Listen to this Post

A new cybersecurity investigation has revealed a sophisticated threat campaign targeting outdated FortiWeb appliances worldwide. Hackers are leveraging these unpatched devices to deploy the Silver Command-and-Control (C2) framework, maintaining long-term access across multiple organizations. This incident highlights the risks posed by legacy security infrastructure and the increasing trend of attackers exploiting overlooked network edge devices.
Summary of the Campaign
Researchers conducting open-directory threat hunting on Censys discovered exposed Sliver databases and logs, showing extensive compromise activity. The affected FortiWeb appliances were largely running outdated versions, specifically 5.4.202 through 6.1.62, missing modern detection and monitoring capabilities.
Initial access appears to have been achieved through public-facing services vulnerable to React2Shell (CVE-2025-55182) and other unpatched FortiWeb flaws. While the exact exploit remains unclear, the attackers used these outdated appliances to deploy the open-source Sliver C2 toolkit. The Sliver binary was disguised as system-updater and installed at /bin/.root/system-updater.
Two primary C2 servers—ns1.ubunutpackages[.]store and ns1.bafairforce[.]army—acted as command hubs, both registered under Autonomous System 62005. The servers were masked behind fake websites, including a counterfeit “Ubuntu Packages” page and a Bangladesh Air Force recruitment imitation. This Bangladesh-themed infrastructure aligns with the majority of victims located in the country, indicating a highly targeted campaign.
Between December 22 and 30, 2025, researchers identified 30 unique victim IPs beaconing to these Silver instances, spanning Bangladesh, Pakistan, India, South Africa, and the United States.
To ensure persistence, the attackers created malicious systemd and supervisor services named Updater Service and rootbinary, ensuring Sliver automatically ran at boot or after process failure, following MITRE ATT&CK T1543.002 techniques.
Additionally, the threat actor deployed the Fast Reverse Proxy (FRP) tool from a public server to expose internal networks externally, turning compromised FortiWeb devices into proxy nodes. Microsocks was also used for SOCKS proxying, disguised as cups-lpd to resemble legitimate CUPS printing services on port 515. This binary contained optional hard-coded credentials for remote authenticated access, further amplifying risk.
The campaign underscores the dangers of outdated edge appliances lacking endpoint protection and active threat telemetry. Without proper monitoring, these devices offer adversaries ideal footholds for deploying post-exploitation frameworks such as Sliver, enabling stealthy and prolonged access across enterprise networks.
What Undercode Say:
The FortiWeb Silver C2 campaign represents a textbook example of how attackers exploit neglected network infrastructure. Outdated appliances, especially those exposed to the internet, are prime targets for automated reconnaissance and exploitation. Threat actors are increasingly combining multiple tactics to maximize operational efficiency:
Targeted Exploitation – The use of Bangladesh-themed infrastructure suggests careful victim selection rather than opportunistic scanning. This reflects a strategic understanding of regional targets and the networks most likely to be vulnerable.
Persistence Mechanisms – The deployment of disguised system services ensures that even after reboots or crashes, the malware remains active. This technique is particularly dangerous in appliances where administrators rarely check running services.
Proxy & Lateral Movement – By integrating FRP and Microsocks, attackers convert compromised devices into pivot points, exposing internal networks to external control. This can bypass traditional firewall rules and internal monitoring.
Open-Source C2 Leveraging – The use of Sliver, an open-source C2 framework, highlights a trend: sophisticated attacks no longer rely solely on proprietary malware. Open-source tools allow threat actors to reduce development costs while maintaining advanced capabilities.
Operational Security & Deception – Fake websites mimicking legitimate services obscure the attackers’ presence and complicate attribution, while hard-coded credentials enable rapid lateral expansion.
Global Reach – The campaign’s geographic footprint—Bangladesh, Pakistan, India, South Africa, and the US—demonstrates how unpatched devices anywhere can become global attack vectors, underscoring the interconnectedness of enterprise networks.
Underappreciated Edge Security – Organizations often focus on endpoint detection or cloud security but overlook network edge appliances. The campaign proves that neglected devices remain a weak link, capable of enabling long-term, undetected compromise.
Early Warning & Threat Hunting – Researchers leveraged open-directory scanning to uncover the operation. This emphasizes the importance of proactive threat hunting to detect compromised devices before they become major footholds.
Need for Timely Updates – Most victims were running FortiWeb versions several years old. Patch management remains critical; failing to update devices directly translates to operational risk.
Risk to Sensitive Sectors – The Bangladesh Air Force mimicry suggests attackers may aim at government or critical infrastructure, which could have significant geopolitical implications.
In essence, this campaign highlights the intersection of outdated infrastructure, open-source exploitation tools, and advanced operational security tactics. Organizations ignoring appliance lifecycle management and visibility risk becoming unwitting participants in global cyber operations.
Fact Checker Results
✅ Confirmed: Vulnerable FortiWeb versions exploited (5.4.202–6.1.62).
✅ Confirmed: Silver C2 framework used with disguised binaries.
❌ Unconfirmed: Exact exploit for FortiWeb is not publicly detailed.
Prediction
🌐 This campaign signals a likely increase in attacks targeting outdated network appliances, particularly in regions with slower patch adoption.
🔒 Organizations that fail to integrate telemetry and monitoring on legacy devices may face persistent, hard-to-detect compromises.
⚡ Expect threat actors to increasingly combine open-source C2 tools with deceptive infrastructures to evade detection and expand global attack surfaces.
If you want, I can also create a visual attack flow diagram showing how FortiWeb devices were compromised and used as proxy nodes—this would make the article even more engaging and clear. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




