Inside the RedGolf Threat Group: A Rare Peek into KeyPlug Malware Infrastructure


In a rare and brief window of opportunity, cybersecurity researchers were granted an unprecedented glimpse into the backend infrastructure of one of the most elusive cyber espionage groups in the world—RedGolf. Associated closely with the infamous APT41, RedGolf has long remained a mystery to analysts. But thanks to a simple misconfiguration on a server hosted by Vultr, the curtains have been pulled back on their methods, tools, and targets. This accidental exposure lasted less than 24 hours but revealed a treasure trove of cyber weapons including tailored exploit scripts, sophisticated webshells, and detailed reconnaissance data—much of it targeting Fortinet firewalls and high-value authentication services belonging to a major Japanese corporation.

How RedGolf’s Toolkit Got Exposed: 30-Line Overview

  • A server hosted by Vultr, misconfigured for under 24 hours, revealed internal RedGolf tools and scripts.
  • These tools are linked to the KeyPlug malware, often associated with Chinese state-sponsored cyber activities.
  • The most significant find was 1.py, a reconnaissance tool designed specifically to fingerprint Fortinet firewall versions.
  • The script extracts JavaScript hash values to identify the FortiOS version, enabling precise vulnerability targeting.
  • A second script, ws_test.py, automates the exploitation of CVE-2024-23108 and CVE-2024-23109.
  • By spoofing headers, it tricks Fortinet systems into thinking traffic is local, bypassing normal authentication layers.
  • bx.php was discovered as an encrypted webshell capable of executing remote commands without leaving disk artifacts.
  • This stealth tool decrypts commands on-the-fly using AES-128 encryption.
  • PowerShell and Linux-based reverse shells were also discovered, further showcasing RedGolf’s cross-platform capabilities.
  • These shells used encrypted communications and heartbeat checks to maintain long-term access.
  • Logs like alive_urls_20250305_090959.txt and non_cdn_ips_20250305_090959.txt mapped internal infrastructure of Japanese cosmetic giant Shiseido.
  • Domains targeted included Okta, Keycloak portals, and internal dev environments.
  • A CDN fingerprinting tool, script.py, was used to identify domains that weren’t protected by CDN services, exposing them to direct attack.
  • Indicators of Compromise (IOCs) were traced to three IPs and domains, all linked to Vultr in Japan.
  • The toolset revealed a planned, layered attack strategy: reconnaissance, exposure, exploitation, then covert persistence.
  • The campaign focused heavily on authentication and remote access vulnerabilities—likely with espionage or credential theft goals.
  • Hashes of these tools matched previously undocumented samples, suggesting RedGolf’s kit is both custom and in active development.
  • The tools show an understanding of obfuscation and evasion, such as encryption of commands and traffic.
  • Analysts noted the modular design of scripts, allowing RedGolf to mix and match capabilities based on the target.
  • The use of AES encryption across tools highlights a strong emphasis on staying hidden from defenders.
  • IPs traced to Vultr suggest temporary, disposable infrastructure was employed for operational security.
  • The operation’s short-lived exposure makes the insights gained especially valuable.
  • Even in that window, researchers could see an entire attack chain from scanning to exploitation and control.
  • Defensive recommendations from analysts include fast patching, deep inspection of firewall login portals, and better CDN coverage.
  • The threat posed by RedGolf and similar groups goes beyond simple malware—it’s strategic, patient, and methodical.
  • RedGolf appears to be one of the most advanced threat groups actively probing global infrastructure today.
  • Their alignment with APT41 suggests state-level sponsorship and global ambition.
  • The misconfigured directory may have been an accident—or possibly a decoy meant to mislead analysts.
  • Regardless, it provides critical intelligence for defenders to build better threat models and hone detection systems.
  • This rare leak underscores the importance of catching and understanding attacker tooling before it goes dark again.
  • Analysts continue to reverse-engineer samples and alert affected vendors and clients.

What Undercode Says:

The accidental exposure of RedGolf’s attacker-side infrastructure is more than a digital slip-up—it’s a cybersecurity goldmine. What we’re looking at here is not just a snapshot of some random hacker activity. This is a methodically curated toolkit from a nation-state-level APT, offering both strategic breadth and technical depth.

The tools weren’t generic scripts copy-pasted from the dark web. Each script appears handcrafted or at least extensively customized. The 1.py reconnaissance script alone reflects a deep understanding of Fortinet’s system internals, particularly in how it fingerprints the FortiOS version using hashed JavaScript endpoints. This kind of targeting allows the attackers to prepare precise payloads, reducing noise and increasing the chance of a silent compromise.

What’s more alarming is their use of WebSocket exploitation (ws_test.py). WebSocket-based management interfaces are less scrutinized by defenders compared to HTTP endpoints. The ability to spoof local traffic using headers and bypass authentication altogether is a clever move—one that few adversaries have mastered.
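A defender-side check for the header-spoofing pattern described above, added here as an example (not code from the exposed toolkit, from Fortinet, or from the reporting researchers). The forwarded-header names, the portal paths and the request records are assumptions and constructed samples, not values taken from the write-up; the idea is to flag any external peer that reaches the management portal while claiming, via proxy headers, to be a loopback or private address.

```python
"""Flag portal requests whose forwarded headers claim a local origin while
the TCP peer is external. Added example, not code from the exposed toolkit
or from Fortinet; header names, paths and records are assumed/constructed."""
import ipaddress
import re

# Proxy headers carrying the original client address; an external peer has
# no legitimate reason to set them to loopback or private values.
FORWARDED_HEADERS = {"x-forwarded-for", "x-real-ip", "x-client-ip", "forwarded"}
PORTAL_PATHS = ("/remote/login", "/api/v2/")  # assumed login/API paths

def is_internal(ip: str) -> bool:
    """Loopback, RFC 1918 or link-local; anything unparsable is not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local

def claimed_origins(headers: dict) -> list:
    """Every address the forwarded headers claim (RFC 7239 'for=' included)."""
    claims = []
    for name, value in headers.items():
        if name.lower() not in FORWARDED_HEADERS:
            continue
        if name.lower() == "forwarded":
            claims += re.findall(r'for="?\[?([0-9a-fA-F.:]+)', value)
        else:
            claims += [v.strip() for v in value.split(",")]
    return claims

def suspicious(request: dict) -> bool:
    """External peer hitting the portal while claiming an internal origin."""
    if not request["path"].startswith(PORTAL_PATHS):
        return False
    if is_internal(request["peer"]):
        return False  # a genuine reverse proxy in front of the portal
    return any(is_internal(c) for c in claimed_origins(request["headers"]))

SAMPLE = [  # constructed records: TCP peer, request path, request headers
    {"peer": "1.2.3.4", "path": "/remote/login",
     "headers": {"X-Forwarded-For": "127.0.0.1", "User-Agent": "curl"}},
    {"peer": "5.6.7.8", "path": "/api/v2/cmdb", "headers": {"Forwarded": 'for="[::1]"'}},
    {"peer": "10.0.0.5", "path": "/remote/login", "headers": {"X-Forwarded-For": "127.0.0.1"}},
    {"peer": "1.2.3.5", "path": "/remote/login", "headers": {}},
]

def flagged(records=SAMPLE) -> list:
    return [r["peer"] for r in records if suspicious(r)]
```

Run against real proxy or firewall access logs, the same rule reduces to one question: does the transport-layer peer agree with what the headers assert about the client's origin?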

Then we come to bx.php, a stealth webshell that accepts AES-128 encrypted payloads through HTTP POST. Unlike traditional webshells that drop artifacts or rely on obvious command-and-control protocols, this one runs purely in memory and is hidden behind encryption. For defenders relying on file-based indicators, this is practically invisible.

The toolkit’s modularity is another critical takeaway. We see both Windows and Linux reverse shells that encrypt communications and persist through heartbeat checks. These implants are meant to survive. They don’t just hit and run—they linger, monitor, and await further commands.

RedGolf’s reconnaissance phase is equally meticulous. Files detailing alive domains and IPs not shielded by CDNs show a specific focus on domains with weak or no edge protection. The inclusion of Japanese company Shiseido’s authentication systems suggests a highly targeted campaign—likely for credential harvesting or intellectual property theft.

What does this mean for the rest of us? If this is the tooling being exposed, imagine what remains hidden. Organizations relying solely on perimeter defenses or delayed patching schedules are sitting ducks. Threat actors like RedGolf thrive in those environments.

Furthermore, the presence of indicators like CDN-fingerprint scripts shows the group’s interest in identifying the easiest targets first. That’s a red flag for any organization relying on obscurity or partial protections.

For cybersecurity professionals, this exposure is a wake-up call. RedGolf isn’t just knocking on the doors—they’re silently slipping in, disabling the alarms, and watching from inside. Defenders must now anticipate attacks that are no longer smash-and-grab operations, but multi-phase, stealth-driven campaigns. The only viable counter is a mix of threat intelligence, behavioral analytics, and proactive patching—especially for systems exposed to the internet.

Fact Checker Results:

  • The exposed tools have been verified against known malware databases and confirmed as novel or custom variants.
  • IP addresses and domains traced to Vultr match previously flagged infrastructure linked to APT41 activity.
  • Vulnerabilities targeted (CVE-2024-23108/09) are legitimate and were recently patched, adding credibility to the timeline.

References:

Reported By: cyberpress.org