Threat actors are exploiting outdated FortiWeb web application firewall appliances to deploy Sliver, an open-source command-and-control framework, enabling long-term and stealthy access to compromised environments.
The activity was uncovered during open-directory threat hunting using internet scanning data from platforms such as Censys and Hunt.io.
According to the research, attackers gained initial access by exploiting publicly exposed vulnerabilities, including React2Shell (CVE-2025-55182), alongside unidentified flaws in unpatched FortiWeb devices.
Once inside, the group deployed Sliver implants to establish persistent command-and-control (C2) channels, primarily targeting internet-facing security appliances that often lack endpoint detection and response controls.
“This is a textbook case of adversaries exploiting the weakest link in the network, outdated edge appliances,” Ensar Seker, CISO at threat intelligence company SOCRadar, told Expert Insights. “FortiWeb devices running unpatched firmware have become prime targets for initial access, and the deployment of the Sliver C2 framework shows how mature and stealthy these operations have become.”
Blending In With Legitimate Services
Analysis of exposed Sliver databases and logs revealed that most infected hosts were running older FortiWeb versions, with victims observed across the US, South Asia, Africa, and East Asia. The attackers disguised malicious binaries as system utilities and placed them in hidden directories, such as /bin/.root/, to avoid casual detection.

To maintain access, the group configured Linux persistence mechanisms, including system services and modified supervisor processes. These tactics align with MITRE ATT&CK persistence methods and are designed to automatically restart malware after reboots.
The campaign also leveraged Fast Reverse Proxy (FRP) to expose internal services externally and used a renamed microsocks binary masquerading as a legitimate printing service on port 515. This allowed attackers to quietly proxy traffic through victim devices while blending into expected network behavior.
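The three tells described above (hidden dot-directories under system binary paths, service or supervisor entries that launch from them, and a non-print process listening on the LPD port 515) can be checked against a host inventory. The script below is an added defender-side example, not code from the article or from the researchers it cites; every path, unit name, process name and listener in it is a constructed sample chosen to exercise the checks, not an indicator taken from the report.

```python
"""Indicator triage for the persistence and proxy tells named in the report.

All sample records below are CONSTRUCTED for illustration; the paths, unit
names and process names are assumptions, not indicators from the article.
"""
import re
from dataclasses import dataclass

# Directories in which a dot-named subdirectory (e.g. /bin/.root/) is abnormal.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")

# TCP/515 is the LPD print port; only a real print daemon should listen there.
EXPECTED_ON_515 = {"lpd", "cupsd", "cups-lpd"}

# Matches a systemd "ExecStart=" line or a supervisord "command=" line.
LAUNCH_LINE = re.compile(r"^(?:ExecStart|command)\s*=\s*(\S+)", re.M)


@dataclass
class Listener:
    port: int
    proc: str   # process name as reported by e.g. `ss -ltnp`
    exe: str    # resolved executable path of that process


def hidden_system_binaries(paths):
    """Return paths that sit under a dot-directory inside a system bin dir."""
    hits = []
    for path in paths:
        for base in SYSTEM_BIN_DIRS:
            if path.startswith(base + "/"):
                rel = path[len(base) + 1:]
                # Any dot-prefixed component below the bin dir is the tell;
                # dotfiles in home directories are normal and never reach here.
                if any(part.startswith(".") for part in rel.split("/")):
                    hits.append(path)
                break
    return hits


def suspicious_515_listeners(listeners):
    """Flag port-515 listeners that are not a print daemon, or whose binary
    lives in a hidden system directory even when the name looks legitimate."""
    flagged = []
    for lst in listeners:
        if lst.port != 515:
            continue
        if lst.proc not in EXPECTED_ON_515 or hidden_system_binaries([lst.exe]):
            flagged.append(lst)
    return flagged


def suspicious_launch_entries(units):
    """units: mapping of unit/program name -> config text.
    Flag entries whose launch command points into a hidden system directory."""
    flagged = {}
    for name, text in units.items():
        m = LAUNCH_LINE.search(text)
        if m and hidden_system_binaries([m.group(1)]):
            flagged[name] = m.group(1)
    return flagged


def triage(paths, listeners, units):
    """Run all three checks and return the findings as one dict."""
    return {
        "hidden_binaries": hidden_system_binaries(paths),
        "bad_515": [lst.proc for lst in suspicious_515_listeners(listeners)],
        "bad_launch": suspicious_launch_entries(units),
    }


# ---- constructed sample inventory (assumptions, not data from the report) ----
SAMPLE_PATHS = [
    "/bin/ls",
    "/bin/.root/sshd",          # hidden directory under /bin
    "/usr/sbin/cron",
    "/usr/bin/.cache/lpd",      # print-daemon name, hidden location
    "/home/admin/.bashrc",      # dotfile in a home directory is normal
]
SAMPLE_LISTENERS = [
    Listener(22, "sshd", "/usr/sbin/sshd"),
    Listener(515, "cupsd", "/usr/sbin/cupsd"),        # legitimate print daemon
    Listener(515, "lpd", "/usr/bin/.cache/lpd"),      # renamed proxy posing as lpd
    Listener(443, "nginx", "/usr/sbin/nginx"),
]
SAMPLE_UNITS = {
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "sysupdate.service": "[Service]\nExecStart=/bin/.root/sshd -D\nRestart=always\n",
    "netmon": "[program:netmon]\ncommand=/usr/bin/.cache/lpd -p 515\nautorestart=true\n",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_LISTENERS, SAMPLE_UNITS).items():
        print(f"{key}: {value}")
```

On a real appliance the inputs would come from a file listing of the system bin directories, the socket table, and the unit and supervisor config directories; the point of the combined check is that a masquerading name alone (a process called lpd on port 515) passes a name-based filter, while its location in a hidden directory does not.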
Researchers noted that attackers registered C2 domains and hosted decoy websites impersonating legitimate services, including software repositories and regional government recruitment pages. This tactic likely helped reduce suspicion and tailor operations toward specific geographic targets.
“This incident [highlights] the importance of aggressive patch management, zero-trust architecture, and strong monitoring of ingress/egress traffic from non-endpoint infrastructure like WAFs and VPN gateways,” Seker added. “Simply deploying EDR is no longer enough if attackers can establish a persistent beachhead on devices outside its scope.”