Security researchers have uncovered a stealthy cyber campaign abusing outdated FortiWeb web application firewall appliances to deploy Sliver command-and-control (C2) malware, giving attackers persistent access to victim networks across multiple regions.
The activity, revealed through open-directory threat hunting and infrastructure analysis, highlights a growing and uncomfortable reality: edge security appliances themselves are becoming prime targets, often operating with little visibility, telemetry, or endpoint protection.
The findings were published by CtrlAltIntel and are based on exposed Sliver databases, logs, and attacker infrastructure discovered during routine hunting.
What happened – and why it matters
During scans of exposed open directories using platforms such as Censys, researchers identified publicly accessible Sliver C2 databases and logs. These artifacts revealed that a threat actor had successfully compromised multiple FortiWeb appliances, deploying Sliver implants and maintaining long-term persistence.
Sliver is a powerful, open-source C2 framework maintained by Bishop Fox and used by both red teams and advanced threat actors. It gives an operator remote command execution, lateral movement, credential harvesting, and traffic proxying (SOCKS and port forwarding) through compromised systems.
What makes this campaign particularly concerning is not just the malware, but where it was deployed: perimeter security appliances that many organizations implicitly trust and rarely monitor as endpoints.
How attackers gained access
Analysis suggests the threat group relied on exploitation of public-facing vulnerabilities to gain initial access.
Key vectors included:
- React2Shell (CVE-2025-55182), a remote code execution vulnerability used for initial access.
- Exploitation of outdated FortiWeb appliances, some running versions as old as 5.4.x, a branch long past end of support.
- Abuse of exposed services and weak visibility around edge devices.
While the exact FortiWeb vulnerability exploited remains unknown, every affected device was running out-of-date firmware, a recurring theme in appliance compromises: attackers rarely need a zero-day when years-old, unpatched bugs are still reachable from the internet.
Inside the command-and-control infrastructure
The attackers operated multiple Sliver C2 servers, including domains impersonating legitimate or regional entities:
- ns1.ubunutpackages[.]store – a fake “Ubuntu Packages” website used as C2 cover
- ns1.bafairforce[.]army – impersonating the Bangladesh Air Force recruitment site
These domains resolved to infrastructure hosted across multiple autonomous systems, and compromised devices were actively beaconing to them.
Recovered logs show that the primary Sliver C2 instance was created on December 22, 2025, with victims onboarded rapidly over the following eight days.
What was compromised
Most observed victims were FortiWeb appliances, but at least one non-FortiWeb Linux host was also compromised.
Key observations:
- Sliver implant binaries deployed to /bin/.root/system-updater on FortiWeb (a hidden directory and a benign-looking file name)
- Persistence achieved via systemd services and Supervisor program configuration
- Use of fast reverse proxy (frp) to expose internal services externally
- Deployment of microsocks, a minimal SOCKS5 proxy, disguised as the CUPS LPD mini-server (cups-lpd) and listening on TCP port 515, the standard LPD port
This combination allowed attackers to blend into normal system behavior, evade detection, and proxy traffic through victim networks.
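The script below is an added example, not code from the CtrlAltIntel report or any Fortinet tooling. It hunts for the artifacts listed above on a root filesystem reachable at a path (a mounted forensic image, or "/" on a live Linux host) and in captured `ss -ltnp` output, which also covers the host-side hunting steps in the recommendations further down. The directory tree and the `ss` output it ships with are constructed fixtures; the unit-file locations are the usual systemd and Supervisor paths and are assumptions about the target. One caveat worth building in: the genuine cups-lpd is started per connection by inetd or a systemd socket unit and lives under /usr/lib/cups/, so a long-lived process named cups-lpd holding port 515 is itself the anomaly.

```python
"""Host-side hunt for the artifacts reported on the compromised FortiWeb
devices. Added example, not code from the CtrlAltIntel write-up. It assumes
the device root filesystem is reachable at a path (a mounted image, or "/")
and that `ss -ltnp` output has been captured to text for offline review."""
import os
import re
import tempfile

IMPLANT_PATH = "bin/.root/system-updater"   # implant location from the report
SUSPECT_NAMES = ("system-updater", "frpc", "frps", "microsocks", "cups-lpd")
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system",
             "etc/supervisor/conf.d", "etc/supervisord.d")          # assumed layout
UNIT_FILES = ("etc/supervisord.conf", "etc/supervisor/supervisord.conf")
# A genuine CUPS install ships cups-lpd here and starts it per connection from
# inetd or a systemd socket unit; anything else named cups-lpd is suspect.
LEGIT_CUPS_DIRS = ("/usr/lib/cups/", "/usr/libexec/cups/")
SOCKET_ACTIVATORS = {"systemd", "inetd", "xinetd"}
EXEC_RE = re.compile(r"^\s*(?:ExecStart(?:Pre|Post)?|command)\s*=\s*(.+?)\s*$", re.M)
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def _exec_lines(path):
    """Return the ExecStart=/command= values of a systemd unit or Supervisor program."""
    try:
        with open(path, errors="replace") as fh:
            return EXEC_RE.findall(fh.read())
    except OSError:
        return []


def hunt_filesystem(root):
    """Return (kind, detail) findings for the planted implant and persistence units."""
    findings = []
    implant = os.path.join(root, IMPLANT_PATH)
    if os.path.lexists(implant):
        findings.append(("implant_path", implant))
    paths = [os.path.join(root, f) for f in UNIT_FILES]
    for d in UNIT_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            paths += [os.path.join(full, n) for n in sorted(os.listdir(full))]
    for path in filter(os.path.isfile, paths):
        for cmd in _exec_lines(path):
            parts = cmd.split()
            if not parts:
                continue
            exe = parts[0].lstrip("-@:+!")      # strip systemd ExecStart prefix characters
            for name in SUSPECT_NAMES:
                if name not in cmd:
                    continue
                if name == "cups-lpd" and exe.startswith(LEGIT_CUPS_DIRS):
                    continue                    # the real CUPS unit, not the decoy
                findings.append(("service_config", f"{path}: {cmd}"))
                break
    return findings


def analyze_listeners(ss_text):
    """Flag LISTEN sockets in `ss -ltnp` output that fit the decoy pattern."""
    findings = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        port = local.rsplit(":", 1)[-1]
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        reasons = []
        if port == "515" and proc not in SOCKET_ACTIVATORS:
            reasons.append("long-lived process holding LPD port 515")
        if proc in SUSPECT_NAMES:
            reasons.append(f"process name {proc!r} matches a known tool or decoy name")
        if reasons:
            findings.append((local, proc, reasons))
    return findings


def demo_root():
    """Constructed fixture: a throwaway tree with the reported artifacts planted."""
    root = tempfile.mkdtemp(prefix="fortiweb-hunt-")
    files = {
        IMPLANT_PATH: "placeholder for the implant binary",
        "etc/systemd/system/system-updater.service":
            "[Service]\nExecStart=/bin/.root/system-updater\n[Install]\nWantedBy=multi-user.target\n",
        "etc/supervisor/conf.d/proxy.conf":
            "[program:cups-lpd]\ncommand=/usr/local/bin/microsocks -p 515\nautorestart=true\n",
        # Benign control: the real CUPS unit, which must not be flagged.
        "usr/lib/systemd/system/cups-lpd@.service":
            "[Service]\nExecStart=/usr/lib/cups/daemon/cups-lpd -o document-format=application/octet-stream\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


# Constructed `ss -ltnp` capture: a fake cups-lpd and frpc next to benign listeners.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:515        0.0.0.0:*         users:(("cups-lpd",pid=1337,fd=3))
LISTEN 0      128    127.0.0.1:7000     0.0.0.0:*         users:(("frpc",pid=1402,fd=5))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   0.0.0.0:515        0.0.0.0:*         users:(("systemd",pid=1,fd=40))
"""

if __name__ == "__main__":
    for f in hunt_filesystem(demo_root()) + analyze_listeners(SAMPLE_SS):
        print(f)
```

Against a real image, point `hunt_filesystem()` at the mount point and feed `analyze_listeners()` the output of `ss -ltnp` taken from the live device; the systemd listener on 515 in the sample shows why the check keys on the process holding the socket rather than the port alone.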
Victim profile and targeting
Analysis of recovered C2 data revealed 30 unique real victim IP addresses in just over a week.
Countries observed include:
- Pakistan
- Bangladesh
- Saudi Arabia
- United States
- India
- South Africa
- China
Notably, several victims appeared to belong to financial institutions and government-related organizations, particularly in South Asia, suggesting this campaign was targeted rather than purely opportunistic.
The use of Bangladesh-themed decoy infrastructure further supports the hypothesis of regional focus and reconnaissance-driven targeting.
Why this matters globally – and for MEA organizations
For organizations in the Middle East and Africa, this campaign reinforces a critical lesson:
Security appliances are not “set and forget” devices.
Many enterprises across MEA rely heavily on edge appliances such as WAFs, VPNs, and gateways, often without:
- Endpoint Detection and Response (EDR)
- Centralized logging
- Regular threat hunting
- Strict patch governance
Once compromised, these devices offer attackers privileged, stealthy access at the network perimeter, often invisible to SOC teams.
This is where continuous cybersecurity risk management, vulnerability assessment, and appliance hardening – such as those offered by Saintynet Cybersecurity – become essential, not optional.
Recommended actions for security teams (10 steps)
- Immediately audit all FortiWeb appliances and identify firmware versions in use.
- Patch or upgrade outdated FortiWeb devices to supported versions without delay.
- Restrict management interfaces to trusted IP ranges only.
- Search for indicators of compromise, including /bin/.root/system-updater, frp and microsocks binaries, and any cups-lpd process that is not the CUPS binary under /usr/lib/cups/daemon/.
- Review systemd units and Supervisor program configurations for unauthorized services.
- Monitor outbound traffic from appliances for unexpected C2 communications, including DNS lookups for or connections to the domains listed above.
- Deploy network-based detection controls for edge devices that cannot run EDR.
- Rotate credentials and API keys potentially exposed via compromised systems.
- Conduct periodic external attack surface monitoring using tools like Censys or Shodan.
- Train SOC and infrastructure teams on appliance-focused threat hunting through specialized programs at training.saintynet.com.
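For the two network-side steps (monitoring appliance egress and detecting where EDR cannot run), the following added example is not from the CtrlAltIntel report. It runs over connection logs in a constructed key=value format (timestamp, src, dst, dport, optional host or SNI); a real firewall, NetFlow or DNS export needs its own parser, but the matching logic is the same. It flags any lookup or connection to the two decoy domains or their subdomains, and separately flags source/destination pairs whose check-in cadence is too regular to be human, ranking those from known appliance addresses highest. The 0.15 threshold on the coefficient of variation of the gaps is a starting point to tune, not a figure from the report.

```python
"""Network-side hunt for appliance beaconing to the reported Sliver C2 hosts.
Added example, not code from the CtrlAltIntel write-up. It assumes logs in the
constructed format below; adapt parse_line() for a real export."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone


def refang(indicator):
    """Turn the article's de-fanged ns1.example[.]tld form back into a hostname."""
    return indicator.replace("[.]", ".")


# C2 hostnames named in the report.
IOC_DOMAINS = {refang(d) for d in ("ns1.ubunutpackages[.]store", "ns1.bafairforce[.]army")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: host=(?P<host>\S+))?\s*$")


def parse_line(line):
    """Parse one constructed log line; return None for anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def matches_ioc(host):
    """True for an exact IoC hostname or any label beneath it."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_beacons(records, min_hits=5, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose connection cadence is too regular.
    An implant with a fixed check-in interval and modest jitter produces
    inter-connection gaps with a low coefficient of variation; interactive
    traffic does not. max_cv is an assumed tuning value."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    beacons = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "hits": len(stamps),
                            "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


def hunt(lines, appliance_ips):
    """Combine indicator matching with cadence analysis; appliance sources rank highest."""
    records = [r for r in map(parse_line, lines) if r]
    findings, seen = [], set()
    for r in records:
        if matches_ioc(r["host"]) and (r["src"], r["host"]) not in seen:
            seen.add((r["src"], r["host"]))
            findings.append({"type": "ioc_domain", "src": r["src"], "host": r["host"]})
    for b in find_beacons(records):
        b["type"] = "appliance_beacon" if b["src"] in appliance_ips else "beacon"
        findings.append(b)
    return findings


SAMPLE_LINES = [
    # Constructed data: a WAF management IP (10.0.5.4) checking in about every 60 s,
    # one entry carrying a decoy C2 hostname, a workstation with irregular timing,
    # and one unparsable line.
    "2025-12-23T10:00:00Z src=10.0.5.4 dst=203.0.113.10 dport=443 host=ns1.ubunutpackages.store",
    "2025-12-23T10:01:01Z src=10.0.5.4 dst=203.0.113.10 dport=443",
    "2025-12-23T10:01:59Z src=10.0.5.4 dst=203.0.113.10 dport=443",
    "2025-12-23T10:03:01Z src=10.0.5.4 dst=203.0.113.10 dport=443",
    "2025-12-23T10:04:00Z src=10.0.5.4 dst=203.0.113.10 dport=443",
    "2025-12-23T10:04:59Z src=10.0.5.4 dst=203.0.113.10 dport=443",
    "2025-12-23T10:06:01Z src=10.0.5.4 dst=203.0.113.10 dport=443",
    "2025-12-23T10:07:00Z src=10.0.5.4 dst=203.0.113.10 dport=443",
    "2025-12-23T10:00:00Z src=10.0.7.20 dst=198.51.100.5 dport=443",
    "2025-12-23T10:00:05Z src=10.0.7.20 dst=198.51.100.5 dport=443",
    "2025-12-23T10:02:10Z src=10.0.7.20 dst=198.51.100.5 dport=443",
    "2025-12-23T10:02:11Z src=10.0.7.20 dst=198.51.100.5 dport=443",
    "2025-12-23T10:06:40Z src=10.0.7.20 dst=198.51.100.5 dport=443",
    "2025-12-23T10:15:00Z src=10.0.7.20 dst=198.51.100.5 dport=443",
    "# constructed noise line that the parser must skip",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LINES, {"10.0.5.4"}):
        print(finding)
```

The workstation in the sample makes six connections but with wildly uneven gaps, so it never trips the cadence check; the appliance trips it with eight hits at a 60-second mean and a coefficient of variation near 0.03. Seed `appliance_ips` from your asset inventory (WAF, VPN and gateway management addresses) so those hits land at the top of the queue.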
The bigger picture
This campaign exposes a dangerous blind spot in modern enterprise security: the lack of visibility into network appliances that sit at the very edge of our environments.
There is no sign that the attackers needed a zero-day. They relied on:
- Poor patch hygiene
- Limited monitoring
- Trust assumptions around security devices
As attackers keep moving toward supply-chain components and edge infrastructure, defenses have to follow them there.
Conclusion
The FortiWeb–Sliver campaign is a stark reminder that security appliances are high-value targets, not exempt from compromise. Without proper patching, monitoring, and threat visibility, they become silent gateways for advanced attackers.
For CISOs, SOC leaders, and infrastructure teams worldwide – and especially across MEA – the message is clear:
If you can’t see your edge, you can’t secure it.