A sophisticated threat actor has been caught leveraging exposed logs and databases to orchestrate a targeted campaign against FortiWeb appliances, using the open-source Sliver C2 framework to maintain persistent access. Threat researcher c0baltstrik3d uncovered the operation during routine open-directory threat hunting, revealing a tactical blend of modern exploits and classic deception.
The campaign onboarded 30 unique victims in just eight days, between December 22 and December 30, 2025.
The attackers didn’t just stumble onto these devices; they used specific, high-impact exploits. The analysis indicates the group “leveraged React2Shell (CVE-2025-55182) in order to deploy Sliver” on victim hosts.
While the exact method used to breach the FortiWeb appliances remains unconfirmed due to a lack of a recovered Proof of Concept (POC), the researcher noted that “Analysis of these databases, logs and the corresponding infrastructure indicated the threat actor had successfully exploited multiple FortiWeb devices”.
Once inside, the attackers focused on persistence and stealth. They deployed Fast Reverse Proxy (FRP) to “expose local services on victim hosts remotely,” allowing them to bypass firewalls and maintain a lifeline to the infected devices.
In a clever move to blend in with legitimate traffic, the group also used a tool called microsocks, renaming the binary to cups-lpd and binding it to port 515. This port is typically used by the Linux CUPS Line Printer Daemon, making the malicious traffic look like standard printer communication.
“The use of a renamed microsocks binary (cups-lpd), bound to port 515 to masquerade as CUPS… highlights the effort the threat actor has taken to blend in and attempt to persist”.
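As an added defender-side illustration (not code from the report or the researcher), the check below parses `ss -tlnp` style listener output and flags any process bound to TCP 515 whose executable path is not the distribution's genuine cups-lpd location; the sample `ss` output, the pid-to-executable map and the known-path list are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `ss -tlnp` output (not data from the report).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:515       0.0.0.0:*     users:(("cups-lpd",pid=4312,fd=5))
LISTEN 0      4096   127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=790,fd=7))
"""

# Constructed readlink(/proc/<pid>/exe) results; on a live host read them from /proc.
SAMPLE_EXE: Dict[int, str] = {
    812: "/usr/sbin/sshd",
    4312: "/tmp/.x/cups-lpd",
    790: "/usr/sbin/cupsd",
}

# Assumed install locations of the real CUPS LPD mini-daemon (Debian/RHEL layouts).
# Note: the genuine cups-lpd is usually socket-activated by inetd/xinetd/systemd,
# so a process named cups-lpd holding the listener itself is already unusual.
KNOWN_LPD_PATHS = {"/usr/lib/cups/daemon/cups-lpd", "/usr/lib64/cups/daemon/cups-lpd"}
LPD_PORT = 515

# Matches a LISTEN row and captures local port, process name and pid.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def find_suspicious_lpd(ss_output: str, exe_by_pid: Dict[int, str]) -> List[dict]:
    """Return listeners on TCP 515 whose backing executable is not a known cups-lpd path."""
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port, name, pid = int(m.group(1)), m.group(2), int(m.group(3))
        if port != LPD_PORT:
            continue
        exe = exe_by_pid.get(pid, "<unknown>")
        if exe not in KNOWN_LPD_PATHS:
            findings.append({"pid": pid, "name": name, "exe": exe, "port": port})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_lpd(SAMPLE_SS, SAMPLE_EXE):
        print(f"suspicious LPD listener: pid={hit['pid']} name={hit['name']} exe={hit['exe']}")
```

The same pass can be widened to any well-known port where a renamed binary would be expected to hide, by keying the allowed-path set on the port.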
The campaign appears to have specific geopolitical interests. One of the Command and Control (C2) domains, ns1.bafairforce[.]army, hosted a decoy page impersonating the “Join Bangladesh Airforce” recruitment site.
“The use of Bangladesh-themed decoy pages and C2 infrastructure aligned with some interesting Bangladesh victims found within the databases, suggesting this operation was more targeted than opportunistic”.
Victim analysis confirmed this focus: “Multiple victims were observed in Pakistan and Bangladesh, including organisations in the financial and government sector”.
“These attacks highlight a massive blindspot in visibility and telemetry for organisations using edge appliances like FortiWeb,” c0baltstrik3d warns. “These devices typically don’t have inbuilt AV/EDR… This makes sufficiently and effectively threat hunting for this activity, on appliances, incredibly difficult”.