Cybersecurity researchers recently uncovered a server linked to the KeyPlug malware, used by the threat group RedGolf (also known as APT41). The server was accidentally exposed for less than 24 hours but revealed valuable insight into the group’s advanced attack methods.
KeyPlug Server Malware
The exposed server appeared to be a staging area for active cyberattacks. Among the tools found were scripts targeting Fortinet firewalls and VPNs.
One of the key discoveries was a Python script named 1.py, which scans Fortinet devices to identify version-specific JavaScript hash values. This helps attackers choose the most effective exploit for each system.
The leak offers a rare look into the inner workings of a sophisticated threat group and highlights the ongoing risk to enterprise security infrastructure.
Further analysis uncovered script.py, used to identify internet-facing CDN systems, and ws_test.py, which exploits Fortinet WebSocket CLI flaws by spoofing local IPs to bypass access controls and run commands without authentication.
Malicious Tools Found in KeyPlug Server Leak
The leaked server also contained bx.php, an encrypted PHP webshell used for remote command execution. It decrypts commands in real time, making activity harder to trace.
Another file, client.ps1, was a PowerShell reverse shell that maintains encrypted communication over TCP for stealthy post-exploitation control.

An ELF binary named Server was also found, acting as an HTTP listener on port 8080. It lets attackers manage sessions, send commands, and control compromised systems.
This brief exposure gave researchers a rare look at the advanced tools used by RedGolf/APT41. It also highlights the need to monitor for even short-lived malicious infrastructure and ensure Fortinet systems—especially SSL VPNs—are fully patched.
Security teams should watch for signs of automated access attempts or unusual activity that may signal similar reconnaissance or attacks.
Indicators of Compromise (IOCs)
| Filename | SHA-256 Hash |
| --- | --- |
| systemed-dev | 53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45 |
| 1.py | 09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95 |
| bx.php | 7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50 |
| client.ps1 | c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7 |
| script.py | 2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6 |
| Server | f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3 |
| ws_test.py | 98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d |
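A defender can put the hashes above to work directly. The following is an added example, not code from the original report or from the researchers: it walks a directory tree, hashes every regular file in chunks and reports any whose SHA-256 matches one of the listed indicators. Matching is by content rather than filename, since the original names (1.py, bx.php, Server, etc.) are trivially changed on a victim host; the scan root and the `scan_tree` function name are assumptions for this example.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterator, Tuple

# SHA-256 indicators published for the KeyPlug server leak, keyed hash -> filename.
KEYPLUG_IOCS: Dict[str, str] = {
    "53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45": "systemed-dev",
    "09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95": "1.py",
    "7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50": "bx.php",
    "c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7": "client.ps1",
    "2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6": "script.py",
    "f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3": "Server",
    "98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d": "ws_test.py",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: Dict[str, str] = KEYPLUG_IOCS) -> Iterator[Tuple[Path, str, str]]:
    """Walk `root` (assumed scan location) and yield (path, sha256, ioc_name)
    for every regular file whose content hash is in `iocs`. Symlinks are not
    followed and files that cannot be read (permissions, removed mid-walk)
    are skipped rather than aborting the whole scan."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                yield path, digest, iocs[digest]


if __name__ == "__main__":
    import sys
    scan_root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit_path, hit_hash, ioc_name in scan_tree(scan_root):
        print(f"MATCH {hit_path} sha256={hit_hash} ioc={ioc_name}")
```

Run it against web roots, temp directories and user profile paths on hosts that front Fortinet appliances; a match is a content-level hit regardless of what the file has been renamed to.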