RedGolf, a sophisticated threat actor with ties to APT41, provided a rare insight into its operational toolbox after a directory on its attack infrastructure was briefly exposed.
The server, linked to KeyPlug malware activities, inadvertently revealed a comprehensive arsenal of exploitation tools, reconnaissance scripts, and post-compromise utilities targeting Fortinet devices and a major Japanese corporation.
RedGolf Operations Exposed
Security researcher Jane_0sint first highlighted the server at IP 154.31.217.200 on social media, noting its connection to RedGolf operations.
Further investigation revealed it shared a TLS certificate with five other servers hosted on Vultr. The certificate carries the subject fields of wolfSSL's bundled test certificates rather than being issued by WolfSSL, which makes it a usable pivot for finding related infrastructure.
Among these servers, 45.77.34.88 exposed a directory through a Python SimpleHTTP server for less than 24 hours, providing researchers an unfiltered view of the group’s operational files.
The WolfSSL certificate details included:
Subject Common Name: www.wolfssl.com
Subject Organizational Unit: Support_1024
SHA-256 Fingerprint: 4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF
Zero-Day Exploitation of Fortinet Devices
Hunt.io reports that among the exposed files was ws_test.py, a script that appears to automate exploitation of a Fortinet WebSocket CLI weakness, which Hunt.io likens to CVE-2024-23108 and CVE-2024-23109. (Those two identifiers are FortiSIEM OS command-injection flaws, so the comparison is to the class of bug rather than a statement that the script exploits those CVEs.)
The script targets unauthenticated WebSocket endpoints in FortiOS versions 7.0.0 to 7.0.15 and then sends a payload intended to bypass authentication and execute administrative commands.
Files within the exposed directory indicate RedGolf has been actively targeting Shiseido, a prominent Japanese cosmetics company operating in 120 countries.
A file named alive_urls_20250305_090959.txt contained nearly one hundred Shiseido domains, concentrated on authentication systems, internal portals, and identity providers.
The attackers employed script.py, a CDN fingerprinting tool designed to identify unprotected assets by checking for the absence of CDN-related HTTP headers like CF-RAY or Akamai-Cache-Status.
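The CDN-header check described above, as an added example that is not script.py or any other file from the exposed server: an offline re-implementation written from the defender's side, so an organization can run the same test against its own asset list and find the origins an attacker would single out. CF-RAY and Akamai-Cache-Status are the headers the page names; the other header names, the Server-value markers, the fetch helper and the sample responses are assumptions constructed for this example.

```python
"""
Added example, not the attackers' script.py: classify HTTP responses as
CDN-fronted or origin-exposed from the presence or absence of CDN headers.
"""
from __future__ import annotations

import urllib.request
from typing import Mapping, Optional

# Header name -> CDN that normally sets it (matched case-insensitively).
# CF-RAY and Akamai-Cache-Status are from the page; the rest are assumptions
# based on commonly observed headers and are indicative, not proof.
CDN_HEADER_SIGNATURES: dict[str, str] = {
    "cf-ray": "Cloudflare",
    "cf-cache-status": "Cloudflare",
    "akamai-cache-status": "Akamai",
    "x-akamai-transformed": "Akamai",
    "x-amz-cf-id": "Amazon CloudFront",
    "x-amz-cf-pop": "Amazon CloudFront",
    "x-fastly-request-id": "Fastly",
}

# Substrings of the Server header that point at a CDN edge (assumed list).
CDN_SERVER_MARKERS: dict[str, str] = {
    "cloudflare": "Cloudflare",
    "akamaighost": "Akamai",
    "cloudfront": "Amazon CloudFront",
    "fastly": "Fastly",
}


def detect_cdn(headers: Mapping[str, str]) -> Optional[str]:
    """Return the CDN name the response headers indicate, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, cdn in CDN_HEADER_SIGNATURES.items():
        if name in lowered:
            return cdn
    server = lowered.get("server", "").lower()
    for marker, cdn in CDN_SERVER_MARKERS.items():
        if marker in server:
            return cdn
    return None


def classify(headers: Mapping[str, str]) -> str:
    """'cdn-fronted', or 'origin-exposed' (the condition the attackers hunted for)."""
    return "cdn-fronted" if detect_cdn(headers) else "origin-exposed"


def fetch_headers(url: str, timeout: float = 5.0) -> dict[str, str]:
    """Live helper (needs network): HEAD request, so no body is downloaded."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def triage(responses: Mapping[str, Mapping[str, str]]) -> dict[str, str]:
    """Map URL -> classification for a whole asset list at once."""
    return {url: classify(h) for url, h in responses.items()}


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "https://www.example.test/": {
        "Server": "cloudflare",
        "CF-RAY": "8a1b2c3d4e5f6789-NRT",
        "Content-Type": "text/html",
    },
    "https://auth.example.test/": {
        "Server": "Apache/2.4.41 (Ubuntu)",
        "Content-Type": "text/html",
        "Set-Cookie": "JSESSIONID=abc; HttpOnly",
    },
    "https://cdn.example.test/": {
        "Server": "AkamaiGHost",
        "Akamai-Cache-Status": "Hit from child",
    },
}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{verdict:15} {url}  cdn={detect_cdn(SAMPLE_RESPONSES[url])}")
```

To run it against live assets, replace SAMPLE_RESPONSES with `{url: fetch_headers(url) for url in asset_list}`; anything that comes back origin-exposed is a host whose WAF and rate limiting the attacker can bypass simply by connecting to it directly.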
Post-Exploitation Toolkit
The exposed arsenal included the following post-exploitation tools:
bx.php – A compact PHP webshell that receives AES-128 encrypted commands, decrypts them with the key a75d6a841eafd550, and executes them, with the encryption keeping the command content out of readable logs.
client.ps1 – A PowerShell reverse shell that establishes encrypted communication with the control server.
Server – An ELF binary that operates as a command-and-control interface for managing compromised systems.
This rare exposure provides cybersecurity professionals an uncommon opportunity to understand the sophisticated tactics employed by nation-state affiliated threat actors.
For Fortinet customers, it highlights the urgent need to patch devices and implement additional monitoring for WebSocket exploitation attempts.
Security experts recommend that organizations using Fortinet products immediately update to the latest firmware versions and monitor for suspicious access patterns to CLI endpoints, particularly those involving WebSocket connections or forwarded headers indicating local access attempts.
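One way to implement the monitoring recommended above, as an added example that is not code from Fortinet, Hunt.io or the exposed server. It flags the two patterns named (WebSocket upgrades to a CLI endpoint, and forwarded headers that claim a loopback or RFC 1918 source address while the connection actually arrives from outside), and it deliberately stays quiet for a WebSocket session that genuinely originates on the local host. Everything below the page does not state is an assumption: the input is JSON-lines request records exported from a reverse proxy or WAF placed in front of the management interface (FortiOS's own logs do not present these headers in this form), CLI_PATH_RE is a placeholder for the real management path, and the sample records are constructed, not real traffic.

```python
"""
Added example, not vendor or attacker code: detect WebSocket-to-CLI requests
and forwarded headers claiming local access in proxy request records.
"""
import ipaddress
import json
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# Placeholder pattern for the management CLI endpoint (assumption; tune to
# the real path of the device being monitored).
CLI_PATH_RE = re.compile(r"/(?:cli|ws)(?:/|$)", re.IGNORECASE)

FORWARDED_HEADERS = ("x-forwarded-for", "x-real-ip", "forwarded")

# "Local" here means loopback or RFC 1918 / link-local, which is what a
# forwarded header would have to claim to impersonate local access.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fc00::/7",
)]

# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
{"src": "203.0.113.7", "method": "GET", "path": "/login", "headers": {"Host": "fw.example.test"}}
{"src": "203.0.113.7", "method": "GET", "path": "/ws/cli", "headers": {"Upgrade": "websocket", "Connection": "Upgrade", "X-Forwarded-For": "127.0.0.1"}}
{"src": "198.51.100.22", "method": "GET", "path": "/api/v2/monitor", "headers": {"X-Forwarded-For": "10.0.0.5"}}
{"src": "127.0.0.1", "method": "GET", "path": "/ws/cli", "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}}
{"src": "192.0.2.9", "method": "GET", "path": "/ws/cli", "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}}
"""


def lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_local_addr(addr: str) -> bool:
    """True for loopback / private / link-local addresses, False otherwise."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def forwarded_addrs(headers: Dict[str, str]) -> List[str]:
    """Collect addresses from X-Forwarded-For, X-Real-IP and RFC 7239 Forwarded."""
    h = lower_headers(headers)
    out: List[str] = []
    for name in FORWARDED_HEADERS:
        val = h.get(name)
        if not val:
            continue
        if name == "forwarded":
            out += re.findall(r'for="?\[?([0-9a-fA-F.:]+)', val)
        else:
            out += [p.strip() for p in val.split(",") if p.strip()]
    return out


def is_websocket_upgrade(headers: Dict[str, str]) -> bool:
    h = lower_headers(headers)
    return ("websocket" in h.get("upgrade", "").lower()
            and "upgrade" in h.get("connection", "").lower())


def analyze_record(rec: dict) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one request record."""
    headers = rec.get("headers", {})
    src = rec.get("src", "?")
    ws = is_websocket_upgrade(headers)
    cli = bool(CLI_PATH_RE.search(rec.get("path", "")))
    src_external = not is_local_addr(src)
    # A forwarded header claiming a local address only matters when the
    # connection itself did not come from a local address.
    spoofed = [a for a in forwarded_addrs(headers) if is_local_addr(a)] if src_external else []

    findings: List[Tuple[str, str]] = []
    if ws and cli and spoofed:
        findings.append(("high", f"websocket to CLI with forwarded local addr {spoofed[0]} from {src}"))
    elif ws and cli and src_external:
        findings.append(("medium", f"websocket upgrade to CLI endpoint from external {src}"))
    elif spoofed:
        findings.append(("low", f"forwarded header claims local addr {spoofed[0]} from {src}"))
    return findings


def scan(lines: Iterable[str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, severity, reason) for every suspicious record."""
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for sev, why in analyze_record(json.loads(line)):
            yield (n, sev, why)


def summarize(text: str) -> Dict[str, int]:
    """Count findings by severity across a whole log."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, sev, _ in scan(text.splitlines()):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: [{sev}] {why}")
```

On the sample log the second record scores high (external source, WebSocket upgrade to the CLI path, X-Forwarded-For of 127.0.0.1), the fifth scores medium, the third scores low, and the fourth, a WebSocket session that really comes from 127.0.0.1, produces nothing; that last case is the one most naive rules get wrong.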