
When WAF Becomes a Backdoor: Inside the FortiWeb Campaign Compromised by Sliver C2

From WAF devices to C2 relays: A sophisticated attack campaign has just been discovered on FortiWeb systems aimed at maintaining long-term control.


Overview

For a long time, security architectures have treated the FortiWeb Web Application Firewall (WAF) as a frontline defense layer: it sits in front of web applications and screens the external scanning and attack traffic aimed at them. However, a recent campaign targeting this very layer shows that the line between defense and attack has never been thinner.

Recently, researchers discovered a stealthy infiltration campaign in which attackers exploited outdated FortiWeb devices to deploy Sliver C2, a powerful post-exploitation framework commonly used in APT operations and red-team engagements. Rather than settling for temporary access, the attackers turned FortiWeb into long-term control infrastructure: a persistence point, a proxy bridge into the internal network, and a springboard for deeper attacks.

Overview of Sliver C2

Sliver is an open-source Command-and-Control (C2) framework initially developed for red team and adversary simulation activities, but in recent years, it has been widely used by real-world threat groups (in-the-wild) in sophisticated infiltration campaigns.

Unlike many traditional C2s, Sliver is designed with a modern client-server architecture, supporting multiple platforms (Linux, Windows, macOS) and allowing for highly customizable implant (beacon) deployment.

One of the standout features of Sliver is how stealthy and flexible its C2 communication can be. The framework supports multiple transport protocols, including mTLS, HTTPS, DNS, and WireGuard, which makes control traffic hard to distinguish from legitimate traffic. Sliver also lets the operator configure the sleep interval, jitter, and domain fronting to minimize the chance of detection by network monitoring systems.

Affected Versions

This campaign primarily targets FortiWeb devices running outdated firmware that is no longer fully supported. The recorded versions include:

  • FortiWeb 5.4.202 to FortiWeb 6.1.62

Initial Context

From the initial analysis, cybersecurity experts noted that the attacker may have used multiple public, unpatched vulnerabilities to gain entry. Notably, this includes React2Shell (CVE-2025-55182), a shell exploit tool used as the initial infection step.

Although the exact FortiWeb vulnerability exploited directly has not been identified, the common factor among all affected devices is that they have not been patched for a long time and have many unresolved security flaws.

Campaign Details

To better understand the impact and danger level of Sliver C2 in this campaign, we will walk through the exploitation process from a Threat Intelligence perspective.

Every cyber attack begins with a reconnaissance phase and the selection of specific targets. During this phase, attackers perform mass scanning to identify FortiWeb devices with the following traits:

  • FortiWeb exposed directly to the Internet.

  • Old firmware versions that show signs of not being updated.

  • Administrative interface or web services that respond with FortiWeb-specific characteristics.


After identifying the target, the attacker exploits unpatched vulnerabilities on FortiWeb. Although there is currently no clear evidence of which CVE was exploited, the attacker most likely took advantage of n-day vulnerabilities that were not widely disclosed, or of a chain of logic flaws and misconfigurations. Either way, the goal is command execution on the security device itself.

Once they have access, the attacker downloads and deploys the Sliver implant from the C2 servers:

  • ns1.ubunutpackages[.]store

  • ns1.bafairforce[.]army

Both C2 servers belong to Autonomous System 62005, disguised behind fake websites like the “Ubuntu Packages” page or the Bangladesh Air Force recruitment page.


To avoid detection, the Sliver file is renamed to "system-updater" and placed at the path "/bin/.root/system-updater", disguising itself as a legitimate system component. Its task at this stage is to gather system information and establish a beacon connection back to the C2.

Then the Sliver implant connects back to the C2 server through:

  • HTTPS or mTLS.

  • Periodic beacons with sleep + jitter.

  • Domain/IP configured to:

    • Return legitimate content when accessed via a browser.

    • Reduce the chance of detection during manual analysis.

At this point, FortiWeb has unintentionally become a remote-controlled node in the Sliver infrastructure, turning it into a foothold for further attack steps in later stages.
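The periodic beacon with sleep and jitter described above is exactly what a defender can hunt for in outbound connection records, because jitter widens the spread of intervals but still leaves them tightly clustered compared with human browsing. The script below is an added example, not code from the original post or from the researchers it cites. It assumes a simple `timestamp,src_ip,dst_host` export (the log lines are constructed, one host beaconing roughly every 60 seconds and one host browsing irregularly) and flags any source/destination pair whose inter-connection intervals have a low coefficient of variation.

```python
"""Flag source/destination pairs whose outbound connections recur at a
near-fixed interval (beaconing).  Added example; the log is constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample export: 10.0.5.20 beacons every ~60 s with jitter,
# 10.0.5.31 shows ordinary, irregular browsing to a benign site.
SAMPLE_LOG = """\
2025-12-22T10:00:00,10.0.5.20,ns1.ubunutpackages.store
2025-12-22T10:00:10,10.0.5.31,www.example.com
2025-12-22T10:00:12,10.0.5.31,www.example.com
2025-12-22T10:01:03,10.0.5.20,ns1.ubunutpackages.store
2025-12-22T10:01:58,10.0.5.20,ns1.ubunutpackages.store
2025-12-22T10:03:05,10.0.5.20,ns1.ubunutpackages.store
2025-12-22T10:04:00,10.0.5.20,ns1.ubunutpackages.store
2025-12-22T10:04:57,10.0.5.20,ns1.ubunutpackages.store
2025-12-22T10:07:40,10.0.5.31,www.example.com
2025-12-22T10:08:01,10.0.5.31,www.example.com
2025-12-22T10:25:00,10.0.5.31,www.example.com
2025-12-22T10:25:03,10.0.5.31,www.example.com
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split(",")
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_interval_s, cv) where cv = population stdev / mean.
    A beacon with sleep + jitter yields a small cv; browsing yields a large one."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return 0.0, float("inf")
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(text, min_connections=5, max_cv=0.25):
    """Return the pairs that look like beacons.  Thresholds are assumptions:
    raise max_cv for heavily jittered implants, lower it to cut noise."""
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        mean, cv = beacon_score(stamps)
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "count": len(stamps),
                "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The check is deliberately transport-agnostic: it works on firewall, NetFlow, or DNS-resolver exports alike, which matters here because Sliver can beacon over HTTPS, mTLS, or DNS. Long sleep intervals simply require a longer observation window before `min_connections` is reached.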

To ensure long-term access, the attacker creates a service that starts with the system:

  • Add the Sliver implant to the supervisord configuration.

  • Ensure the process is restarted if killed.

After establishing a stable C2 channel and persistence mechanism on FortiWeb, the attacker moves to a strategic phase: turning this security device into a pivot point to gain deeper access into the organization's internal network.

Here, they install a lightweight SOCKS proxy (microsocks) directly on FortiWeb. The notable points:

  • Rename the process to cups-lpd.

  • Run on port 515 – the default port for the CUPS printing service.

  • Avoid creating clear logs.


Through the SOCKS proxy, the attacker can reach internal web applications, SSH/RDP, or backend APIs directly. It acts as a "gateway" into the internal network with no need for manual port forwarding.

In addition to the SOCKS proxy, the campaign also uses Fast Reverse Proxy (FRP) to:

  • Create a tunnel from the Internet → FortiWeb → internal systems.

  • Expose internal services externally in a controlled manner.

  • Avoid opening ports directly on the firewall.

Between December 22 and December 30, 2025, researchers recorded at least 30 victim IP addresses continuously beaconing to the Sliver server, from countries including Bangladesh, Pakistan, India, South Africa, and the United States.

The campaign's disguise and concealment are also clever: the attacker configured malicious systemd and supervisor services under names like "Updater Service" and "rootbinary." These services relaunch Sliver whenever the system reboots or the process is stopped, which corresponds to MITRE ATT&CK T1543.002 (Create or Modify System Process: Systemd Service).
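The persistence and masquerading tricks described in this section (a supervisord program and a systemd unit pointing at a hidden "/bin/.root/system-updater" binary, and microsocks renamed to cups-lpd on port 515) all leave host-level traces that a triage script can check. The script below is an added example, not tooling from the original post or from the researchers it cites. Its inputs are constructed: a supervisord configuration, a systemd unit, and a list of listening sockets as `(port, process name, resolved exe path)` triples of the kind you would collect with `ss -lntp` and `/proc/<pid>/exe`. The expected-binary table is an assumption that you would adjust to the appliance's real layout.

```python
"""Host triage for service-based persistence and process-name masquerading.
Added example; all inputs below are constructed."""
import configparser
import re

SUPERVISORD_CONF = """\
[supervisord]
logfile=/var/log/supervisord.log

[program:rootbinary]
command=/bin/.root/system-updater
autorestart=true

[program:webproxy]
command=/usr/sbin/nginx -g 'daemon off;'
autorestart=true
"""

SYSTEMD_UNIT = """\
[Unit]
Description=Updater Service

[Service]
ExecStart=/bin/.root/system-updater
Restart=always

[Install]
WantedBy=multi-user.target
"""

# (listen_port, process name as shown by ss/ps, resolved /proc/<pid>/exe)
LISTENING = [
    (515, "cups-lpd", "/tmp/.x/microsocks"),
    (443, "nginx", "/usr/sbin/nginx"),
    (22, "sshd", "/usr/sbin/sshd"),
]

# Assumed expected binaries for well-known service names; adjust per distro.
EXPECTED_EXE = {
    "cups-lpd": "/usr/lib/cups/daemon/cups-lpd",
    "sshd": "/usr/sbin/sshd",
    "nginx": "/usr/sbin/nginx",
}

HIDDEN_COMPONENT = re.compile(r"/\.[^/]+")  # any path component starting with "."
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def check_command(cmd):
    """Return the reasons a service command looks suspicious ([] if none)."""
    binary = cmd.split()[0] if cmd.strip() else ""
    reasons = []
    if HIDDEN_COMPONENT.search(binary):
        reasons.append("binary lives in a hidden (dot) directory")
    if binary.startswith(SUSPICIOUS_DIRS):
        reasons.append("binary lives in a world-writable temp directory")
    return reasons


def audit_supervisord(text):
    """Flag [program:*] entries whose command points at a suspicious binary."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("program:"):
            continue
        cmd = cp.get(section, "command", fallback="")
        for reason in check_command(cmd):
            findings.append((section, cmd, reason))
    return findings


def audit_systemd_unit(text):
    """Flag a unit whose ExecStart points at a suspicious binary."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    cmd = cp.get("Service", "ExecStart", fallback="")
    return [("ExecStart", cmd, reason) for reason in check_command(cmd)]


def audit_listeners(listeners):
    """Flag listeners whose process name does not match the expected binary
    (e.g. 'cups-lpd' on 515 served by a file under /tmp)."""
    findings = []
    for port, comm, exe in listeners:
        expected = EXPECTED_EXE.get(comm)
        reasons = check_command(exe)
        if expected and exe != expected:
            findings.append((port, comm, exe, f"name {comm!r} but exe is {exe}"))
        elif reasons:
            findings.append((port, comm, exe, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_supervisord(SUPERVISORD_CONF) + audit_systemd_unit(SYSTEMD_UNIT):
        print("service:", f)
    for f in audit_listeners(LISTENING):
        print("listener:", f)
```

Both the service checks and the listener check key off the same observation: a process name is trivial to change, but the path the kernel reports in `/proc/<pid>/exe` and the path written into the service definition are not, so comparing them against what a legitimate install would contain is a cheap, durable detection.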

Conclusion

The FortiWeb – Sliver C2 campaign highlights a concerning reality in today's cybersecurity landscape: security devices are no longer a "default safe zone." When frontline appliances like FortiWeb are exploited and controlled, the entire defense architecture behind them is at high risk without needing direct attacks on endpoints or internal servers.

The successful deployment of Sliver C2 on FortiWeb not only reflects the flexibility and danger of modern post-exploitation frameworks but also exposes inherent gaps in how organizations manage network devices: slow patching, lack of operating system-level monitoring, and blind trust in devices considered "secure by default."

The lesson is clear: security is not just about deploying the right tools, but about how they are operated, updated, and continuously monitored. If security devices are not properly protected, they can quickly become the most dangerous weak point in the entire system.

Recommendations

  1. Check and update FortiWeb immediately (High Priority)

    • Identify the current firmware version of all FortiWeb devices in the system.

    • Upgrade to the latest FortiWeb version supported by Fortinet, prioritizing recent security patches.

    • Do not maintain versions that are:

      • EOL (End-of-Life).

      • No longer receiving security patches.

  2. Monitor unusual network traffic

    • Analyze outbound traffic from FortiWeb:

      • Periodic HTTPS/DNS connections to the Internet.

      • Domains unrelated to Fortinet.

    • Block and monitor:

      • Known C2 domains/IPs related to Sliver.

    • Set up egress filtering:

      • FortiWeb should only connect to necessary endpoints (update, logging).

  3. Control administrative access

    • Restrict access to the FortiWeb management interface:

      • Allow only from trusted internal IPs.

      • Do not expose the management interface to the Internet.

    • Enable:

      • MFA for admin accounts.

      • Detailed logging of administrative actions.

    • Change all:

      • Admin passwords.

      • API keys/related credentials.

  4. Network segmentation and limit internal pivoting

    • Place FortiWeb in a clearly segmented network zone.

    • Do not allow FortiWeb to:

      • Freely access sensitive subnets.

      • Directly connect to management systems, databases.

    • Apply:

      • Internal ACLs.

      • Zero-Trust Network Access (ZTNA).

ATT&CK Summary by each stage

Initial Access – Exploit Internet-facing Device

  • T1190 – Exploit Public-Facing Application

Execution & Persistence – Implant Deployment and Long-Term Persistence

  • T1059 – Command Execution

  • T1543.002 – Systemd Service

Command & Control – Covert Control

  • T1071 – Application Layer Protocol

  • T1573 – Encrypted Channel

Defense Evasion – Detection Avoidance

  • T1036 – Masquerading

  • T1027 – Obfuscated Files

Pivoting & Lateral Movement – Most Dangerous

  • T1090 – Proxy

  • T1572 – Protocol Tunneling

IOC

  1. File Hash

    • 4086057b9a0f9898c07318e093814ae9cfdaaf6ad71a45b2d0d4cd75e57f9354

    • 964473ffbd593fc52a779b1d699c79cc66b459cf842c2e6221703e2e6a2322c0

    • 172a9ee9601ef0eb6fbd2676742edfb201c10369712dbf721e5d105aa1320a32

    • 3c24f30f2ca89d408d42293cab8fbb81cb9c2b0801074ef40f0a79770dac5956

    • 2897ee24de4cca2a4c6a085cf6fdccb6a89c6c23978529d81b4f4e6db46b0b96

    • dafc7517669e931de858464966af995c44c2e7c6bdf684d53c54d6503cd48a38

  2. Domain

    • testing.caai[.]in

    • ns1.bafairforce[.]army

    • ns1.ubunutpackages[.]store

  3. IP

    • 193.233.201[.]12

    • 195.20.17[.]253

    • 45.150.108[.]43

    • 45.143.167[.]7

    • 80.78.18[.]142

    • 192.81.210[.]81

    • 45.83.181[.]160

Reference

  1. Where is the EDR? Sliver C2 running from firewalls - Ctrl-Alt-Int3l

  2. GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
