KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
ID: cb88f3eb-2fb2-5e23-abd4-d007ab0b5758
STIX ID: report--cb88f3eb-2fb2-5e23-abd4-d007ab0b5758
Feed Name: Hunt.io Blog
A briefly exposed open directory on infrastructure attributed to RedGolf/APT41 and linked to KeyPlug revealed exploit scripts targeting Fortinet VPN/firewall (including WebSocket CLI exploits), a PHP AES/XOR webshell, PowerShell and Linux reverse shells, reconnaissance outputs (notably targeting Shiseido authentication and internal portals), and an HTTP-based session controller; the snapshot includes file hashes and IP/domain IOCs useful for detection and remediation.
