Where is the EDR? Sliver C2 running from firewalls
ID: 0e9ad672-cd41-5e88-90e5-6763da21feab
STIX ID: report--0e9ad672-cd41-5e88-90e5-6763da21feab
Feed Name: Ctrl-Alt-Int3l
During open-directory threat hunting, researchers discovered an active campaign that exploited React2Shell (CVE-2025-55182), and likely other vulnerabilities, in outdated FortiWeb appliances to deploy Sliver C2 implants. The actor used FRP and a renamed microsocks binary (cups-lpd) to proxy traffic and attempted persistence via systemd and supervisord. Investigators recovered C2 domains and IPs, implant SHA256 hashes, service files, and roughly 30 victim IPs spanning Pakistan, Bangladesh and other countries, indicating targeted operations against edge appliances.
