Where is the EDR? Sliver C2 running from firewalls
ID: bdde27ba-b740-594f-8c66-9db3e679159c
STIX ID: report--bdde27ba-b740-594f-8c66-9db3e679159c
Feed Name: Ctrl-Alt-Int3l
During open-directory threat hunting, researchers discovered exposed Sliver C2 databases and logs that revealed an active campaign. The operators exploited FortiWeb appliances (and React2Shell, CVE-2025-55182) to deploy Sliver implants, used FRP and a disguised microsocks proxy for lateral movement and remote access, and established persistence through systemd and supervisord services. The report includes C2 domains and IPs, implant SHA256 hashes, proxy details, and approximately 30 victim hosts across multiple countries.
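The two persistence mechanisms the summary names, systemd units and supervisord program sections, are cheap to sweep for on a suspected host. The following is an added hunting script, not code from the report or the Ctrl-Alt-Int3l feed: it parses both file formats and flags service commands that run from temporary or hidden directories or that name the tunnelling tools mentioned above (FRP, microsocks). The directory list, the tool-name pattern, and the sample unit and supervisord text are constructed assumptions for illustration, not indicators taken from the report.

```python
"""Sweep systemd unit files and supervisord configs for suspicious service
commands. Added example; heuristics and sample inputs are assumptions."""
import configparser
import re

# Assumption: directories from which legitimate long-running services rarely start.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/root/.", "/home/")
# Assumption: executable names matching the tunnelling tools the report mentions.
SUSPICIOUS_NAMES = re.compile(r"(?:^|/)(frpc?|frps|microsocks)\b")


def _parse(text: str) -> configparser.ConfigParser:
    """Both formats are INI-like; keep key case (systemd keys are case-sensitive)
    and tolerate repeated keys such as multiple ExecStart= lines."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def classify_command(cmd: str) -> list[str]:
    """Return the reasons a service command line looks like attacker persistence."""
    reasons = []
    parts = cmd.strip().split()
    if not parts:
        return reasons
    # systemd allows prefix characters (-, @, !, +, :) before the executable path.
    exe = parts[0].lstrip("-@!+:")
    if exe.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"executable in unusual directory: {exe}")
    if SUSPICIOUS_NAMES.search(exe):
        reasons.append(f"known tunnelling tool name: {exe}")
    return reasons


def hunt_systemd(unit_text: str, unit_name: str) -> list[str]:
    """Check every Exec* directive in a unit's [Service] section."""
    cp = _parse(unit_text)
    findings = []
    if cp.has_section("Service"):
        for key in ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload"):
            cmd = cp.get("Service", key, fallback="")
            for reason in classify_command(cmd):
                findings.append(f"{unit_name}: {key} -> {reason}")
    return findings


def hunt_supervisord(conf_text: str) -> list[str]:
    """Check the command= of every [program:...] section."""
    cp = _parse(conf_text)
    findings = []
    for section in cp.sections():
        if section.startswith("program:"):
            cmd = cp.get(section, "command", fallback="")
            for reason in classify_command(cmd):
                findings.append(f"{section}: command -> {reason}")
    return findings


# Constructed sample inputs (not artifacts from the report).
SAMPLE_UNIT = """\
[Unit]
Description=Network helper

[Service]
ExecStart=/dev/shm/.x/frpc -c /dev/shm/.x/frpc.ini
Restart=always

[Install]
WantedBy=multi-user.target
"""

SAMPLE_SUPERVISORD = """\
[supervisord]
logfile=/var/log/supervisord.log

[program:nginx]
command=/usr/sbin/nginx -g 'daemon off;'

[program:kworker]
command=/tmp/.sys/kworker -i 0.0.0.0 -p 1080
"""

if __name__ == "__main__":
    for line in hunt_systemd(SAMPLE_UNIT, "net-helper.service"):
        print(line)
    for line in hunt_supervisord(SAMPLE_SUPERVISORD):
        print(line)
```

On a live host, feed the script the contents of /etc/systemd/system/*.service, ~/.config/systemd/user/*.service and /etc/supervisor/conf.d/*.conf; a renamed proxy will usually still betray itself by its start directory even when the filename has been chosen to blend in, which is why the directory check is kept independent of the name check.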
