Chinese Cluster OP-512 Targets IIS Servers to Deploy Custom Web Shells
2026-06-06 11:43

en.Wedoany.com Reported - Cybersecurity researchers have uncovered a previously unreported threat cluster, tracked as OP-512, that targets Microsoft Internet Information Services (IIS) servers to deploy a custom web shell framework. Security firm ReliaQuest assesses with medium to high confidence that the espionage-focused campaign is linked to China.

In its report, ReliaQuest said OP-512 is highly likely conducting espionage against organizations through compromised IIS web servers, with the targeted organizations' industries and geographic locations aligning with China's intelligence priorities. Although no overlap has been found between OP-512 and other known China-linked adversaries, it is the fourth threat group to specifically target IIS web servers in the past 12 months, following CL-STA-0048, DragonRank, and GhostRedirector. Just last month, Cisco Talos disclosed that multiple Chinese cybercriminal groups share a malware family called BadIIS to infect IIS servers. IIS servers have also been targeted by SHADOW-EARTH-053 as part of a new China-linked espionage campaign against government and defense organizations in South, East, and Southeast Asia.

At the core of the OP-512 operation is a custom web shell framework made up of three web shells. It gives the attackers remote access to compromised hosts while evading signature-based detection and timestomping the artifacts it drops, which complicates forensic timelines. Specifically, the web shell scans every file and subfolder around its own location, computes the median of their last-modified timestamps, and overwrites its own creation and modification times with that value, so the shell appears to have existed on the server for as long as the files around it.
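To make the timestomping step concrete, the Python below is an added example (it is not OP-512's code, and the directory layout, file names and timestamps are constructed). It reimplements the described median-of-neighbours logic against a throwaway directory, then runs a defender-side heuristic that flags server-side scripts whose mtime sits exactly on the median of their neighbours' mtimes. Python's os.utime cannot set the NTFS creation time the report mentions, so only atime/mtime are stamped here.

```python
import os
import statistics
import tempfile
from pathlib import Path

# Server-side script extensions a web shell is likely to use (assumption; extend per app)
WEB_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".soap", ".svc"}


def neighbour_mtimes(root: Path, exclude: Path) -> list[float]:
    """Last-modified times of every file and subfolder under root, minus one path,
    mirroring the report's 'scan every file and subfolder around the shell'."""
    return [p.stat().st_mtime for p in root.rglob("*") if p != exclude]


def median_timestomp(target: Path) -> float:
    """Attacker-side behaviour as described by ReliaQuest, reimplemented for study:
    stamp the dropped file with the median mtime of everything around it."""
    times = neighbour_mtimes(target.parent, target)
    if not times:
        return target.stat().st_mtime
    stamp = statistics.median(times)
    # os.utime sets atime/mtime only; the NTFS creation time the report says is also
    # rewritten would need SetFileTime(), which is deliberately not reproduced here.
    os.utime(target, (stamp, stamp))
    return stamp


def median_matching_scripts(root: Path, tolerance: float = 0.001) -> list[Path]:
    """Defender-side heuristic: a script whose mtime lands on the median of its
    neighbours' mtimes to the millisecond deserves a closer look. Confirm a stomp by
    comparing $STANDARD_INFORMATION against $FILE_NAME timestamps in the MFT."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in WEB_EXTS:
            continue
        others = neighbour_mtimes(root, p)
        if others and abs(p.stat().st_mtime - statistics.median(others)) <= tolerance:
            hits.append(p)
    return hits


def demo() -> tuple[float, list[str]]:
    """Constructed scenario: an upload folder, a dropped .ashx, the stomp, the scan."""
    root = Path(tempfile.mkdtemp())
    base = 1_700_000_000  # constructed epoch anchor, one day between files
    for i, name in enumerate(["a.jpg", "b.pdf", "c.png", "d.docx", "e.zip"]):
        f = root / name
        f.write_text("constructed content")
        os.utime(f, (base + i * 86400, base + i * 86400))
    sub = root / "2023"
    sub.mkdir()
    os.utime(sub, (base + 5 * 86400, base + 5 * 86400))
    shell = root / "cmd.ashx"  # hypothetical file name
    shell.write_text("<!-- constructed placeholder, not a real web shell -->")
    stamp = median_timestomp(shell)  # median of six neighbours: base + 2.5 days
    return stamp, [h.name for h in median_matching_scripts(root)]


if __name__ == "__main__":
    print(demo())  # (1700216000.0, ['cmd.ashx'])
```

The heuristic will also match a legitimate file that happens to be the median of an odd-sized directory, which is why it is restricted to script extensions and why the MFT comparison, not the mtime alone, is the confirming check.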

ReliaQuest stated that the framework combines capabilities rarely seen together: each deployment is uniquely generated, attacker access is gated by encrypted controls, and compromised servers automatically report back, allowing large-scale centralized management. OP-512 is tactically very close to CL-STA-0048 and may represent either that cluster after a complete overhaul of its toolset or a group that developed these capabilities independently. Whatever its origin, it operates as a distinct cluster with its own approach.

In the observed intrusion, the threat actors targeted an outdated IIS server running Windows Server 2016 with the unsupported .NET Framework 4.0. Evidence suggests the same host had seen activity approximately 75 days before the main incident, in the form of DNS queries to the attacker-controlled domain "ashx.lhlsjcb[.]com." A burst of actions weeks later, which ReliaQuest described as a "sprint," saw the attackers use the IIS worker process ("w3wp.exe") to write one of the web shells into the application's upload directory. That triggered a self-reporting mechanism, which transmitted the web shell's location to the attacker-controlled domain via DNS queries or HTTP requests.
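The self-reporting step described above leaves two correlatable traces: a request to a server-side script under the upload directory, and a DNS lookup of the attacker domain made by the IIS worker process. The Python below is an added example, not ReliaQuest's or OP-512's code. It parses a constructed IIS W3C log excerpt and a constructed DNS-query export (Sysmon Event ID 22 style, flattened to one line per query) and pairs the two within a time window. The upload path prefixes, the subdomain label and every log line are assumptions; the only detail taken from the report is the defanged domain.

```python
from datetime import datetime, timedelta

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asax", ".soap", ".svc")
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/")  # assumption: adjust to the application
WATCH_DOMAINS = ("lhlsjcb.com",)  # from the report; the article writes it as ashx.lhlsjcb[.]com
WORKER = "w3wp.exe"

# Constructed IIS W3C extended log excerpt (not from the incident)
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-20 03:14:07 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-20 03:14:09 10.0.0.5 POST /api/upload - 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-20 03:14:12 10.0.0.5 POST /uploads/2026/05/report.ashx k=1 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-20 03:15:01 10.0.0.5 GET /uploads/2026/05/photo.jpg - 443 - 198.51.100.9 Mozilla/5.0 200
"""

# Constructed DNS-query records as "date time process query"; the label is hypothetical
DNS_LOG = """2026-05-20 03:14:13 w3wp.exe 6cd8a3.ashx.lhlsjcb.com
2026-05-20 03:20:44 svchost.exe time.windows.com
"""


def parse_iis(text: str) -> list[dict]:
    """Read the #Fields header and turn each data line into a dict keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records


def parse_dns(text: str) -> list[dict]:
    out = []
    for line in text.splitlines():
        if line.strip():
            d, t, proc, query = line.split()
            out.append({"ts": datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"),
                        "proc": proc, "query": query.lower()})
    return out


def flag_upload_scripts(records: list[dict]) -> list[dict]:
    """A script extension being served from an upload tree is the web shell signal."""
    return [r for r in records
            if r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)
            and any(d in r["cs-uri-stem"].lower() for d in UPLOAD_DIRS)]


def flag_dns(records: list[dict]) -> list[dict]:
    return [r for r in records
            if any(r["query"] == d or r["query"].endswith("." + d) for d in WATCH_DOMAINS)]


def correlate(iis: list[dict], dns: list[dict],
              window: timedelta = timedelta(minutes=5)) -> list[tuple[str, str]]:
    """Pair each suspicious script request with a watched-domain lookup made by the
    IIS worker process shortly after it: the self-report pattern from the report."""
    pairs = []
    for req in flag_upload_scripts(iis):
        t0 = datetime.strptime(f"{req['date']} {req['time']}", "%Y-%m-%d %H:%M:%S")
        for q in flag_dns(dns):
            if q["proc"].lower() == WORKER and t0 <= q["ts"] <= t0 + window:
                pairs.append((req["cs-uri-stem"], q["query"]))
    return pairs


if __name__ == "__main__":
    for stem, query in correlate(parse_iis(IIS_LOG), parse_dns(DNS_LOG)):
        print(f"possible self-report: {stem} -> {query}")
```

Because the report says the beacon may also go out over HTTP, the same correlation should be run against outbound proxy or firewall logs for the watched domain, keyed on the worker process where the egress logging records it.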

Together, the three web shells give the attackers file management, command execution (authenticated through two independent access paths), and automatic reporting of the compromised status. After deploying the web shells, OP-512 attempted to escalate privileges to SYSTEM using the Potato family of tools, then ran commands such as "whoami /priv" to confirm the privileges it had obtained.
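Two checks follow from this paragraph. The Potato family of local privilege escalation tools depends on the calling account holding SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), which IIS application pool identities hold by default, so the output of "whoami /priv" shows at a glance whether that path is open; and command execution through a web shell appears in telemetry as the IIS worker process spawning a command interpreter or reconnaissance binary. The Python below is an added example, not code from the report: it parses a constructed "whoami /priv" dump and constructed process-creation records (Sysmon Event ID 1 style, flattened to CSV). All user names, paths and timestamps are fictitious.

```python
import csv
import io
from pathlib import PureWindowsPath

POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe", "cscript.exe"}
WORKER = "w3wp.exe"

# Constructed "whoami /priv" output for an app-pool identity (not from the incident)
WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Constructed process-creation records (Sysmon Event ID 1 style, flattened to CSV)
PROC_EVENTS = r"""UtcTime,ParentImage,Image,CommandLine,User
2026-05-20 03:14:12,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\cmd.exe,cmd.exe /c whoami /priv,IIS APPPOOL\DefaultAppPool
2026-05-20 03:14:12,C:\Windows\System32\cmd.exe,C:\Windows\System32\whoami.exe,whoami /priv,IIS APPPOOL\DefaultAppPool
2026-05-20 03:14:30,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -nop -c whoami,IIS APPPOOL\DefaultAppPool
2026-05-20 03:30:00,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe,CORP\alice
"""


def parse_privileges(text: str) -> dict[str, str]:
    """Map privilege name -> State from whoami /priv output (State is the last column)."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def potato_exposure(text: str) -> list[str]:
    """Privileges held (Enabled or Disabled: a process can enable its own held
    privileges) that impersonation-based escalation needs. Empty means that path is closed."""
    return [p for p in parse_privileges(text) if p in POTATO_PRIVS]


def worker_spawned_interpreters(csv_text: str) -> list[dict]:
    """Process events where the IIS worker process directly launched a shell or recon tool."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent = PureWindowsPath(row["ParentImage"]).name.lower()
        child = PureWindowsPath(row["Image"]).name.lower()
        if parent == WORKER and child in INTERPRETERS:
            hits.append(row)
    return hits


if __name__ == "__main__":
    print("Potato-relevant privileges held:", potato_exposure(WHOAMI_PRIV))
    for row in worker_spawned_interpreters(PROC_EVENTS):
        print("worker spawned:", row["Image"], "as", row["User"], "->", row["CommandLine"])
```

Removing SeImpersonatePrivilege from an application pool identity breaks legitimate impersonation scenarios, so the practical response is usually to alert on the worker-process spawn pattern and to keep the pool identity a low-privilege virtual account rather than to strip the privilege.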

ReliaQuest noted that it is unlikely to be a coincidence that four China-linked clusters have targeted the same technology in under a year. Internet-facing IIS servers running outdated, unsupported software remain a popular entry point in this threat ecosystem, with no sign of that slowing down. What should worry defenders most is what sets OP-512 apart: rather than reusing common tooling across campaigns, the cluster employs a purpose-built framework designed to defeat the detection methods that work against the other three clusters. Organizations that have tuned their defenses to known actors are likely not adequately covered.

This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com