OP-512: New Campaign Targeting IIS with Custom Web Shell

Colleagues, please note: researchers have identified a cluster named OP-512 targeting Microsoft IIS.
ReliaQuest attributes the activity to China. The operators deployed a framework comprising three custom web shells to maintain access and provide automated reporting.
Evasion techniques include timestomping, cryptographic access controls, and per‑install unique generation.
Primary targets are outdated, internet‑facing IIS instances (e.g., Windows Server 2016, .NET 4.0). Attempts at privilege escalation (Potato Suite) and DNS/HTTP-based command-and-control were observed.
Why this matters: the framework is explicitly designed to bypass detections tuned to known clusters — IIS environments should be audited and patched.
What measures will you take to protect IIS?
#cybersecurity #IIS #webshells #threatintelligence
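As an added, defender-side illustration (not code from the ReliaQuest report or from the OP-512 operators), the script below sketches one way to start the audit this post calls for: it walks an IIS web root, collects NTFS timestamps for server-side script files, and flags files that look timestomped (a last-write time earlier than the creation time, or a whole-second last-write time, which timestomping tools commonly leave behind) or that changed recently. Because per-install unique generation defeats hash-based matching, the check relies on timestamp heuristics rather than signatures. The web-root path, the extension list, the 30-day threshold and the sample file records are constructed assumptions for this example, not values from the report.

```python
"""Added example (not from the OP-512 report): triage an IIS web root for
timestomped or recently changed server-side files."""
import os
import sys
from dataclasses import dataclass
from pathlib import Path

SEC_NS = 10**9
DAY_NS = 86_400 * SEC_NS

# File types IIS executes or loads; assumption for this example, extend as needed.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".dll", ".config"}


@dataclass(frozen=True)
class FileFacts:
    path: str
    created_ns: int   # NTFS creation (birth) time, ns since epoch
    modified_ns: int  # NTFS last-write time, ns since epoch


def collect_facts(web_root):
    """Gather timestamps for script-type files under web_root.

    On Windows, Python exposes the NTFS creation time as st_birthtime_ns
    (3.12+) or st_ctime_ns (older). On other OSes st_ctime is the inode
    change time, so results there are only approximate."""
    facts = []
    for p in Path(web_root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            st = p.stat()
            created = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
            facts.append(FileFacts(str(p), created, st.st_mtime_ns))
    return facts


def timestomp_indicators(f, now_ns, recent_days=30):
    """Return the heuristic reasons a file deserves a closer look.

    Whole-second write times also occur legitimately (files copied from
    FAT media or extracted from archives), so treat these as triage hints,
    not proof of compromise."""
    reasons = []
    if f.modified_ns < f.created_ns:
        reasons.append("modified-before-created")
    if f.modified_ns % SEC_NS == 0:
        reasons.append("zero-subsecond-mtime")
    if now_ns - f.modified_ns <= recent_days * DAY_NS:
        reasons.append("recently-modified")
    return reasons


def audit(facts, now_ns, recent_days=30):
    """Map each flagged script-type file to its list of indicators."""
    flagged = {}
    for f in facts:
        if os.path.splitext(f.path)[1].lower() not in SCRIPT_EXTS:
            continue
        reasons = timestomp_indicators(f, now_ns, recent_days)
        if reasons:
            flagged[f.path] = reasons
    return flagged


# Constructed sample data so the example runs offline; paths and times are made up.
SAMPLE_NOW_NS = 1_700_000_000 * SEC_NS
SAMPLE_FACTS = [
    # Long-lived, untouched page: nothing to report.
    FileFacts(r"C:\inetpub\wwwroot\default.aspx",
              SAMPLE_NOW_NS - 400 * DAY_NS + 123_456_700,
              SAMPLE_NOW_NS - 399 * DAY_NS + 555_000_000),
    # Created two days ago but "last written" 300 days ago, on a whole second.
    FileFacts(r"C:\inetpub\wwwroot\cache.aspx",
              SAMPLE_NOW_NS - 2 * DAY_NS + 77_000_000,
              SAMPLE_NOW_NS - 300 * DAY_NS),
    # Handler dropped yesterday with consistent timestamps: flagged only as recent.
    FileFacts(r"C:\inetpub\wwwroot\upload.ashx",
              SAMPLE_NOW_NS - DAY_NS + 5,
              SAMPLE_NOW_NS - DAY_NS + 5),
    # Static asset: ignored by extension.
    FileFacts(r"C:\inetpub\wwwroot\logo.png",
              SAMPLE_NOW_NS - DAY_NS, SAMPLE_NOW_NS - DAY_NS),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import time
        findings = audit(collect_facts(sys.argv[1]), time.time_ns())
    else:
        findings = audit(SAMPLE_FACTS, SAMPLE_NOW_NS)
    for path, reasons in sorted(findings.items()):
        print(f"{path}: {', '.join(reasons)}")
```

Run it with a web-root argument (for example `python audit_iis.py C:\inetpub\wwwroot`) to scan a live server, or with no argument to see the constructed sample. A file the audit flags should then be compared against the deployment's own change records and its IIS request logs before anything is removed.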