Chinese Threat Group OP 512 Strikes Legacy IIS Servers With Custom Web Shell Arsenal

Researchers found that the attacker waited 75 days after initial access before deploying a custom web shell framework built to evade signature-based detection.

CSBadmin
2 Min Read

Attack Profile and Identified Actor

A newly discovered threat group, designated OP 512, has been observed targeting Internet Information Services (IIS) web servers with a sophisticated, custom-built web shell framework. Security researchers at ReliaQuest identified the cluster after their artificial intelligence system correlated a series of seemingly unrelated suspicious events into a single high-priority incident. The group is assessed with moderate to high confidence to be a previously undocumented actor with suspected ties to Chinese state-aligned intelligence priorities, based on the targeted organization's sector and geographic profile.

The operation demonstrates notable patience and precision. Investigators found that the attacker first gained access to the target server 75 days before the main intrusion was executed. Rather than acting immediately, the actor waited, then returned and deployed its full toolkit within hours. This behavior is consistent with state-sponsored espionage campaigns, where stealth and careful planning are paramount.

Technical Execution and Detection Challenges

At the core of the attack is a custom web shell framework comprising three malicious files that give the attacker remote access through a web browser. Each deployment is generated uniquely, so every installation produces files with a different hash. This defeats traditional signature-based detection, which relies on matching known file hashes or static byte patterns; detection has to key on behavior rather than content. The compromised server was running Windows Server 2016 with a .NET Framework version that has not received security updates since 2016, illustrating how outdated, internet-facing infrastructure remains a prime entry point for espionage.

Once inside the server, the attacker moved quickly to establish control. The IIS worker process (w3wp.exe) wrote the first web shell, a .aspx file manager, into an upload directory, giving the actor persistent browser-based backdoor access. That write itself, the worker process creating a server-side script file under a web-served path, is a hash-independent signal worth alerting on. OP 512 is at least the fourth China-linked cluster documented targeting legacy IIS servers in the past year, confirming that such systems are a preferred attack surface for intelligence-gathering operations.
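The detection angle implied by the two paragraphs above, as an added example that is not part of the original article and not ReliaQuest's tooling: instead of matching file hashes, it flags the IIS worker process creating a script-executable file under a web-served directory, then pulls the first request to that new URL out of the access log to identify the operator's address. The site root mapping, the w3wp.exe path, the Sysmon Event ID 11 and IIS W3C field subsets, and all sample records are constructed assumptions for this example.

```python
"""Hash-independent detection of a web-shell drop on IIS.

Added example, not from the article: it keys on behaviour (the IIS worker
process w3wp.exe creating a server-side script file under a web-served path)
rather than file content, then pulls the first request to the new URL out of
the access log. Input records are constructed for this example and mimic
Sysmon Event ID 11 (FileCreate) and IIS W3C log fields.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import List, Optional

# Extensions IIS hands to a script engine; a file with one of these created
# by the worker process itself is the upload-to-web-shell pattern. web.config
# is included because a dropped web.config can register its own handler.
EXECUTABLE_WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".asp", ".config"}

# Hypothetical site layout: physical root -> URL prefix. In production take
# these from applicationHost.config (physicalPath) rather than hard-coding.
SITE_ROOTS = {r"C:\inetpub\wwwroot": "/"}

WORKER_PROCESS_NAMES = {"w3wp.exe"}


@dataclass(frozen=True)
class FileCreate:
    """Subset of Sysmon Event ID 11 fields."""
    utc_time: datetime
    image: str      # creating process (full path)
    target: str     # TargetFilename


@dataclass(frozen=True)
class WebRequest:
    """Subset of IIS W3C log fields."""
    utc_time: datetime
    method: str
    uri_stem: str
    client_ip: str
    status: int


@dataclass(frozen=True)
class Alert:
    path: str
    created: datetime
    first_request: Optional[WebRequest]   # None if nobody has called the shell yet


def url_for(path: str) -> Optional[str]:
    """Map a physical path to its URL, or None if it is not web-served.
    Windows paths are case-insensitive, so compare lower-cased strings."""
    lowered = path.lower()
    for root, prefix in SITE_ROOTS.items():
        root_l = root.lower().rstrip("\\")
        if lowered.startswith(root_l + "\\"):
            relative = path[len(root_l) + 1:].replace("\\", "/")
            return prefix.rstrip("/") + "/" + relative
    return None


def is_shell_drop(ev: FileCreate) -> bool:
    """True when the IIS worker process creates a script-executable file in
    a web-served directory. The file's hash never enters the decision."""
    image_name = PureWindowsPath(ev.image).name.lower()
    suffix = PureWindowsPath(ev.target).suffix.lower()
    return (image_name in WORKER_PROCESS_NAMES
            and suffix in EXECUTABLE_WEB_EXTENSIONS
            and url_for(ev.target) is not None)


def detect(file_events: List[FileCreate], requests: List[WebRequest],
           window: timedelta = timedelta(hours=24)) -> List[Alert]:
    """Flag shell drops and attach the first request to the dropped URL
    within `window` after creation, which identifies the operator's IP."""
    alerts = []
    by_time = sorted(requests, key=lambda r: r.utc_time)
    for ev in file_events:
        if not is_shell_drop(ev):
            continue
        url = url_for(ev.target).lower()
        hit = next((r for r in by_time
                    if r.uri_stem.lower() == url
                    and ev.utc_time <= r.utc_time <= ev.utc_time + window), None)
        alerts.append(Alert(ev.target, ev.utc_time, hit))
    return alerts


# Constructed sample telemetry (not real data): one benign upload, one normal
# ASP.NET compilation artefact, one web-shell drop, one deployment by msiexec.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
FILE_EVENTS = [
    FileCreate(datetime(2025, 1, 1, 9, 0, 0), W3WP, r"C:\inetpub\wwwroot\uploads\invoice_1023.pdf"),
    FileCreate(datetime(2025, 1, 1, 9, 5, 0), W3WP,
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\a1b2\App_Web_x.dll"),
    FileCreate(datetime(2025, 1, 1, 9, 7, 0), W3WP, r"C:\inetpub\wwwroot\uploads\manager.ASPX"),
    FileCreate(datetime(2025, 1, 1, 9, 8, 0), r"C:\Windows\System32\msiexec.exe", r"C:\inetpub\wwwroot\app\Default.aspx"),
]
REQUESTS = [
    WebRequest(datetime(2025, 1, 1, 9, 6, 50), "POST", "/upload.aspx", "203.0.113.10", 200),
    WebRequest(datetime(2025, 1, 1, 9, 7, 30), "POST", "/uploads/manager.aspx", "203.0.113.10", 200),
    WebRequest(datetime(2025, 1, 1, 9, 9, 0), "GET", "/index.aspx", "198.51.100.7", 200),
]

if __name__ == "__main__":
    for a in detect(FILE_EVENTS, REQUESTS):
        who = f"{a.first_request.client_ip} at {a.first_request.utc_time}" if a.first_request else "no request yet"
        print(f"web-shell drop: {a.path} created {a.created}; first hit: {who}")
```

Only the manager.ASPX event fires: the PDF has no executable extension, the App_Web DLL is the worker's normal compilation output outside the web root, and the msiexec drop comes from a deployment tool rather than the worker. Feed real Sysmon and IIS logs through parsers that produce the same two record types, and add an allow-list for legitimate deployment processes before using the rule at scale.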

Source: Cyber Security News
