Cybersecurity researchers have identified a previously unreported threat cluster called OP-512 that targeted Microsoft Internet Information Services servers to deploy a custom web shell framework, with ReliaQuest assessing with moderate to high confidence that the espionage activity is linked to China.
KEY FACTS
- Target: Internet Information Services servers running legacy software.
- Payload: A bespoke framework made up of three web shells.
- Defense evasion: The tools used timestomping to alter file timestamps.
- Access control: The framework used cryptographic controls and self-reporting features.
A technical analysis from ReliaQuest said OP-512 likely conducted espionage through a compromised IIS web server at an organization whose sector and geography matched China-linked intelligence priorities. The company said it found no overlaps with other known China-aligned adversaries.
The report said OP-512 was the fourth threat group in the past 12 months to single out IIS web servers, following CL-STA-0048, DragonRank and GhostRedirector. Cisco Talos last month disclosed that multiple Chinese-speaking cybercrime groups were sharing a variant of BadIIS to infect IIS servers.
ReliaQuest said the group used a custom web shell framework with three shells that allowed remote access, file management and authenticated command execution. The tools were designed to evade signature-based detection, while timestomping was used to make the artifacts appear older by matching nearby file timestamps.
In the incident described, the attacker targeted a legacy IIS server running Windows Server 2016 with end-of-life .NET Framework 4.0. The activity included earlier DNS queries to an attacker-controlled domain about 75 days before the main incident, then later use of the web server’s worker process to drop a shell into an upload directory and report its location back through DNS or HTTP.
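The two file-level tells described above, a server-side script dropped into an upload directory and timestamps forged to blend in with older neighbours, can be checked with a short scan. The following Python is an added example written for this article, not code from ReliaQuest or from the reported framework; the upload directory, file names and the 90-day offset are constructed sample data. The timestomp heuristic relies on the fact that utime()-style forgery rewrites mtime but, on POSIX, the kernel updates the inode change time (ctime) on that same call and user space cannot set it; on Windows, st_ctime is the creation time, so the same gap also appears for a freshly created file given an old mtime and should be treated as advisory there.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions IIS hands to the ASP.NET pipeline; any of these inside a directory
# meant for user uploads matches the drop pattern the report describes.
SERVER_SIDE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".config"}


def find_suspicious_uploads(upload_dir, skew_seconds=3600):
    """Scan an upload directory and return [(relative_path, [reasons])].

    Heuristic 1: a server-side script file where only user content belongs.
    Heuristic 2: a modification time far older than the inode change time,
                 which a forged mtime produces because ctime cannot be set
                 from user space on POSIX (advisory on Windows, see lead-in).
    """
    root = Path(upload_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        reasons = []
        if path.suffix.lower() in SERVER_SIDE_EXTENSIONS:
            reasons.append("server-side-script-in-upload-dir")
        if st.st_ctime - st.st_mtime > skew_seconds:
            reasons.append("mtime-predates-ctime")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def build_sample_upload_dir():
    """Constructed sample directory (not artifacts from the reported incident):
    two benign uploads with natural timestamps and a placeholder .aspx whose
    mtime is pushed back 90 days to mimic timestomping against old neighbours."""
    root = Path(tempfile.mkdtemp(prefix="iis_uploads_"))
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    (root / "notes.txt").write_text("constructed benign upload\n")
    dropped = root / "upload_handler.aspx"          # hypothetical file name
    dropped.write_text("<%-- constructed placeholder, not a working page --%>\n")
    old = time.time() - 90 * 86400
    os.utime(dropped, (old, old))   # forge atime/mtime; ctime stays 'now'
    return str(root)


if __name__ == "__main__":
    for rel, why in find_suspicious_uploads(build_sample_upload_dir()):
        print(rel, ", ".join(why))
```

Run against a real upload root, the scan only narrows the candidate set; a flagged file still needs its content and the IIS request logs for that path reviewed before it is treated as a shell, and on NTFS the $FILE_NAME timestamps (which SetFileTime does not touch) are the stronger timestomp check when a forensic image is available.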
The report also said the attacker tried to raise privileges to SYSTEM using the Potato Suite and ran commands such as whoami /priv to verify access. ReliaQuest said the framework combined unique deployment, cryptographic access restrictions and automated reporting to support centralized management at scale.
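The post-compromise behaviour described above, commands such as whoami /priv issued from the web server's worker process, is easiest to catch by process lineage: w3wp.exe has legitimate children (the ASP.NET compiler, for one) but no reason to spawn a shell or account-recon tool. The following Python is an added example for this article, not ReliaQuest's detection logic; the event records are constructed to resemble the fields a Sysmon process-creation event or EDR telemetry would carry, and the PIDs and paths are made up.

```python
import os
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"
# The worker process legitimately compiles pages (csc.exe) but has no business
# launching an interactive shell or the recon binaries the report mentions.
SHELL_AND_RECON = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str          # full image path as process-creation telemetry carries it
    command_line: str


def _basename(image):
    return os.path.basename(image.replace("\\", "/")).lower()


def ancestry(event, by_pid, max_depth=8):
    """Walk parent links and return the chain of image names, child first."""
    chain, cur = [], event
    while cur is not None and len(chain) < max_depth:
        chain.append(_basename(cur.image))
        cur = by_pid.get(cur.parent_pid)
    return chain


def find_worker_spawned_shells(events):
    """Return (event, chain) for processes descended from w3wp.exe that are
    a shell/recon binary or carry a 'whoami /priv'-style privilege check."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        if IIS_WORKER not in chain[1:]:      # w3wp.exe itself is not the alert
            continue
        if chain[0] in SHELL_AND_RECON or "/priv" in e.command_line.lower():
            hits.append((e, " <- ".join(chain)))
    return hits


# Constructed sample telemetry (hypothetical PIDs and paths, not incident data).
SAMPLE_EVENTS = [
    ProcessEvent(1200, 800, r"C:\Windows\System32\svchost.exe", "svchost.exe -k iissvcs"),
    ProcessEvent(4120, 1200, r"C:\Windows\System32\inetsrv\w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"'),
    # Benign: ASP.NET compiling a page on first request.
    ProcessEvent(4300, 4120, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
    # Suspicious: worker process running a shell that checks privileges.
    ProcessEvent(5566, 4120, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami /priv"),
    ProcessEvent(5570, 5566, r"C:\Windows\System32\whoami.exe", "whoami /priv"),
    # Benign: an admin's console, parent not in the IIS tree.
    ProcessEvent(6001, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


if __name__ == "__main__":
    for event, chain in find_worker_spawned_shells(SAMPLE_EVENTS):
        print(f"pid {event.pid}: {event.command_line!r}  lineage: {chain}")
```

Matching on ancestry rather than the immediate parent matters because the report describes the shell as the intermediary: whoami.exe's direct parent is cmd.exe, and a parent-only rule would miss it while still firing on the compiler.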
WHY IT MATTERS
The findings show that legacy IIS servers remain a recurring target for espionage groups and cybercrime teams that want a foothold on internet-facing systems. Organizations running unsupported software may face tools built to evade defenses tuned to known threats.