Emerging Threat Cluster OP-512 Exploits Microsoft IIS Servers with Custom Web Shells
Cybersecurity researchers have identified a new threat cluster, designated OP-512, actively targeting Microsoft Internet Information Services (IIS) servers to deploy a sophisticated web shell framework. This activity is assessed with moderate to high confidence to be linked to China, indicating a focus on cyber espionage.
ReliaQuest, the cybersecurity firm that uncovered OP-512, reported that the group likely conducts espionage through compromised IIS web servers belonging to organizations whose sectors and locations align with China’s intelligence priorities. Although OP-512 does not overlap with other known China-aligned adversaries, it is the fourth such group in the past year to target IIS servers, following CL-STA-0048, DragonRank, and GhostRedirector. Notably, Cisco Talos recently revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers.
The OP-512 operation centers around a custom web shell framework comprising three distinct web shells. These tools grant attackers remote access to compromised hosts while employing advanced techniques to evade detection and complicate forensic analysis. One such technique is timestomping, where the attackers manipulate the creation and modification timestamps of the web shell files to blend them with existing files, making them appear as longstanding components of the system.
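The timestomping described above defeats a "newest files first" review, but it leaves other traces a defender can hunt for. The following Python script is an added example, not code from the report or from ReliaQuest: it walks a web application's upload directory (a location the report says was used to drop a web shell), flags server-executable file types that have no business there, and applies two cheap backdating checks, a modification time with an exact zero sub-second fraction (ordinary writes leave a fraction; timestamp-rewriting tools usually set whole seconds) and a modification time older than the application's deployment baseline. The baseline date, the extension list and the sample files are this example's own assumptions.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions that IIS hands to a script engine. A directory that exists to hold
# user uploads should contain only data files, so any of these landing there is
# worth examining on its own, whatever its timestamps say. (List is an assumption.)
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".asp", ".svc", ".cshtml"}

NS_PER_SECOND = 1_000_000_000


def to_ns(dt, extra_ns=0):
    """Convert an aware datetime to nanoseconds since the epoch."""
    return int(dt.timestamp()) * NS_PER_SECOND + extra_ns


# Assumed deployment date of the application: nothing legitimate in the upload
# directory can be older than this.
DEFAULT_BASELINE_NS = to_ns(datetime(2023, 1, 1, tzinfo=timezone.utc))


def file_findings(path, baseline_ns):
    """Return the reasons a single file looks planted or backdated (empty list = clean)."""
    st = path.stat()
    reasons = []
    if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
        reasons.append("server-executable file in upload directory")
    # Ordinary file writes leave a sub-second fraction on the modification time
    # (NTFS keeps 100 ns resolution). Tools that rewrite timestamps usually take a
    # whole-second value, so a fraction of exactly zero is a cheap timestomp indicator.
    if st.st_mtime_ns % NS_PER_SECOND == 0:
        reasons.append("mtime has zero sub-second precision (possible timestomping)")
    # Uploads can only arrive after the application went live, so a file whose
    # modification time predates the deployment baseline has been backdated.
    if st.st_mtime_ns < baseline_ns:
        reasons.append("mtime predates the deployment baseline")
    return reasons


def scan_upload_dir(root, baseline_ns):
    """Map file name -> reasons for every suspicious file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = file_findings(path, baseline_ns)
            if reasons:
                findings[path.name] = reasons
    return findings


def build_sample_dir():
    """Constructed fixture (not real incident data): one legitimate upload, one
    backdated web shell, and one data file whose timestamp was also rewritten."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    samples = {
        # Genuine upload: after the baseline, with a normal sub-second fraction.
        "photo.jpg": to_ns(datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc), 123_456_789),
        # Web shell stamped to look years older than the application itself.
        "report.aspx": to_ns(datetime(2019, 6, 1, tzinfo=timezone.utc)),
        # Harmless-looking file with a whole-second timestamp: flagged for review only.
        "notes.txt": to_ns(datetime(2024, 2, 1, tzinfo=timezone.utc)),
    }
    for name, mtime_ns in samples.items():
        target = root / name
        target.write_bytes(b"sample content")
        os.utime(target, ns=(mtime_ns, mtime_ns))
    return root


if __name__ == "__main__":
    for name, reasons in scan_upload_dir(build_sample_dir(), DEFAULT_BASELINE_NS).items():
        print(name, "->", "; ".join(reasons))
```

On a real IIS host, point `scan_upload_dir` at the application's upload path and set the baseline to the date the site was deployed; the zero-fraction check produces occasional false positives (files copied by tools that round timestamps), so treat it as a triage signal and confirm a hit by comparing the file's NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps, which most timestomping tools do not both rewrite.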
This framework exhibits capabilities rarely seen together: each deployment is uniquely generated, access is restricted to the attacker through cryptographic controls, and compromised servers automatically report back for centralized management at scale. These features suggest a high level of sophistication and operational security within the OP-512 group.
In the observed attack, OP-512 targeted a legacy IIS server running Windows Server 2016 with an outdated .NET Framework 4.0. Evidence indicates prior activity on the same host approximately 75 days before the main incident, involving DNS queries to a different attacker-controlled domain. The subsequent attack unfolded rapidly, with the attacker using the web server’s worker process to deploy one of the web shells into the application’s upload directory. This action triggered a self-reporting mechanism that transmitted the web shell’s location to an attacker-controlled domain via DNS query or HTTP request.
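The self-reporting step described above gives defenders a second detection point: a DNS query issued by the IIS worker process (w3wp.exe) for a name the application has no reason to resolve, with the web shell's location encoded in a subdomain label. The script below is an added example, not from the report, of hunting for that pattern in DNS query telemetry. The log format is a simplified key=value shape constructed for the example (a real deployment would read Sysmon Event ID 22 or Windows DNS client logs, whose field names differ), the allowlist of expected names is assumed, and the beacon domain uses the reserved `.invalid` top-level domain as a placeholder.

```python
import base64
import binascii
import re

# Constructed sample telemetry, not data from the report. One DNS query record per
# line; field names are this example's own.
SAMPLE_DNS_LOG = """\
ts=2024-03-05T10:02:11Z host=web01 image=C:\\Windows\\System32\\inetsrv\\w3wp.exe query=api.payments.example
ts=2024-03-05T10:02:13Z host=web01 image=C:\\Windows\\System32\\inetsrv\\w3wp.exe query=dXBsb2Fkcy9yZXBvcnQuYXNweA.beacon.example.invalid
ts=2024-03-05T10:02:14Z host=web01 image=C:\\Windows\\System32\\svchost.exe query=updates.example
ts=2024-03-05T10:03:01Z host=web01 image=C:\\Windows\\System32\\inetsrv\\w3wp.exe query=cdn.example
"""

# Assumed allowlist: the names this application's backend is known to resolve.
ALLOWED_FOR_WORKER = {"api.payments.example", "cdn.example"}

# IIS runs application code inside w3wp.exe, so its DNS traffic should be limited
# to the application's own dependencies.
IIS_WORKER = "w3wp.exe"

# A long label drawn only from the base64/base64url alphabet is the shape an
# encoded file path takes when smuggled into a hostname.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")


def parse_record(line):
    """Split 'key=value key=value ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def decode_label(label):
    """Try to read a label as unpadded base64/base64url; None if it is not printable text."""
    if not LABEL_RE.match(label):
        return None
    try:
        raw = base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hunt(log_text):
    """Return one finding per DNS query the IIS worker should not be making."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        image = rec["image"].rsplit("\\", 1)[-1].lower()
        if image != IIS_WORKER:
            continue
        query = rec["query"]  # keep original case: base64 is case-sensitive
        if query.lower() in ALLOWED_FOR_WORKER:
            continue
        reasons = ["IIS worker resolved a name outside its allowlist"]
        decoded = decode_label(query.split(".", 1)[0])
        if decoded is not None:
            reasons.append(f"leftmost label decodes to printable text: {decoded!r}")
        findings.append({"ts": rec["ts"], "query": query, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_DNS_LOG):
        print(finding["ts"], finding["query"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The allowlist check does the real work: a worker process that resolves an unexpected external name is worth a ticket even when the label does not decode, since the report notes the beacon may also travel over a plain HTTP request, which would show up in proxy or firewall logs as an outbound connection from the same process.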
The three web shells collectively provided the attacker with file management capabilities, authenticated command execution through two independent access paths, and automated reporting of the compromise. This multi-faceted approach underscores the threat actor’s ability to establish and maintain persistent access to targeted systems.
The emergence of OP-512 highlights the evolving landscape of cyber threats, particularly those targeting critical infrastructure components like IIS servers. Organizations are urged to implement robust security measures, including regular system updates, monitoring for unusual activity, and employing advanced threat detection solutions to mitigate the risks posed by such sophisticated adversaries.