Hackers Exploit Public ASP.NET Machine Keys to Compromise IIS Servers and Deploy Malicious Modules

In a recent cybersecurity incident, attackers have exploited publicly available ASP.NET machine keys to infiltrate Windows Internet Information Services (IIS) web servers. These machine keys, intended to secure web applications by encrypting and validating data, were found in public sources such as Microsoft documentation and online forums. This exposure has enabled threat actors to deceive servers into executing malicious code.

The group behind these attacks, identified as REF3927, has been observed installing a malicious module named TOLLBOOTH. This module is designed to hijack web traffic and generate revenue through fraudulent search engine rankings. The campaign is not entirely new; similar tactics were first detected by Microsoft in February 2025, with further details reported by AhnLab in April. Experts believe that the same Chinese-speaking hackers are targeting servers globally, affecting a wide range of organizations from small businesses to large enterprises, without specific targeting criteria.

Elastic Security Labs, in collaboration with the scanning firm Validin, identified over 570 compromised servers across various countries. Notably, none of these infected servers were located in China, suggesting that the attackers may be avoiding domestic targets to evade local law enforcement.

The Malicious TOLLBOOTH Tool

The attack sequence begins with the identification of IIS servers that have insecure configurations, particularly those using ASP.NET machine keys copied from public sources instead of generating unique keys. These machine keys are crucial for securing elements like ViewState, a mechanism that maintains the state of web pages between user interactions. When these keys are publicly accessible, attackers can craft malicious ViewState messages containing harmful code. By sending these messages through standard web requests, they can execute commands on the targeted server.

Upon gaining access, the attackers deploy a web shell derived from the Godzilla tool, specifically a variant known as Z-Godzilla_ekp. This web shell enables them to execute commands, extract passwords, and perform network reconnaissance while disguising their activities as normal web traffic. Attempts to create administrative accounts and utilize tools like Mimikatz to harvest additional credentials have been observed, although some of these efforts were thwarted by security measures such as those implemented by Elastic.

To maintain persistence and evade detection, the attackers have employed a modified rootkit based on an open-source project named Hidden. This rootkit conceals files, processes, and registry entries, making it challenging for traditional security tools to detect the malicious presence.

The primary objective of these intrusions is the deployment of TOLLBOOTH, a sophisticated IIS module that manipulates web content to deceive search engines. TOLLBOOTH serves keyword-rich pages to search engine crawlers like Googlebot, artificially boosting the search rankings of malicious sites. This technique, known as search engine optimization (SEO) poisoning, creates a network of compromised sites that link to each other, further inflating their rankings and driving traffic to fraudulent pages.

Additionally, TOLLBOOTH includes a built-in web shell for file uploads and command execution, along with debugging tools that allow attackers to monitor server health. The module retrieves its configuration from a command-and-control server located at c[.]cseo99.com, storing sensitive information in temporary directories on the compromised machine. In one instance, a team from Texas A&M University detected the intrusion early during managed detection services, preventing a full-scale compromise.

This campaign has impacted servers worldwide, excluding those in China, and has affected various industries, including finance and technology. The attackers employ automated scans to identify servers with weak machine keys, indicating a broad and opportunistic approach.

A significant challenge in mitigating these attacks is the recurrence of infections. Many organizations, after initial remediation efforts, failed to regenerate their machine keys, leaving their servers vulnerable to reinfection. To effectively address this threat, administrators are advised to generate new, unique machine keys within IIS, thoroughly remove any malware, and continuously monitor for unusual web traffic patterns or unauthorized modules.
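As an added example (not code from the article, Elastic, or Validin), the following Python audit covers both the weakness described above and the recommended fix: it checks the `<machineKey>` element of a web.config against a defender's list of keys known to be published, and generates fresh, unique replacement keys. The key values, the `KNOWN_PUBLIC_KEYS` list and the sample web.config are constructed placeholders, not real leaked keys.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder values standing in for machine keys that have been
# published in documentation or forums; they are NOT real leaked keys. A real
# audit would load the defender's own inventory of such keys.
KNOWN_PUBLIC_KEYS = {
    "0123456789ABCDEF" * 8,  # constructed 64-byte validationKey
    "FEDCBA9876543210" * 4,  # constructed 32-byte decryptionKey
}

# Constructed web.config showing the insecure pattern from the article:
# a static <machineKey> copied from a public source.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(v="0123456789ABCDEF" * 8, d="FEDCBA9876543210" * 4)

def audit_machine_key(web_config_xml, known_public_keys=KNOWN_PUBLIC_KEYS):
    """Return findings for the <machineKey> element of a web.config."""
    mk = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if mk is None:
        return []  # no static key: ASP.NET auto-generates one per server
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # auto-generated keys cannot be looked up in public sources
        if value.upper() in known_public_keys:
            findings.append(f"{attr} matches a publicly known key")
    return findings

def generate_machine_key():
    """Fresh, unique machineKey attributes from a CSPRNG (the remediation step)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }

def render_machine_key(keys):
    """Serialize generated attributes as a <machineKey> element for web.config."""
    return "<machineKey " + " ".join(f'{k}="{v}"' for k, v in keys.items()) + " />"

if __name__ == "__main__":
    print("findings:", audit_machine_key(SAMPLE_WEB_CONFIG))
    print(render_machine_key(generate_machine_key()))
```

Because a key that has ever been published cannot be made secret again, rotating to a freshly generated key on every remediated server (rather than only removing the malware) is what closes the reinfection path.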