BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

New Chinese Hacker Cluster Targets IIS with Custom Web Shells

Chinese-linked OP-512 deploys custom stealth web shell on IIS servers, complicating detection.

  • A new Chinese-linked threat cluster, OP-512, is deploying a sophisticated custom web shell framework on Microsoft IIS servers to conduct cyber espionage.
  • The group uses advanced techniques like timestomping to alter file timestamps and evade detection, making forensic analysis difficult.
  • This marks the fourth China-aligned group to specifically target IIS web servers in under a year, indicating a focused and ongoing campaign.
  • The bespoke framework is designed for stealth and centralized management, differing from the commodity tools used by similar threat actors.

Cybersecurity firm ReliaQuest has uncovered a previously unreported Chinese cyber espionage group, OP-512, actively targeting Microsoft Internet Information Services (IIS) web servers with a sophisticated custom framework, according to a report shared with The Hacker News. The group’s activities, assessed with moderate to high confidence to be linked to China, focus on intelligence gathering from organizations aligned with Beijing’ s priorities.

- Advertisement -

However, this group stands apart from known Chinese adversaries by using a uniquely generated web shell framework. This framework restricts access through cryptographic controls and employs techniques like timestomping to blend into its environment and complicate forensic timelines.

Consequently, the threat actor gains persistent remote access for file management and command execution. ReliaQuest detailed in its report that the web shells even include an automated self-reporting mechanism to notify the attackers upon successful deployment.

Meanwhile, this discovery highlights a worrying trend, as OP-512 is the fourth China-linked cluster to single out IIS servers in the past twelve months. Other groups like CL-STA-0048, DragonRank, and GhostRedirector have shown similar targeting, with recent campaigns like SHADOW-EARTH-053 also focusing on government and defense sectors in Asia.

The attackers in the observed incident targeted a legacy server running Windows Server 2016 and an end-of-life .NET Framework. After deployment, they attempted privilege escalation to the SYSTEM level using the Potato Suite to gain maximum control over the compromised host.

- Advertisement -

Therefore, defenders are warned that this purpose-built framework is designed to defeat detection methods effective against other clusters. “Organizations that have tuned their defenses to known actors are likely not covered here,” ReliaQuest cautioned.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

WordPress core hit by zero-click RCE bug, patch now live

WordPress patched a pre-authentication remote code execution flaw in versions 6.9.5 and 7.0.2 on...

ECB: Stablecoin growth puts European bank deposits at risk

ECB board member Piero Cipollone warned Friday that stablecoin growth could strip European banks...

Tesla Launches Megacharger Network with Bloomington Station

Tesla opened a new public Megacharger station in Bloomington, California, calling it the start...

Apple Overtakes Nvidia as World’s Most Valuable Public Company

Apple briefly surpassed NVIDIA as the world’s most valuable publicly traded company, hitting an...

Galaxy Digital buys naming rights to Texas Tech stadium in 15-year deal

Galaxy Digital signed a 15-year naming rights deal with Texas Tech, renaming the football...

Must Read

Sushiswap vs Uniswap, What are the differences between these dex?

It's no secret that the world of decentralized exchanges has exploded in recent years. Many of you are probably wondering what the difference is...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading