- A new Chinese-linked threat cluster, OP-512, is deploying a sophisticated custom web shell framework on Microsoft IIS servers to conduct cyber espionage.
- The group uses advanced techniques like timestomping to alter file timestamps and evade detection, making forensic analysis difficult.
- This marks the fourth China-aligned group to specifically target IIS web servers in under a year, indicating a focused and ongoing campaign.
- The bespoke framework is designed for stealth and centralized management, differing from the commodity tools used by similar threat actors.
Cybersecurity firm ReliaQuest has uncovered a previously unreported Chinese cyber espionage group, OP-512, actively targeting Microsoft Internet Information Services (IIS) web servers with a sophisticated custom framework, according to a report shared with The Hacker News. The group’s activities, assessed with moderate to high confidence to be linked to China, focus on intelligence gathering from organizations aligned with Beijing’s priorities.
The group stands apart from known Chinese adversaries by using a uniquely generated web shell framework. This framework restricts access through cryptographic controls and employs techniques like timestomping to blend into its environment and complicate forensic timelines.
Through these web shells the threat actor gains persistent remote access for file management and command execution. ReliaQuest detailed in its report that the web shells even include an automated self-reporting mechanism to notify the attackers upon successful deployment.
The discovery highlights a worrying trend, as OP-512 is the fourth China-linked cluster to single out IIS servers in the past twelve months. Other groups like CL-STA-0048, DragonRank, and GhostRedirector have shown similar targeting, with recent campaigns like SHADOW-EARTH-053 also focusing on government and defense sectors in Asia.
The attackers in the observed incident targeted a legacy server running Windows Server 2016 and an end-of-life version of the .NET Framework. After deploying the web shell, they attempted privilege escalation to the SYSTEM level using the Potato Suite to gain maximum control over the compromised host.
Defenders are warned that this purpose-built framework is designed to defeat detection methods effective against other clusters. “Organizations that have tuned their defenses to known actors are likely not covered here,” ReliaQuest cautioned.
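Because the report stresses that actor-specific tuning will not catch this framework, a defender can instead look for the generic artefacts that timestomping leaves behind. The following is an added example (not ReliaQuest's code or anything from the report): it runs three indicator checks over constructed file-metadata records and a constructed IIS W3C log excerpt, assuming the site root is C:\inetpub\wwwroot.

```python
"""Timestomping triage over an IIS webroot: added example, not the report's code. Inputs
are constructed; each check is an indicator worth following up, not proof of tampering."""
from datetime import datetime

WEBROOT = r"C:\inetpub\wwwroot"  # assumed site root
SAMPLE_FILES = [  # constructed: one benign file, two with tampered-looking timestamps
    {"path": WEBROOT + r"\default.aspx",
     "created": "2023-05-01T10:00:00.1234567", "modified": "2023-05-01T10:00:00.1234567"},
    {"path": WEBROOT + r"\help.aspx",  # backdated, fraction zeroed
     "created": "2023-05-01T10:00:00.0000000", "modified": "2023-05-01T10:00:00.0000000"},
    {"path": WEBROOT + r"\img.ashx",  # modified earlier than created
     "created": "2025-02-10T08:00:00.5550000", "modified": "2024-01-01T00:00:00.0000000"},
]
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem sc-status
2023-05-01 10:05:00 GET /default.aspx 200
2025-02-09 22:13:07 GET /help.aspx 404
2025-02-10 08:30:00 POST /help.aspx 200
2025-02-10 08:31:00 POST /img.ashx 200
"""  # constructed log excerpt

def parse_ts(s):  # 'YYYY-MM-DDTHH:MM:SS.fffffff'; Python keeps only 6 fraction digits
    base, _, frac = s.partition(".")
    return datetime.strptime(f"{base}.{(frac or '0')[:6]:0<6}", "%Y-%m-%dT%H:%M:%S.%f")

def is_whole_second(s):  # NTFS keeps 100ns precision; an all-zero fraction hints at SetFileTime tooling
    return int(s.partition(".")[2] or "0") == 0

def parse_iis_log(text):  # W3C extended log lines -> dicts keyed by the #Fields header
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def triage(files, log_rows):
    """Return {path: [reasons]} for files whose timestamps look tampered with."""
    findings = {}
    for f in files:
        created, modified = parse_ts(f["created"]), parse_ts(f["modified"])
        uri, reasons = f["path"][len(WEBROOT):].replace("\\", "/").lower(), []
        if modified < created:
            reasons.append("modified precedes creation")
        if is_whole_second(f["created"]) and is_whole_second(f["modified"]):
            reasons.append("whole-second timestamps")
        for row in log_rows:  # a 404 after the claimed creation time: the file was not there yet
            if row["cs-uri-stem"].lower() == uri and row["sc-status"] == "404":
                seen = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
                if seen > created:
                    reasons.append(f"404 logged at {seen} after claimed creation")
                    break
        if reasons:
            findings[f["path"]] = reasons
    return findings
```

On a live host the same checks apply to a forensic export of the webroot's $STANDARD_INFORMATION timestamps and the site's real W3C logs; the 404 cross-check is the strongest of the three because the web server's own log contradicts the file's claimed age.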
