New China-Linked Espionage Group OP-512 Targets IIS Servers with Advanced Web Shell Framework
A previously unknown China-linked threat cluster, dubbed **OP-512**, has been identified deploying a sophisticated custom web shell framework against **Microsoft Internet Information Services (IIS)** servers. Cybersecurity firm **ReliaQuest** assesses with moderate to high confidence that this group is engaged in espionage, targeting organizations aligned with Chinese intelligence priorities. The discovery highlights a persistent focus by China-aligned adversaries on **IIS** infrastructure.

Cybersecurity researchers at **ReliaQuest** have uncovered a new threat cluster, **OP-512** (the "OP" prefix stands for "opponent"), actively targeting **Microsoft Internet Information Services (IIS)** servers. The group is deploying a highly customized web shell framework in what is assessed to be an espionage campaign.
**ReliaQuest** has linked **OP-512** to China with moderate to high confidence, noting that the targets' sectors and geographies align with known Chinese intelligence objectives. This marks the fourth China-aligned threat group observed targeting **IIS** web servers in the past year alone.
### A Growing Trend: IIS as a Primary Target
**OP-512**'s emergence underscores a broader trend. Other China-linked adversaries, including **CL-STA-0048**, **DragonRank**, and **GhostRedirector**, have also focused on **IIS** servers. Last month, **Cisco Talos** revealed that multiple Chinese-speaking cybercrime groups are even sharing a variant of malware known as **BadIIS** to compromise these servers. Furthermore, **SHADOW-EARTH-053** has been observed targeting government and defense sectors across South, East, and Southeast Asia using **IIS** exploits.
### The Custom Web Shell Framework
Central to **OP-512**'s operations is a bespoke web shell framework comprising three distinct web shells. This framework provides attackers with remote access to compromised hosts while employing sophisticated techniques to evade detection and hinder forensic analysis.
One notable evasion technique is **timestomping** (**MITRE ATT&CK T1070.006**, Indicator Removal: Timestomp; older reports cite the retired ID **T1099**). The attackers manipulate the creation and modification timestamps of their web shell artifacts: the shell enumerates the surrounding files and sub-folders, calculates the median last-modified timestamp, and overwrites its own timestamps with that value. The shell therefore appears to have been present on the server for as long as its neighbours, breaking "newest file in the directory" triage and complicating forensic timelines.
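The median-timestamp trick is easy to reproduce, and reproducing it shows why it leaves a trace. The following Python script is an added example written for this article, not ReliaQuest's or OP-512's code: it plants a stand-in web shell in a constructed upload directory, stomps its timestamps to the neighbours' median exactly as described above, then runs a detection pass that flags any file whose mtime equals the median of all the other files. It assumes a POSIX host, so only atime/mtime are rewritten (`os.utime` cannot change a creation time there; the Windows creation-time half of the technique is assumed to use the same median logic).

```python
"""Timestomp-to-median: the technique described above, reproduced in a
throwaway directory, plus a detection heuristic that exploits its weakness.

Added example for illustration; it is not ReliaQuest's or OP-512's code.
Only atime/mtime are set because os.utime cannot change a creation time on
POSIX; on Windows the attacker also rewrites the creation time, which is
assumed to follow the same median logic.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def int_median(values: list[int]) -> int:
    """Median that stays an integer nanosecond count (no float rounding)."""
    if not values:
        raise ValueError("no neighbouring files to blend in with")
    s = sorted(values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) // 2


def neighbour_mtimes_ns(tree: Path, exclude: Path) -> list[int]:
    """mtimes of every file under tree, recursing into sub-folders,
    excluding the file the attacker is about to blend in."""
    return [p.stat().st_mtime_ns for p in tree.rglob("*")
            if p.is_file() and p.resolve() != exclude.resolve()]


def timestomp_to_median(target: Path) -> int:
    """Attacker side: set target's atime/mtime to the median mtime of the
    files around it so it no longer looks freshly dropped. Returns the
    value written."""
    median = int_median(neighbour_mtimes_ns(target.parent, target))
    os.utime(target, ns=(median, median))
    return median


def find_median_matches(tree: Path) -> list[Path]:
    """Defender side: flag any file whose mtime equals the median of all the
    other files' mtimes. With an even number of neighbours the median is an
    average that belongs to no real file, so only a stomped file lands on it;
    with an odd number the legitimate 'donor' file is flagged too, so treat
    the output as a triage list, not a verdict."""
    files = [p for p in tree.rglob("*") if p.is_file()]
    flagged = []
    for f in files:
        others = [p.stat().st_mtime_ns for p in files if p != f]
        if len(others) >= 2 and f.stat().st_mtime_ns == int_median(others):
            flagged.append(f)
    return flagged


def plant_demo_tree(root: Path) -> Path:
    """Constructed upload directory: four legitimate files whose mtimes are
    days apart (one in a sub-folder), then a stand-in web shell written now."""
    base = 1_700_000_000  # constructed epoch seconds
    legit = {"a.png": 0, "b.pdf": 2, "c.jpg": 4, "old/d.docx": 10}
    for name, days in legit.items():
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"legit")
        t = (base + days * 86400) * 10**9
        os.utime(p, ns=(t, t))
    shell = root / "shell.aspx"
    shell.write_text('<%@ Page Language="C#" %>')  # harmless stand-in payload
    return shell


def run_demo() -> dict:
    """Plant, stomp, detect; returns plain values so the outcome can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        shell = plant_demo_tree(root)
        median = timestomp_to_median(shell)
        return {
            "median_ns": median,
            "shell_mtime_ns": shell.stat().st_mtime_ns,
            "flagged": sorted(p.name for p in find_median_matches(root)),
        }


if __name__ == "__main__":
    print(run_demo())
```

With the four constructed neighbours the median is an average that matches no real file, so only `shell.aspx` is flagged. The heuristic is a cheap first pass; on NTFS the authoritative check is still to compare the `$STANDARD_INFORMATION` timestamps (the ones `SetFileTime`, and therefore `os.utime`, rewrites) against the `$FILE_NAME` timestamps in the MFT record, which that API does not touch.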

**ReliaQuest** highlights the framework's advanced capabilities: "This framework combines capabilities we rarely see together: each deployment is uniquely generated, access is restricted to the attacker through cryptographic controls, and compromised servers automatically report back for centralized management at scale."
### Attack Chain Details
In an attack observed by **ReliaQuest**, **OP-512** targeted a legacy **IIS** server running **Windows Server 2016** with an end-of-life **.NET Framework 4.0**. Evidence suggests prior reconnaissance activity approximately 75 days before the main incident, involving DNS queries to a different attacker-controlled domain.
The subsequent attack unfolded rapidly, described as a "sprint." The web shell was written into the application's upload directory by the IIS worker process itself (`w3wp.exe`), not by an interactive session, which is consistent with abuse of the web application's own upload functionality. Dropping the file triggered a self-reporting mechanism: the shell first attempts a DNS query and falls back to an HTTP request, in either case transmitting its own location on the server to an attacker-controlled domain.
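Because the shell reports in from inside `w3wp.exe`, DNS telemetry scoped to that process is a natural place to catch the self-reporting step. The script below is an added example, not ReliaQuest detection content: it runs a few heuristics over constructed records in a simplified `Image|QueryName` form (modelled on Sysmon Event ID 22, DNS query), flagging lookups where the IIS worker process resolves a name whose leftmost label looks like encoded data. The sample events, the allowlist, and the thresholds are all assumptions to tune locally; the encoding OP-512 actually uses is not described in the report.

```python
"""Flag DNS lookups by the IIS worker process whose leftmost label looks like
encoded data (a possible web shell self-report). Added example; the record
format, sample events, allowlist and thresholds are constructed assumptions."""
from __future__ import annotations

import math
from collections import Counter
from pathlib import PureWindowsPath

IIS_WORKER = "w3wp.exe"
HEX_CHARS = set("0123456789abcdef")
# Names this particular server is expected to resolve (constructed allowlist).
EXPECTED_DOMAINS = {"sql01.corp.example", "login.microsoftonline.com"}

# Constructed sample telemetry in "Image|QueryName" form.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\inetsrv\w3wp.exe|sql01.corp.example",
    r"C:\Windows\System32\inetsrv\w3wp.exe|login.microsoftonline.com",
    r"C:\Windows\System32\inetsrv\w3wp.exe|wpad.corp.example",
    # hex("uploads/x.aspx") carried as the leftmost label
    r"C:\Windows\System32\inetsrv\w3wp.exe|75706c6f6164732f782e61737078.cdn-sync.example",
    # base64url("uploads/x.aspx") without padding, same idea
    r"C:\Windows\System32\inetsrv\w3wp.exe|dXBsb2Fkcy94LmFzcHg.cdn-sync.example",
    # identical label from another process: outside this rule's scope
    r"C:\Windows\System32\svchost.exe|dXBsb2Fkcy94LmFzcHg.cdn-sync.example",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; English-looking labels sit well below 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_reasons(label: str) -> list[str]:
    """Why a single DNS label looks like it carries data, if it does."""
    reasons = []
    if len(label) >= 24:
        reasons.append(f"long label ({len(label)} chars)")
    if len(label) >= 16 and set(label) <= HEX_CHARS:
        reasons.append("hex-only label")
    ent = shannon_entropy(label)
    if len(label) >= 12 and ent >= 3.5:
        reasons.append(f"high entropy ({ent:.2f} bits/char)")
    return reasons


def classify_event(event: str) -> tuple[str, list[str]]:
    """Return (query, reasons). Empty reasons means not suspicious under
    this rule: wrong process, allowlisted name, or an ordinary-looking label."""
    image, query = event.split("|", 1)
    query = query.rstrip(".").lower()
    if PureWindowsPath(image).name.lower() != IIS_WORKER:
        return query, []
    if query in EXPECTED_DOMAINS:
        return query, []
    return query, label_reasons(query.split(".")[0])


def find_suspicious(events: list[str]) -> list[tuple[str, list[str]]]:
    """All events that trip at least one heuristic, in log order."""
    hits = []
    for ev in events:
        query, reasons = classify_event(ev)
        if reasons:
            hits.append((query, reasons))
    return hits


if __name__ == "__main__":
    for query, reasons in find_suspicious(SAMPLE_EVENTS):
        print(query, "->", "; ".join(reasons))
```

Only the two encoded labels from `w3wp.exe` are returned; `wpad.corp.example` shows that an unlisted name with an ordinary label does not fire on its own. In production, widen the process scope to children of `w3wp.exe` (command execution through the shell will spawn them), and pair this with a rule on outbound HTTP from the worker process to cover the fallback path.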
"Together, the three web shells gave the attacker file management, authenticated command execution through two independent access paths, and automated reporting of the compromise, all before anyone had time to respond," **ReliaQuest** researchers explained.
Following deployment, **OP-512** attempted to escalate from the application pool identity to `SYSTEM` using the **Potato Suite** of tools, which abuse the `SeImpersonatePrivilege` that IIS application pool accounts hold by default. They then ran commands such as `whoami /priv`, which lists the current token's privileges, to confirm the elevation had succeeded.
### Implications for Defenders
**ReliaQuest** warns that the consistent targeting of **IIS** servers by multiple China-linked groups is no coincidence. "Internet-facing **IIS** servers running legacy, unsupported software remain a preferred entry point across this threat ecosystem and show no signs of slowing down."
What makes **OP-512** particularly concerning is its unique tooling. Unlike other groups that might reuse commodity tools, **OP-512** employs a purpose-built framework designed to bypass detection methods effective against other clusters. Organizations that have optimized their defenses against known actors may find themselves vulnerable to **OP-512**'s novel approach.