ReliaQuest has documented OP-512, a China-linked espionage cluster targeting Microsoft IIS web servers with a bespoke web-shell framework - the fourth such group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS in the past year. The framework uses three web shells that grant remote access while evading signature detection and complicating forensics: each deployment is uniquely generated, access is cryptographically restricted to the attacker, and compromised servers auto-report to centralized management. To hide, the web shells timestomp - scanning surrounding files, computing the median last-modified time, and overwriting their own timestamps to match. ReliaQuest notes close tactical proximity to CL-STA-0048, suggesting a revamped toolset or shared development.