China-linked OP-512 hits Microsoft IIS servers with stealthy custom web shells

ReliaQuest has documented OP-512, a China-linked espionage cluster that targets Microsoft IIS web servers with a bespoke web-shell framework. It is the fourth group in the past year, after CL-STA-0048, DragonRank and GhostRedirector, to single out IIS. The framework consists of three web shells that grant remote access while evading signature detection and complicating forensics: each deployed shell is uniquely generated, so no two samples share a static signature; access is cryptographically restricted to the operator; and compromised servers report themselves to centralized attacker management infrastructure. To hide on disk, the shells timestomp: each scans the files around it, computes the median last-modified time, and overwrites its own timestamps with that value so it blends in with legitimate content. ReliaQuest notes close tactical overlap with CL-STA-0048, which suggests either a revamped toolset from that group or shared development.

Check
Hunt IIS web roots for script files (.aspx, .ashx, .asmx and similar) that your deployment pipeline did not publish, and for files whose last-modified time equals, to the tick, the median of the other files in the same directory: that is the fingerprint of OP-512's median-based timestomping. On NTFS, timestomping through the file API rewrites the $STANDARD_INFORMATION timestamps but not the $FILE_NAME timestamps held in the MFT, so comparing the two exposes the edit. Apply ReliaQuest's IoCs. Review IIS request logs for anomalous POSTs to script paths you do not recognise.
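The median-match hunt above, as an added example in Python (not ReliaQuest's tooling and not the actor's code). It models the behaviour the report describes: the shell sets its own mtime to the median mtime of its neighbours, so for every file we recompute the median over the other files in the directory and flag an exact match. The one-tick tolerance, the sample file listing and the batch-deploy false-positive case are constructed assumptions for the example.

```python
"""Hunt for files whose last-modified time sits at the median of their siblings.

Added example for the OP-512 timestomping behaviour described above; it is
not ReliaQuest's or the actor's code. Model: the shell reads the mtimes of
the files around it, takes the median, and writes that value to itself.
For each file we therefore recompute the median over the OTHER files in
the directory and flag an exact match, to within one NTFS tick.
"""
import os

# NTFS FILETIME resolution is 100 ns; an averaged median may be truncated
# to a tick, so allow one tick of slack (assumption, not from the report).
TICK_NS = 100


def doubled_median(values: list[int]) -> int:
    """Twice the median, in integers, so an even-count average never rounds."""
    ordered = sorted(values)
    n = len(ordered)
    mid = n // 2
    if n % 2:
        return 2 * ordered[mid]
    return ordered[mid - 1] + ordered[mid]


def median_matches(files: list[tuple[str, int]]) -> list[str]:
    """Return names whose mtime equals the median mtime of the other files.

    `files` holds (name, mtime_ns) pairs. With fewer than three files the
    test is meaningless (every file is 'at the median'), so return nothing.
    """
    if len(files) < 3:
        return []
    hits = []
    for name, mtime in files:
        others = [m for n, m in files if n != name]
        if abs(2 * mtime - doubled_median(others)) <= 2 * TICK_NS:
            hits.append(name)
    return hits


def scan_directory(path: str) -> list[str]:
    """Run the median test over one real directory (non-recursive)."""
    files = [(e.name, e.stat().st_mtime_ns) for e in os.scandir(path) if e.is_file()]
    return median_matches(files)


# Constructed sample: six legitimate files with distinct mtimes plus a
# shell whose mtime was set to their median ((day 5 + day 9) / 2 = day 7).
_DAY_NS = 86_400 * 10**9
_BASE_NS = 1_700_000_000 * 10**9
SAMPLE = [
    ("web.config", _BASE_NS + 1 * _DAY_NS),
    ("default.aspx", _BASE_NS + 2 * _DAY_NS),
    ("site.css", _BASE_NS + 5 * _DAY_NS),
    ("app.js", _BASE_NS + 9 * _DAY_NS),
    ("logo.png", _BASE_NS + 20 * _DAY_NS),
    ("robots.txt", _BASE_NS + 30 * _DAY_NS),
    ("shell.aspx", _BASE_NS + 7 * _DAY_NS),  # timestomped to the median
]

# Constructed false-positive case: a batch deploy gives every file the same
# mtime, so each one is at the median of the rest. Corroborate hits with a
# deployment manifest or MFT $FILE_NAME timestamps before acting on them.
BATCH_DEPLOY = [(f"page{i}.aspx", _BASE_NS) for i in range(5)]

if __name__ == "__main__":
    print("sample hits:", median_matches(SAMPLE))        # ['shell.aspx']
    print("batch hits: ", median_matches(BATCH_DEPLOY))  # all five files
```

Point `scan_directory` at each script directory under the web root rather than at the whole site at once: the actor's median is taken over the files surrounding the shell, so the comparison only holds within one directory. Treat a hit as a lead, not a verdict; a directory written in a single batch deploy will match on every file, which is why the check is paired with the $FILE_NAME comparison and the deployment record above.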
Affected
Internet-facing Microsoft IIS web servers, particularly at organizations that fall within China-linked intelligence collection priorities. Because each OP-512 shell is uniquely generated, cryptographically gated to the operator and timestomped to match its neighbours, both signature-based detection and filesystem timeline analysis underperform against it.
Fix
Patch and harden IIS, and restrict write access to web roots so that the application pool identity and any upload handlers cannot create or modify script files there. Deploy file-integrity monitoring that alerts on new or changed files in script directories and that flags timestomping (a modified-time that moves backwards, or changes without a corresponding content change). Hunt for the three-shell framework and for outbound callbacks to the centralized management infrastructure using ReliaQuest's indicators.