ReliaQuest has documented OP-512, a China-linked espionage cluster targeting Microsoft IIS web servers with a bespoke web-shell framework - the fourth such group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS in the past year. The framework uses three web shells that grant remote access while evading signature detection and complicating forensics: each deployment is uniquely generated, access is cryptographically restricted to the attacker, and compromised servers auto-report to centralized management. To hide, the web shells timestomp - scanning surrounding files, computing the median last-modified time, and overwriting their own timestamps to match. ReliaQuest notes close tactical proximity to CL-STA-0048, suggesting a revamped toolset or shared development.
Russian security firm Positive Technologies attributed an ongoing intrusion campaign to PhantomCore, a pro-Ukrainian group also tracked as Head Mare, Rainbow Hyena, and UNG0901. The group is chaining three TrueConf video-conferencing vulnerabilities (patched by the vendor August 27, 2025) to bypass authentication and run commands on TrueConf servers in Russian organizations. After break-in, they drop a PHP web shell, create a rogue user named 'TrueConf2' with admin rights on the conferencing server, and pivot into the wider network using tools including Velociraptor, Memprocfs, DumpIt, and custom backdoors MacTunnelRAT and PhantomSscp. First attacks observed mid-September 2025.
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files - including PHP web shells - without any authentication. Over 800,000 WordPress sites use Ninja Forms, and the File Uploads extension is one of its most popular premium add-ons. Successful exploitation gives an attacker full code execution on the web server. No user interaction required - just a crafted request to the file upload endpoint.