A sophisticated cyberattack campaign targeting Microsoft Internet Information Services (IIS) servers has emerged, exploiting decades-old security weaknesses to deploy malicious modules that enable remote command execution and SEO fraud.
The operation, which came to light in late August and early September 2025, leverages publicly exposed ASP.NET machine keys to compromise servers worldwide, affecting roughly 240 server IP addresses and 280 domains across sectors including government agencies, small businesses, and e-commerce platforms.
The attackers exploit a critical weakness in ASP.NET ViewState deserialization by using machine keys that have been publicly accessible since 2003.
These cryptographic secrets, originally published on a Microsoft Developer Community support page as configuration examples, were inadvertently adopted by numerous administrators who copied them verbatim into production environments.
Microsoft had previously identified over 3,000 such exposed machine keys in code repositories and programming forums, creating a substantial pool of vulnerable targets.
Once attackers obtain these keys, they can forge ViewState data that executes arbitrary code on targeted servers without requiring any additional credentials.
HarfangLab analysts identified the malicious module, designated HijackServer, during routine security monitoring of compromised IIS servers.
The infection chain shows considerable sophistication, beginning with initial exploitation via POST requests targeting ASP.NET applications.
Logs from compromised systems revealed several suspicious requests with Chinese language settings (zh-tw) hitting the root pages of vulnerable applications.
The attackers subsequently deployed a complete toolkit archived as sys-tw-v1.6.1-clean-log.zip, containing 32-bit and 64-bit variants of the malicious IIS modules, installation scripts, and a customized rootkit derived from the open-source Hidden project.
Figure: Google SEO results (Source: HarfangLab)
Following initial access, the threat actors used the privilege escalation techniques known as EfsPotato and DeadPotato to create hidden local administrator accounts.
They then installed two malicious DLL files, scripts.dll and caches.dll, as IIS modules named ScriptsModule and IsapiCachesModule respectively.
These modules run at the earliest processing stage of HTTP requests, intercepting traffic before legitimate applications can respond.
The installation process included creating a working directory at C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C and configuring the modules to download additional components from staging servers at c.cseo99[.]com and f.fseo99[.]com.
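Because a native IIS module registered this way loads into every worker process, the inventory of global modules in applicationHost.config is a high-value place to look. The script below is an added example, not HarfangLab's tooling: it flags any global module whose binary lives outside the inetsrv directory or whose name is not on a baseline. The applicationHost.config excerpt is constructed; the module names ScriptsModule and IsapiCachesModule are the ones the report describes, while the file paths and the baseline set are assumptions for the demo.

```python
"""Flag IIS global modules that do not belong.

Added example, not HarfangLab's tooling. The applicationHost.config excerpt
is constructed; ScriptsModule and IsapiCachesModule are the names from the
report, the paths are invented for the demo.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Native IIS modules ship from this directory; anything else deserves a look.
TRUSTED_MODULE_DIR = r"c:\windows\system32\inetsrv"

# Partial baseline of names IIS ships with (assumption: extend per server role).
BASELINE_MODULES = {
    "staticfilemodule", "defaultdocumentmodule", "directorylistingmodule",
    "anonymousauthenticationmodule", "requestfilteringmodule", "httploggingmodule",
}

# Constructed applicationHost.config excerpt.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="ScriptsModule" image="C:\Windows\Temp\_example_workdir\scripts.dll" />
      <add name="IsapiCachesModule" image="C:\inetpub\wwwroot\bin\caches.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def normalise_image(image: str) -> str:
    """Expand the environment variables IIS uses in image paths and lower-case the result."""
    expanded = image.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")
    return str(PureWindowsPath(expanded)).lower()


def audit_global_modules(xml_text: str) -> list[dict]:
    """Return one finding per suspicious <globalModules><add> entry."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall("./system.webServer/globalModules/add"):
        name = add.get("name", "")
        image = normalise_image(add.get("image", ""))
        reasons = []
        if not image.startswith(TRUSTED_MODULE_DIR + "\\"):
            reasons.append("binary outside inetsrv")
        if name.lower() not in BASELINE_MODULES:
            reasons.append("name not in baseline")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_APPHOST):
        print(f"{finding['name']}: {finding['image']} ({', '.join(finding['reasons'])})")
```

Run this against a copy of applicationHost.config taken from the host, and remember that a rootkit like the one described further down can hide the module files on disk while the configuration entries still reference them, so the configuration view and the file-system view should be compared.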
Persistence and Detection Evasion Through Rootkit Deployment
The attackers showed advanced operational security awareness by deploying a customized Windows kernel driver rootkit to conceal their presence.
The Wingtb.sys driver, a modified version of the publicly available Hidden rootkit, operates as a signed kernel component using an expired certificate from Anneng Digital Co. Ltd.
Despite the certificate's expiration in 2014, it remains loadable on modern Windows systems because of Microsoft's driver signing policy exceptions for certificates issued before July 2015.
The rootkit provides comprehensive hiding capabilities for files, registry keys, and processes, controlled through a companion command-line tool, WingtbCLI.exe, whose commands are Chinese transliterations.
The post-installation script lock.bat systematically conceals key artifacts, including the deployed IIS module files, the modified application configuration files, and the rootkit's registry service key.
Perhaps most notably, the script clears every Windows event log with the command: for /f "tokens=*" %%1 in ('wevtutil el') do wevtutil cl "%%1".
This noisy anti-forensics technique contradicts the otherwise stealthy approach of using a rootkit, possibly indicating operational security inconsistencies or the work of less experienced operators deploying pre-packaged tools.
The HijackServer module's primary purpose appears to be SEO fraud for cryptocurrency investment schemes.
When Google's web crawler requests pages from compromised servers, the module dynamically generates HTML content containing numerous links to dubious cryptocurrency websites.
These generated pages successfully appear in legitimate Google search results, demonstrating the effectiveness of the poisoning technique.
However, the module also exposes an unauthenticated remote command execution capability via the /scjg URL path, creating a persistent backdoor that any third party could exploit regardless of whether they coordinated with the original attackers.
This functionality turns what might look like financially motivated SEO fraud into a far more serious security compromise with potential espionage implications.
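Two of the indicators in this report are loud enough to hunt for directly: the /scjg backdoor path and the POST-to-root exploitation pattern show up in IIS access logs, and a wevtutil cl sweep like the one in lock.bat leaves "log cleared" events (Security 1102, System 104) in the very logs it empties. The triage helpers below are an added example, not HarfangLab's tooling. The W3C log lines and the event records are constructed; only the /scjg path comes from the report, and the scripts assume the log fields shown in the sample.

```python
"""Triage helpers for the HijackServer indicators: requests to the /scjg
backdoor path, POSTs to application roots, and the Windows "log cleared"
events a wevtutil cl sweep leaves behind.

Added example, not HarfangLab's tooling. The W3C log lines and event records
below are constructed; only the /scjg path comes from the report.
"""

# Constructed IIS W3C log excerpt (fields trimmed to what the demo needs).
# IIS does not log Accept-Language by default, so the zh-tw indicator from the
# report can only be matched if that header is added as a custom log field.
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-09-01 03:14:07 10.0.0.5 GET /default.aspx - 443 203.0.113.10 Mozilla/5.0 200
2025-09-01 03:14:09 10.0.0.5 POST / - 443 198.51.100.23 Mozilla/5.0 200
2025-09-01 03:15:41 10.0.0.5 GET /scjg - 443 198.51.100.23 curl/8.4 200
2025-09-01 03:16:02 10.0.0.5 GET /products.aspx - 443 203.0.113.11 Googlebot/2.1 200
"""

# Constructed Windows event records, shaped the way a SIEM export might look.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "time": "2025-09-01T03:10:00Z"},
    {"channel": "Security", "event_id": 1102, "time": "2025-09-01T03:20:11Z"},
    {"channel": "System", "event_id": 104, "time": "2025-09-01T03:20:12Z"},
]

BACKDOOR_PATH = "/scjg"  # from the report

# Security 1102 = "The audit log was cleared"; System 104 = "The System log file was cleared".
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}


def parse_w3c(text: str):
    """Yield one dict per request line, using the names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()  # IIS replaces spaces inside fields with '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def triage_requests(text: str) -> list[tuple[str, str]]:
    """Return (client IP, reason) for each request matching a HijackServer indicator."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if stem == BACKDOOR_PATH:
            hits.append((rec["c-ip"], "backdoor path requested"))
        elif rec["cs-method"] == "POST" and stem.endswith("/"):
            # Root of the site or of a sub-application; the report saw the
            # initial ViewState exploitation as POSTs to such root pages.
            hits.append((rec["c-ip"], "POST to application root"))
    return hits


def detect_log_clearing(events: list[dict]) -> list[dict]:
    """Return the events that record an event log being cleared."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED_EVENTS]


if __name__ == "__main__":
    for ip, reason in triage_requests(SAMPLE_W3C_LOG):
        print(f"{ip}: {reason}")
    for e in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{e['channel']} {e['event_id']} at {e['time']}: log cleared")
```

Because lock.bat clears the logs on the host itself, these checks are only reliable when IIS logs and Windows events are forwarded off the server before the attacker's script runs; the 1102 and 104 records survive in a central collector even after the local copies are gone.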