A recently uncovered threat group, suspected of links to China, has been attacking Internet Information Services (IIS) web servers with a purpose-built web shell framework. Known as OP-512, the group stands out for deploying tooling that slips past the detection methods that normally catch similar state-affiliated actors. The discovery fits an ongoing trend of state-sponsored espionage against outdated, internet-facing server infrastructure.
OP-512’s Strategic Approach
What sets OP-512 apart is its patience. Investigators found that the attackers first accessed the targeted server 75 days before the main breach. Rather than acting at once, they went quiet, then came back and ran their full toolset within hours, a pattern commonly seen in state-sponsored operations.
ReliaQuest analysts identified the new cluster through their Agentic AI system, which correlated seemingly unrelated suspicious events into a single high-priority incident. Follow-up analysis confirmed the findings, and the targeted organization's sector and location align with Chinese intelligence collection interests, supporting the assessment that OP-512 is China-linked.
Innovative Web Shell Framework
At the core of OP-512's operation is a custom web shell framework made up of three malicious files that together grant remote access through a web browser. Each deployment is generated with its own keys, so every installation carries a distinct file fingerprint and a signature written for one sample will not match the next; hash- or pattern-based detection alone is therefore unreliable against it.
The compromised server was running on Windows Server 2016 with an outdated .NET Framework, a recurring target for China-linked clusters. OP-512 is the fourth such group documented targeting legacy IIS servers, emphasizing the vulnerability of outdated, internet-facing systems to espionage.
Methods of Exploitation and Persistence
Once in, OP-512 moved quickly to establish control. The IIS worker process (w3wp.exe) wrote the first web shell into an upload directory: a .aspx file manager with a built-in command-and-control notification channel. Within seconds the shell encoded its own URL and sent it out through both a DNS query and an HTTP request to a fallback server tied to known infrastructure.
Two additional .ashx command handler files were dropped into the same directory, each bound to a different cryptographic key, so that recovering the key for one handler does not grant access through the other. The result is a set of web shells that are each unique and self-reporting, letting the attackers keep track of their footholds without actively touching them.
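The two behaviours described above, a script file written by the worker process and a DNS query carrying the shell's encoded URL, are both visible in host telemetry. The following PowerShell is an added example for hunting them; it is not code from the report and not part of OP-512's framework. It assumes Sysmon is installed with FileCreate (event ID 11) and DnsQuery (event ID 22) logging enabled, and the query names in $SampleQueries are constructed for an offline dry run.

```powershell
# Added example, not code from the report or from OP-512's framework.
# Assumes Sysmon with FileCreate (ID 11) and DnsQuery (ID 22) enabled.
# $SampleQueries is constructed data for an offline dry run.

function Test-EncodedLabel {
    # Returns the decoded text when $Label is hex or (url-safe) base64 that decodes
    # to a URL or a script path; otherwise $null.
    param([AllowEmptyString()][string]$Label)
    $candidates = @()
    if ($Label.Length -ge 16 -and $Label.Length % 2 -eq 0 -and $Label -match '^[0-9a-fA-F]+$') {
        $bytes = [byte[]]::new([int]($Label.Length / 2))
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($Label.Substring(2 * $i, 2), 16)
        }
        $candidates += [Text.Encoding]::ASCII.GetString($bytes)
    }
    if ($Label.Length -ge 12 -and $Label -match '^[A-Za-z0-9+/_-]+$') {
        $b64 = $Label.Replace('-', '+').Replace('_', '/')
        $b64 += '=' * ((4 - $b64.Length % 4) % 4)   # DNS labels cannot carry '=' padding
        try { $candidates += [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b64)) } catch { }
    }
    foreach ($c in $candidates) {
        if ($c -match '^https?://' -or $c -match '\.as[hp]x') { return $c }
    }
    return $null
}

function Get-SelfReportingQuery {
    # Checks every label of a query name, then the whole subdomain joined together,
    # since a payload longer than 63 bytes has to be split across labels.
    param([Parameter(Mandatory)][string]$QueryName)
    $labels = $QueryName.TrimEnd('.').Split('.')
    $tries = @($labels)
    if ($labels.Count -gt 2) { $tries += ($labels[0..($labels.Count - 3)] -join '') }
    foreach ($t in $tries) {
        $decoded = Test-EncodedLabel -Label $t
        if ($decoded) { return $decoded }
    }
    return $null
}

function Get-SysmonEventData {
    # Flattens a Sysmon event's <EventData> into a hashtable keyed by field name.
    param([Parameter(Mandatory)]$Event)
    $d = @{}
    foreach ($item in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    return $d
}

function Find-WorkerProcessBeacon {
    # ID 11: script files written by w3wp.exe (the drop). ID 22: names w3wp.exe resolved
    # (the self-report); the worker process has little reason to resolve arbitrary names.
    $log = 'Microsoft-Windows-Sysmon/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11 } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData $_ } |
        Where-Object { $_.Image -like '*\w3wp.exe' -and $_.TargetFilename -match '\.(aspx|ashx|asmx|config)$' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'FileCreate'; Time = $_.UtcTime; Detail = $_.TargetFilename; Decoded = $null } }
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 22 } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData $_ } |
        Where-Object { $_.Image -like '*\w3wp.exe' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'DnsQuery'; Time = $_.UtcTime; Detail = $_.QueryName; Decoded = Get-SelfReportingQuery $_.QueryName } }
}

# Offline dry run on constructed names: the first carries hex("http://www.example/up/m.aspx").
$SampleQueries = @(
    '687474703a2f2f7777772e6578616d706c652f75702f6d2e61737078.c2.example.net',
    'time.windows.com'
)
foreach ($q in $SampleQueries) { '{0} -> {1}' -f $q, (Get-SelfReportingQuery $q) }

# Live hunt (needs Sysmon):
# Find-WorkerProcessBeacon | Format-Table -AutoSize
```

Any DNS query from w3wp.exe is worth a look on its own; the decoder only ranks the hits. The same decoder applies to the HTTP leg of the report if you feed it the path segments or query-string values from the outbound request, for example from a proxy log.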
To complicate detection further, OP-512 timestomped its files, rewriting their timestamps so they looked like long-standing content: files planted in 2026 appeared to have existed since 2022. This undermines standard forensic timelining, which leans on file creation and modification times to scope an intrusion.
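Timestomped files can still be picked out with a few cheap consistency checks. The PowerShell below is an added example, not code from the report; the content root, the extension list and the $NotBefore date are assumptions to adjust for the host.

```powershell
# Added example, not code from the report. Heuristics for timestomped files under
# an IIS content root; $Root, the extension list and $NotBefore are assumptions.

function Find-TimestompCandidate {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Nothing on this host can legitimately predate its OS install. 2016-10-12 is the
        # Windows Server 2016 GA date; replace it with the real install date from systeminfo.
        [datetime]$NotBefore = [datetime]'2016-10-12'
    )
    Get-ChildItem -Path $Root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.dll, *.config -ErrorAction SilentlyContinue |
    ForEach-Object {
        $reasons = @()
        $parentCreated = (Get-Item -LiteralPath $_.DirectoryName).CreationTimeUtc
        # 1. NTFS keeps 100 ns ticks; tools that set a human-readable date usually leave
        #    the sub-second part at zero on every stamp they touch.
        foreach ($stamp in 'CreationTimeUtc', 'LastWriteTimeUtc') {
            if (($_.$stamp).Ticks % 10000000 -eq 0) { $reasons += "$stamp has a zero sub-second part" }
        }
        # 2. A file cannot be created before the directory it sits in (unless it was moved in).
        if ($_.CreationTimeUtc -lt $parentCreated) { $reasons += 'created before its parent directory' }
        # 3. Dates before the OS existed on this host.
        if ($_.CreationTimeUtc -lt $NotBefore -or $_.LastWriteTimeUtc -lt $NotBefore) { $reasons += 'predates OS install' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Usage, for example on the content root (which contains the upload directory):
# Find-TimestompCandidate -Root 'C:\inetpub\wwwroot' | Format-Table -AutoSize
```

These are triage heuristics, not proof: files copied off FAT media or extracted from a zip also carry zero sub-seconds, and the parent-directory check misses files moved in. The authoritative check compares the $STANDARD_INFORMATION timestamps (the ones Explorer and PowerShell show, and the ones timestomping rewrites) against the $FILE_NAME timestamps in the MFT record, which needs a raw MFT parser. The USN journal and the first request for the file in the IIS logs also record the real drop and activation times.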
With the web shells in place, OP-512 loaded four exploitation toolkits directly into the worker process's memory, leaving nothing on disk. When endpoint protection killed the malicious worker process, IIS simply spawned a new one and the intrusion carried on. This is a critical gap: terminating a process without isolating the host only delays the attack.
Recommendations for Defense
Security experts advise decommissioning or isolating internet-facing servers running unsupported .NET Framework versions immediately. Organizations should also disable script execution in upload directories, monitor for unexpected file creation in ASP.NET compilation directories, and deploy web application firewall rules. Do not close an incident until the initial entry point has been identified and fixed; removing the web shells alone does not address the underlying problem.
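The three host-side recommendations, plus the containment lesson from the restarted worker process, map onto a short IIS script. This PowerShell is an added example and not from the report; the site name, upload folder and application pool name are assumptions, and it requires the WebAdministration module on an IIS 7 or later host.

```powershell
# Added example, not from the report. Site, upload folder and app pool names are
# assumptions; needs the WebAdministration module on an IIS 7 or later host.
Import-Module WebAdministration

$Site      = 'Default Web Site'
$UploadDir = 'uploads'         # virtual path of the user-writable directory under the site
$Pool      = 'DefaultAppPool'

# 1. No script execution in the upload directory: handlers get Read-only feature
#    permission there, which is what IIS Manager's Edit Feature Permissions writes
#    as a <location> entry in applicationHost.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$UploadDir" `
    -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read'

# 2. Defense in depth: request filtering refuses script extensions under that path even
#    if a handler mapping is re-enabled later. (Re-running this errors on duplicates.)
foreach ($ext in '.aspx', '.ashx', '.asmx', '.asp', '.config') {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$UploadDir" `
        -Filter 'system.webServer/security/requestFiltering/fileExtensions' `
        -Name '.' -Value @{ fileExtension = $ext; allowed = 'false' }
}

# 3. Compilation directories: any .aspx/.ashx that was requested gets compiled into
#    Temporary ASP.NET Files, so recent entries there mean new page code ran, whatever
#    timestamps the source file carries. Covers both bitnesses and every framework version.
function Get-RecentAspNetCompilation {
    param([int]$Days = 7)
    $cutoff = [datetime]::UtcNow.AddDays(-$Days)
    Get-Item -Path "$env:WINDIR\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files" -ErrorAction SilentlyContinue |
        Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -gt $cutoff } |
        Select-Object FullName, CreationTimeUtc
}

# 4. Containment: take the application pool down and keep it down instead of killing
#    w3wp.exe, which the Windows Process Activation Service restarts on the next request.
function Stop-CompromisedAppPool {
    param([Parameter(Mandatory)][string]$Name)
    Stop-WebAppPool -Name $Name
    Set-ItemProperty -Path "IIS:\AppPools\$Name" -Name autoStart -Value $false
}

Get-RecentAspNetCompilation | Format-Table -AutoSize
# Stop-CompromisedAppPool -Name $Pool    # run during response, not as part of routine hardening
```

Stopping the pool halts the shells and the in-memory toolkits that live inside the worker process, but it is a stopgap: the host still needs to be isolated and imaged, and the entry point found, before the pool is brought back.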
