Key Point: OP-512 is the fourth China-linked group in 12 months to attack IIS servers, employing three proprietary web shells with cryptographic controls and automated callback functionality.
Cybersecurity firm ReliaQuest has identified the espionage group OP-512, which is deliberately targeting Microsoft IIS web servers and deploying a custom web shell framework with timestomping capabilities. The attackers are attributed with high confidence to Chinese intelligence services.
ReliaQuest attributes the espionage activities of group OP-512 with medium to high confidence to state-sponsored Chinese actors. The company documented that OP-512 compromised an IIS web server at an organization whose sector and geographic location align with known Chinese intelligence targets. OP-512 is the fourth known espionage group with a suspected China nexus within twelve months that deliberately targets IIS infrastructure — alongside the clusters CL-STA-0048, DragonRank, and GhostRedirector.
The centerpiece of the operations is a proprietary malware framework consisting of three specific web shells that grant the attackers persistent remote access to compromised systems. To evade signature-based detection and hinder forensic analysis, OP-512 employs timestomping: the malware scans all files and subfolders at the deployment location, calculates the median of their last-modification timestamps, and overwrites its own timestamps with that value. ReliaQuest observed that each deployment of the framework is uniquely generated, that access is restricted to the attackers through cryptographic controls, and that compromised servers automatically register with a centralized management infrastructure.
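The median-based timestomping described above leaves a detectable footprint from the defender's side: a file that was absent from the previous directory inventory but now carries a last-write time older than that inventory run cannot have been written when it claims, and a new file whose mtime lands exactly on the median of the pre-existing files matches the blending tactic. The following Python is an added example, not code from ReliaQuest or the article; the inventory paths, timestamps and the list of executable IIS extensions are constructed sample data and assumptions.

```python
"""Flag candidate timestomped files in an IIS upload directory (added example).

Two cheap checks against consecutive directory inventories:
  1. a file absent from the previous inventory but with an mtime older than that
     inventory run cannot have been written when its timestamp claims;
  2. a new file whose mtime lands on the median of the files that were already
     present matches the "median of the neighbours" blending tactic.
All paths, timestamps and the extension list below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List

# Server-side script types IIS will execute (assumption; tune to the application).
EXEC_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: datetime  # last-write time as reported by the filesystem


def median_datetime(values: List[datetime]) -> datetime:
    """Median of datetimes; midpoint of the two central values for even counts."""
    if not values:
        raise ValueError("no timestamps")
    ordered = sorted(values)
    n = len(ordered)
    mid = n // 2
    if n % 2:
        return ordered[mid]
    low, high = ordered[mid - 1], ordered[mid]
    return low + (high - low) / 2


def find_timestomp_candidates(
    previous: Dict[str, datetime],
    previous_run: datetime,
    current: List[FileRecord],
    tolerance: timedelta = timedelta(hours=1),
) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for files new since the last inventory that merit review."""
    baseline_median = median_datetime(list(previous.values())) if previous else None
    findings: Dict[str, List[str]] = {}
    for rec in current:
        if rec.path in previous:
            continue  # known file; a changed mtime on a known file is a separate check
        reasons = []
        if rec.mtime < previous_run:
            reasons.append("new since last inventory but mtime predates that run")
        if baseline_median is not None and abs(rec.mtime - baseline_median) <= tolerance:
            reasons.append("mtime sits on the median of pre-existing files")
        if PureWindowsPath(rec.path).suffix.lower() in EXEC_EXTENSIONS:
            reasons.append("server-side script in an upload directory")
        if reasons:
            findings[rec.path] = reasons
    return findings


def sample_scan() -> Dict[str, List[str]]:
    """Constructed inventories of an upload directory (sample data, not real telemetry)."""
    previous_run = datetime(2026, 6, 1, 2, 0)
    previous = {
        r"uploads\a.jpg": datetime(2025, 12, 10, 9, 0),
        r"uploads\b.pdf": datetime(2026, 1, 15, 9, 0),
        r"uploads\c.png": datetime(2026, 3, 2, 9, 0),
        r"uploads\d.docx": datetime(2026, 4, 20, 9, 0),
    }
    # Today's listing: the four known files, one legitimate upload made after the
    # previous run, and a planted script whose mtime equals the median of the four
    # pre-existing files (midpoint of b.pdf and c.png = 2026-02-07 09:00).
    current = [FileRecord(p, t) for p, t in previous.items()] + [
        FileRecord(r"uploads\photo.jpg", datetime(2026, 6, 1, 14, 0)),
        FileRecord(r"uploads\invoice.aspx", datetime(2026, 2, 7, 9, 0)),
    ]
    return find_timestomp_candidates(previous, previous_run, current)


if __name__ == "__main__":
    for path, reasons in sample_scan().items():
        print(path, "->", "; ".join(reasons))
```

In the sample, only the planted invoice.aspx is reported, with all three reasons; the legitimate photo.jpg uploaded after the previous run produces no finding. The first check is the robust one: it needs only an inventory timestamp and works regardless of how the malware picks its value. The median check is an approximation, since the neighbours the malware sampled at deployment may differ from the previous inventory, so it is best treated as a corroborating signal.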
In a documented attack, the group targeted an outdated IIS server running Windows Server 2016 with the no-longer-supported .NET Framework 4.0. The attackers leveraged the legitimate IIS worker process w3wp.exe to place a web shell in the application's upload directory. Immediately thereafter, an automated callback mechanism transmitted the exact path of the web shell via DNS query or HTTP request to a server controlled by OP-512 — before defenders could respond.
The three web shells of the framework collectively provided the attacker with file management capabilities, authenticated command execution via two independent access paths, and automated callback reporting. Following successful placement, OP-512 attempted to escalate privileges to SYSTEM level using the so-called Potato Suite, an outcome the attackers then checked with the whoami /priv command.
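The attack chain in the two paragraphs above (command execution through w3wp.exe, then a privilege check with whoami /priv after escalation to SYSTEM) is visible in process-creation telemetry: an IIS worker process normally runs as an application-pool identity and does not spawn shells, so any shell or reconnaissance binary with w3wp.exe in its ancestry, and especially a descendant running as SYSTEM while the worker does not, deserves an alert. The following Python is an added example, not code from the article or from ReliaQuest; the events are constructed Sysmon-style process-creation records with made-up GUIDs and account names, and the binary list is an assumption to tune per environment.

```python
"""Flag shells, privilege enumeration and SYSTEM-level descendants under the IIS
worker process w3wp.exe (added example).

Events are constructed Sysmon-style process-creation records, not telemetry from
the incident described in the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Binaries that an IIS worker process has no business spawning (assumption; tune per app).
SHELLS_AND_RECON = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe"}
SYSTEM_ACCOUNT = "nt authority\\system"


@dataclass(frozen=True)
class ProcEvent:
    guid: str                  # process GUID (constructed)
    parent_guid: Optional[str]  # parent process GUID, None for roots
    image: str                 # full path of the executable
    command_line: str
    user: str                  # account the process runs as


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def w3wp_ancestor(ev: ProcEvent, by_guid: Dict[str, ProcEvent]) -> Optional[ProcEvent]:
    """Walk the parent chain and return the nearest w3wp.exe ancestor, if any."""
    seen = set()
    cur = by_guid.get(ev.parent_guid) if ev.parent_guid else None
    while cur is not None and cur.guid not in seen:  # guard against cyclic data
        seen.add(cur.guid)
        if _basename(cur.image) == "w3wp.exe":
            return cur
        cur = by_guid.get(cur.parent_guid) if cur.parent_guid else None
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (guid, reason) pairs for every suspicious descendant of w3wp.exe."""
    by_guid = {e.guid: e for e in events}
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        name = _basename(ev.image)
        if name == "w3wp.exe":
            continue
        worker = w3wp_ancestor(ev, by_guid)
        if worker is None:
            continue  # no IIS worker in the ancestry: ordinary admin activity
        if name in SHELLS_AND_RECON:
            alerts.append((ev.guid, "shell or recon binary spawned under IIS worker process"))
        if name == "whoami.exe" and "/priv" in ev.command_line.lower():
            alerts.append((ev.guid, "privilege enumeration (whoami /priv) under IIS worker process"))
        if ev.user.lower() == SYSTEM_ACCOUNT and worker.user.lower() != SYSTEM_ACCOUNT:
            alerts.append((ev.guid, f"runs as SYSTEM while worker runs as {worker.user}"))
    return alerts


def sample_events() -> List[ProcEvent]:
    """Constructed process tree: IIS worker, shells under it, and an unrelated admin session."""
    pool = "IIS APPPOOL\\DefaultAppPool"
    sys32 = "C:\\Windows\\System32\\"
    return [
        ProcEvent("p1", None, sys32 + "svchost.exe", "svchost.exe -k iissvcs", "NT AUTHORITY\\SYSTEM"),
        ProcEvent("p2", "p1", sys32 + "inetsrv\\w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"', pool),
        # Command execution through the web shell, still as the pool identity.
        ProcEvent("p3", "p2", sys32 + "cmd.exe", "cmd.exe /c whoami /priv", pool),
        ProcEvent("p4", "p3", sys32 + "whoami.exe", "whoami /priv", pool),
        # Descendant that now runs as SYSTEM: the escalation outcome the article describes.
        ProcEvent("p5", "p2", sys32 + "cmd.exe", "cmd.exe /c whoami /priv", "NT AUTHORITY\\SYSTEM"),
        ProcEvent("p6", "p5", sys32 + "whoami.exe", "whoami /priv", "NT AUTHORITY\\SYSTEM"),
        # Benign: an administrator checking privileges from an interactive session.
        ProcEvent("p7", None, "C:\\Windows\\explorer.exe", "explorer.exe", "CORP\\admin"),
        ProcEvent("p8", "p7", sys32 + "cmd.exe", "cmd.exe", "CORP\\admin"),
        ProcEvent("p9", "p8", sys32 + "whoami.exe", "whoami /priv", "CORP\\admin"),
    ]


if __name__ == "__main__":
    for guid, reason in detect(sample_events()):
        print(guid, reason)
```

On the sample tree the detector raises alerts for p3 through p6 and nothing for the administrator's whoami /priv, because the ancestry walk, not the command line alone, decides what is suspicious. The SYSTEM-versus-pool-identity comparison is the signal for the escalation step itself and does not depend on recognizing any particular escalation tool.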
Source: www.it-daily.net · Published 17 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.