A sophisticated three-part web shell framework, linked to Chinese threat actors and tracked as OP-512, is actively compromising Internet Information Services (IIS) servers, according to research published by ReliaQuest on June 5, 2026. The custom malware suite marks a significant escalation in the targeting of Windows-based web infrastructure, granting attackers persistent remote access, lateral movement capabilities, and the ability to harvest credentials from enterprise environments.
ReliaQuest’s threat intelligence team uncovered the campaign after responding to multiple intrusions at North American and European organizations in the technology, manufacturing, and government sectors. The attacks exploited servers running Windows Server 2016 and later versions with poorly secured IIS deployments, often leveraging known vulnerabilities in publicly exposed web applications to deploy the initial web shell. Once established, the modular framework allowed operators to blend into legitimate IIS traffic, making detection with traditional network monitoring difficult.
Anatomy of the Three-Part Web Shell
The OP-512 framework stands out for its multi-component architecture, a design that separates command-and-control (C2) logic, execution, and stealth into distinct modules. This segmentation not only complicates analysis but also enables attackers to update or replace individual pieces without disturbing active implants.
The first component is a lightweight stager, typically a single ASPX file uploaded to a compromised IIS directory. Written in C# and heavily obfuscated with base64 encoding and custom XOR routines, the stager reaches out to a hardcoded C2 domain to fetch the second-stage payload—a fully capable command shell. This stager validates its environment by checking for the presence of PowerShell, wscript, and common antivirus processes before proceeding, self-terminating if analysis tools are detected.
The second stage, the core web shell, provides an interactive command interface accessible through HTTP GET and POST requests. It supports a wide range of operations: file upload/download, directory traversal, process listing, and registry manipulation. Unlike simpler web shells, the OP-512 core uses forged “X-Forwarded-For” headers and cookie-based authentication tokens to restrict access solely to the operators, locking out scanners and rival attackers. The shell also proxies native Windows commands through cmd.exe and PowerShell, leveraging living-off-the-land binaries to avoid triggering endpoint security.
The third piece is a post-exploitation agent written in .NET that persists through scheduled tasks and WMI event subscriptions. It collects system metadata, cached credentials from LSASS, and browser-stored passwords, then exfiltrates them over DNS or HTTPS tunnels. The modular design means that if the primary web shell is discovered, the persistence agent can still maintain foothold and even redeploy the stager from a backup inline script embedded in an IIS module.
China Nexus and Attribution Clues
ReliaQuest attributes OP-512 with moderate confidence to a previously unidentified China-based threat group, based on overlapping tactics, techniques, and procedures (TTPs) with known clusters like APT41 and the smaller-scale Hafnium. Several indicators point to a Chinese nexus:
- The C2 infrastructure relies on domains registered with Chinese registrars and name servers, and command timing aligns with the UTC+8 workday.
- Debug strings in the malware contain simplified Chinese characters in error messages and function comments.
- Target selection mirrors Chinese intelligence collection priorities—intellectual property, supply chain data, and government network access.
- The three-part web shell pattern resembles “China Chopper” and the more recent “Godzilla” variants but adds the persistence agent and sophisticated anti-forensic features.
Unlike high-profile ransomware groups, OP-512’s operators appear focused on espionage and credential theft, maintaining long-term access without immediate data encryption or extortion. The use of custom tooling rather than commodity malware suggests a well-resourced group, possibly a contractor for the Chinese Ministry of State Security or the People’s Liberation Army.
Real-World Impact on Windows Server Administrators
For organizations running IIS, the OP-512 campaign is a stark reminder that web servers remain prime targets. The framework exploits common configuration weaknesses: default application pools running with excessive privileges, unpatched IIS extensions, and insufficient input validation on file upload forms. In one documented incident, attackers used a SQL injection flaw in an outdated SharePoint web part to write the initial stager to disk, then escalated to full domain control within 48 hours.
“What makes this particularly dangerous is how well the tooling mimics legitimate IIS traffic,” said Michael Pedrick, VP of Threat Intelligence at ReliaQuest, in the report. “The web shell uses standard HTTP methods and cookie values that blend right in. Many organizations wouldn’t even flag it unless they’re doing deep packet inspection or have specialized web application firewalls.”
The credential scraping capabilities threaten the entire Windows domain, because harvested LSASS memory can yield plaintext passwords, Kerberos tickets, and NTLM hashes for lateral movement. Once attackers possess Domain Admin credentials, they can compromise Exchange, SQL servers, and cloud sync tools—turning a single web server breach into a full network catastrophe.
Detection and Mitigation Strategies
Defenders should act on multiple fronts to counter OP-512 and similar threats. Because the initial access vector is often a web application vulnerability, rigorous patch management is non-negotiable. Prioritize patches for IIS extensions like .NET remoting, WebDAV, and the recently exploited HTTP Protocol Stack (CVE-2025-xxxx) that could allow remote code execution without authentication.
File System Monitoring
Monitor IIS directories—especially C:\inetpub\wwwroot and custom application paths—for new or modified files. The OP-512 stager typically appears as an ASPX file with names resembling existing legitimate files (e.g., web.config.aspx or Global.asax.resx). Use file integrity monitoring to spot anomalies and set up tripwires on any write operations to these folders. Any ASPX file containing a large base64 blob or obfuscated JavaScript should be investigated immediately.
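An added Python scanner, not code from the ReliaQuest report, that applies the two file-level indicators just described to a constructed mini web root: server-side script files carrying a long base64 run, and names that mimic legitimate non-script files such as web.config.aspx or Global.asax.resx. The size threshold and the name pattern are assumptions for illustration.

```python
import os, re, tempfile

# Thresholds and patterns here are illustration assumptions, not indicators from the report
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")                 # one long base64 run
MIMIC_NAME = re.compile(r"\.(config|asax|ascx|xml)\.\w+$", re.I)  # web.config.aspx, Global.asax.resx
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

def scan_file(path):
    # Reasons a file under the web root matches the stager description; empty list if clean
    reasons = []
    name = os.path.basename(path)
    if MIMIC_NAME.search(name):
        reasons.append("name mimics a legitimate non-script file")
    if name.lower().endswith(SCRIPT_EXTS):
        with open(path, encoding="utf-8", errors="ignore") as f:
            if B64_RUN.search(f.read()):
                reasons.append("large base64 blob in server-side script")
    return reasons

def scan_root(root):
    # Walk an IIS web root (e.g. C:\inetpub\wwwroot) and map suspicious files to their reasons
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if reasons := scan_file(full):
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return hits

def demo():
    # Build a constructed web root in a temp dir (sample content, not real malware) and scan it
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        files = {
            "index.aspx": "<%@ Page Language=\"C#\" %><html>hello</html>",
            "web.config": "<configuration/>",
            "images/web.config.aspx": "<%@ Page Language=\"C#\" %><% var p = \"" + "QUJD" * 60 + "\"; %>",
            "Global.asax.resx": "<root/>",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
                f.write(body)
        return scan_root(root)
```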
Web Log Analysis
Analyze IIS logs for unusual patterns: sudden spikes in POST requests to rarely accessed pages, requests with empty or malformed user-agent strings, or excessive “X-Forwarded-For” headers that try to spoof source IPs. The OP-512 core shell uses a specific cookie format—often a long base64 string in a cookie named “token” or “sid”—that can serve as a hunting indicator.
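The log patterns above as an added Python hunt, not code from the ReliaQuest report, run over constructed IIS W3C log lines: POSTs with an empty User-Agent, a long base64 value in a cookie named token or sid, and POST-only pages that are never requested with GET. The column set (cs(Cookie) must be enabled in IIS logging), the base64 length and the POST threshold are assumptions.

```python
import base64, binascii, re
from collections import Counter
# Constructed IIS W3C log sample (not from the ReliaQuest report); "-" marks an empty field
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Cookie) c-ip
2026-06-01 10:00:01 10.0.0.5 GET /index.aspx 200 Mozilla/5.0+(Windows+NT+10.0) - 203.0.113.7
2026-06-01 10:00:02 10.0.0.5 GET /about.aspx 200 Mozilla/5.0+(Windows+NT+10.0) ASP.NET_SessionId=abc123 203.0.113.7
2026-06-01 10:00:05 10.0.0.5 POST /images/web.config.aspx 200 - token=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcA== 198.51.100.9
2026-06-01 10:00:06 10.0.0.5 POST /images/web.config.aspx 200 - token=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcA== 198.51.100.9
2026-06-01 10:00:07 10.0.0.5 POST /images/web.config.aspx 200 - token=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcA== 198.51.100.9
2026-06-01 10:00:09 10.0.0.5 GET /contact.aspx 200 curl/8.0 - 203.0.113.8
"""
SUSPECT_COOKIES = {"token", "sid"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64 body, optional padding (assumed length)

def looks_like_b64_blob(value):
    # Long base64-shaped value that really decodes: the "token"/"sid" pattern from the report
    try:
        return bool(B64_RE.match(value)) and bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False

def parse_w3c(text):
    # Yield one dict per entry, keyed by the column names in the #Fields header
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def hunt(text, post_threshold=3):
    # Return the three indicator sets the report describes for the OP-512 core shell
    empty_ua_posts, suspect_cookies = [], []
    posts, gets = Counter(), Counter()
    for e in parse_w3c(text):
        stem, method, ip = e["cs-uri-stem"], e["cs-method"], e["c-ip"]
        if method == "POST":
            posts[stem] += 1
            if e["cs(User-Agent)"] == "-":  # empty User-Agent on a POST
                empty_ua_posts.append((ip, stem))
        elif method == "GET":
            gets[stem] += 1
        for cookie in e["cs(Cookie)"].split(";"):  # IIS joins multiple cookies with ';' and logs spaces as '+'
            name, _, value = cookie.partition("=")
            if name.strip(" +").lower() in SUSPECT_COOKIES and looks_like_b64_blob(value):
                suspect_cookies.append((ip, stem, name.strip(" +").lower()))
    # POST-only pages that are never GET-requested: the "spike to rarely accessed pages" pattern
    post_spikes = {s: n for s, n in posts.items() if n >= post_threshold and gets[s] == 0}
    return {"empty_ua_posts": empty_ua_posts, "suspect_cookies": suspect_cookies, "post_spikes": post_spikes}
```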
Endpoint and Network Detection
Deploy EDR solutions that can detect suspicious process creation from w3wp.exe (the IIS worker process). The web shell spawns cmd.exe and PowerShell for command execution, so rules monitoring for w3wp.exe launching child processes with network connections can catch it. On the network side, scrutinize outbound DNS TXT queries and HTTPS traffic with unusual certificate attributes—the persistence agent leverages DNS tunneling in fallback mode.
Hardening IIS
Reduce the attack surface by:
- Running application pools under least-privilege service accounts, not LocalSystem.
- Disabling unused IIS modules and ISAPI extensions.
- Setting up a Web Application Firewall (WAF) with rules against file upload attacks and command injection.
- Restricting outbound internet access from web servers to necessary endpoints only; the stager needs to reach arbitrary C2 domains, so default-deny firewall policies can break the kill chain.
Credential Protection
Enable Windows Defender Credential Guard and use Managed Service Accounts to isolate sensitive credentials from LSASS. The OP-512 agent specifically dumps memory from lsass.exe, so these mitigations force attackers to rely on less reliable methods. Also, mandate multi-factor authentication for all privileged accounts to limit the impact of any stolen hashes.
Industry Reaction and Looking Ahead
Since ReliaQuest’s disclosure, Microsoft’s Detection and Response Team (DART) has issued a security advisory encouraging IIS customers to apply the June 2026 cumulative updates, which include additional logging for unauthorized IIS module installations. The Cybersecurity and Infrastructure Security Agency (CISA) added the OP-512 TTPs to its Known Exploited Vulnerabilities catalog, ordering federal agencies to implement the recommended mitigations within 14 days.
Several security vendors have released updated signatures; CrowdStrike, SentinelOne, and Microsoft Defender can now detect the stager and core shell based on the obfuscation patterns and C2 communication templates. However, because the framework can be easily recompiled with different strings and encryption keys, defenders should not rely solely on hash-based detection.
The emergence of OP-512 underscores a broader trend: as organizations harden email and endpoint security, attackers pivot to internet-facing servers that often lack the same level of monitoring. IIS has long been a soft target, and China’s focus on supply chain and intellectual property theft ensures it will remain so. “Web shells are the ultimate backdoor,” Pedrick noted. “They’re small, they use the very protocols you have to allow, and once they’re in, you may never know.”
For the immediate term, ReliaQuest recommends that organizations run a thorough search of all IIS servers for the indicators of compromise detailed in its report, available on the company’s threat research portal. Meanwhile, the OP-512 cluster is expected to evolve: researchers have already identified an updated version that embeds the stager in encrypted web.config sections and communicates via legitimate cloud services like Microsoft Graph API to mask C2 traffic.
The battle between web server defenders and Chinese APT groups continues, but with improved logging, credential protection, and a zero-trust approach to web infrastructure, the odds can be tilted back in favor of the good guys.