Researchers at ReliaQuest have identified OP-512, a previously unknown threat cluster assessed with moderate to high confidence as operating from China. The group targets Microsoft Internet Information Services (IIS) servers worldwide to deploy custom web shell frameworks designed for espionage operations.
OP-512 focuses on establishing persistent access to IIS infrastructure, most likely in organizations running outdated or unpatched server instances. A web shell is a server-side script dropped into a web root; the attacker drives it through ordinary HTTP requests to execute arbitrary commands, keep a backdoor open, and exfiltrate data, so no separate malware implant has to be installed or beaconed out. The custom framework suggests the group has moderate-to-advanced development capability and has tailored its tooling specifically to IIS environments.
The threat cluster's espionage focus suggests its likely targets are government, defense, technology, and critical infrastructure organizations, where intelligence on operations, communications, or intellectual property has strategic value. Any organization running IIS faces direct risk, and unpatched systems on vulnerable IIS versions present the highest exposure. Because the web shell framework is custom, detection signatures written for other campaigns may not match it, which complicates threat hunting and incident response.
ReliaQuest's assessment linking OP-512 to Chinese operations aligns with historical patterns of state-sponsored groups conducting long-term infrastructure reconnaissance and data harvesting operations. The choice of IIS as a target reflects its continued prevalence in enterprise Windows environments, particularly in organizations with legacy infrastructure dependencies.
Organizations operating IIS servers should immediately audit web server logs for anomalous authentication patterns, unusual HTTP requests, and access to suspicious file paths, such as server-side scripts under upload or static-content directories that are only ever requested by one or two clients. Patching IIS instances to current versions closes the known vulnerabilities through which shells are typically dropped, but it does not remove a shell that is already on disk, so recently modified script files in web roots should be reviewed as well. Network segmentation that isolates web servers from sensitive internal systems limits lateral movement if a compromise occurs. Web application firewalls configured to block known web shell signatures and command patterns add a further detection layer, with the caveat that a custom framework may not match existing signatures, so generic behavioural rules matter more than campaign-specific ones here.
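The log audit described above, as an added example that is not part of the ReliaQuest report and contains no OP-512 indicators: a small hunter for IIS W3C extended logs that flags generic web-shell behaviour. The writable-directory list, command tokens and user-agent patterns are assumed heuristics a defender would tune to their own environment, and the sample log is constructed for the example.

```python
"""
Hunt for web-shell activity in IIS W3C extended log lines.

Added example. The heuristics are generic web-shell indicators, not
signatures for OP-512's tooling, which the article does not publish.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Directories that normally hold static or user-uploaded content; a server-side
# script living here is a classic shell drop location (assumed list, tune it).
WRITABLE_DIRS = ("/uploads/", "/upload/", "/images/", "/temp/", "/tmp/",
                 "/aspnet_client/", "/files/", "/content/")
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".soap")

# Tokens typical of command execution through a shell's parameters (assumed).
CMD_TOKENS = re.compile(
    r"(cmd=|exec=|command=|whoami|powershell|cmd\.exe|certutil|net\s+user)",
    re.IGNORECASE,
)
# Client tooling (or a blank UA) that does not normally browse an intranet site.
TOOL_UA = re.compile(r"^(-|python|curl|go-http|java/|wget)", re.IGNORECASE)

# Constructed sample log; IIS writes spaces inside fields as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-01-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-15 08:01:02 10.0.0.5 GET /index.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2025-01-15 08:01:05 10.0.0.5 GET /index.aspx - 443 - 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9
2025-01-15 08:03:10 10.0.0.5 POST /Account/Login.aspx - 443 - 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0) https://intranet.example/index.aspx 302 0 0 40
2025-01-15 08:03:11 10.0.0.5 GET /Account/Login.aspx - 443 - 198.51.100.22 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-01-15 23:14:02 10.0.0.5 POST /uploads/img_0421.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 310
2025-01-15 23:14:09 10.0.0.5 GET /uploads/img_0421.aspx c=whoami 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 120
2025-01-15 23:15:40 10.0.0.5 POST /uploads/img_0421.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 290
2025-01-15 23:30:00 10.0.0.5 POST /aspnet_client/system_web/cfg.ashx - 443 - 203.0.113.8 - - 200 0 0 88
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        yield dict(zip(fields, parts))


def hunt(text):
    """Return a list of (client_ip, uri_stem, reason) findings."""
    findings = []
    by_path = defaultdict(lambda: {"methods": set(), "ips": set()})
    for r in parse_w3c(text):
        stem = r.get("cs-uri-stem", "").lower()
        query = unquote(r.get("cs-uri-query", "-"))
        ip = r.get("c-ip", "?")
        ua = r.get("cs(User-Agent)", "-")
        if stem.endswith(SCRIPT_EXT) and any(d in stem for d in WRITABLE_DIRS):
            findings.append((ip, stem, "script under static/upload directory"))
        if CMD_TOKENS.search(query):
            findings.append((ip, stem, "command-like token in query string"))
        if r.get("cs-method") == "POST" and TOOL_UA.match(ua):
            findings.append((ip, stem, f"POST from tooling user agent {ua!r}"))
        by_path[stem]["methods"].add(r.get("cs-method"))
        by_path[stem]["ips"].add(ip)
    # A script that is only ever POSTed to, by one or two clients, is how an
    # operator-driven shell looks in aggregate even when no single request
    # trips a content rule above.
    for stem, e in by_path.items():
        if stem.endswith(SCRIPT_EXT) and e["methods"] == {"POST"} and len(e["ips"]) <= 2:
            for ip in sorted(e["ips"]):
                findings.append((ip, stem, "POST-only script path with few clients"))
    return findings


def suspicious_clients(text):
    """Sorted list of client IPs that produced at least one finding."""
    return sorted({ip for ip, _, _ in hunt(text)})


if __name__ == "__main__":
    for ip, stem, reason in hunt(SAMPLE_LOG):
        print(f"{ip:15} {stem:40} {reason}")
```

Run it against a day's worth of exported logs and pivot on the client IPs it returns; the aggregate rule at the end is the one worth keeping even if the content patterns are tuned away, because it keys on how a shell is used rather than on what any particular framework sends.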
The discovery of OP-512 demonstrates the persistent targeting of widely-deployed but sometimes overlooked server technologies. Custom web
