
ReliaQuest Uncovers OP-512, a Stealthy IIS Espionage Framework

CyberSecureFox Editorial Team

ReliaQuest has disclosed a previously unknown threat cluster, designated OP-512, that targets Microsoft Internet Information Services (IIS) servers. The group uses a custom framework of three web shells that together provide remote access and file management and automatically notify the attackers' infrastructure of each new compromise. The primary goal is espionage. Organizations exposing IIS on software that is out of support are at the highest risk; in the documented case that was Windows Server 2016 (out of mainstream support since January 2022) hosting an application on .NET Framework 4.0, a framework release whose security updates ended in January 2016.

Technical details of the framework

The core of OP-512's operations is a custom framework of three web shells with separate roles. According to the researchers, together they provide:

  • File management on the compromised host
  • Authenticated command execution via two independent access paths
  • Automatic notification to the attacker’s infrastructure when a compromise occurs

Each deployment is reportedly generated uniquely, and access to the web shells is gated by cryptographic controls, so only the operator holding the matching key material can drive the installed components; a defender or a rival attacker who finds the files cannot simply send them commands. Compromised servers automatically report to a centralized command infrastructure, which lets the operators scale without tracking each host by hand.

Timeline of the observed attack

In the documented incident, the target was a legacy IIS server on Windows Server 2016 whose application ran on .NET Framework 4.0, a framework version that no longer receives security updates. Roughly 75 days before the main incident, DNS queries from the same host to an attacker-controlled domain, ashx.lhlsjcb[.]com, had already been recorded, an early signal that historical DNS logs can still surface today.

A rapid attack phase followed a few weeks later. The web shell was written into the application's upload directory by the IIS worker process (w3wp.exe) itself, that is, through the hosted web application rather than by a separate dropper, which is why file writes by w3wp.exe are the natural detection point. Immediately after deployment the self-notification mechanism fired: the shell sent a DNS query to the attacker-controlled domain reporting its location, with an HTTP request available as a fallback channel.

Evasion: advanced timestomping

The framework uses timestomping (MITRE ATT&CK T1070.006, Indicator Removal: Timestomp; the technique carried the ID T1099 before ATT&CK introduced sub-techniques) with a non-trivial implementation. Instead of setting an arbitrary or copied timestamp, the code enumerates the files and subdirectories around the web shells, computes the median of their "last modified" timestamps, and writes that value into the creation and modification times of its own artifacts. The shells therefore look as though they have been on the server as long as the application itself, which defeats any hunt that sorts a directory by date or looks for files newer than the last deployment. The technique has a limit that forensics can exploit: on NTFS the Win32 SetFileTime call rewrites only the $STANDARD_INFORMATION timestamps that Explorer, dir and os.stat display, while the $FILE_NAME timestamps in the same MFT record and the USN change journal keep the real creation time (unless the attacker renames the file afterwards, which copies the forged values into $FILE_NAME). A $STANDARD_INFORMATION creation time that predates the $FILE_NAME creation time remains the classic tell.
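The median-of-neighbours stomp and the two checks just described, modelled in memory as an added example. This is the editor's code, not ReliaQuest's analysis tooling and not OP-512's implant; it follows only the description above. The NTFS behaviour it relies on (SetFileTime rewrites $STANDARD_INFORMATION but not $FILE_NAME) is standard, every file record is constructed sample data, and the file name uploads/upd.ashx is hypothetical.

```python
"""Median-of-neighbours timestomping, modelled in memory, with two hunts.

Editor's added example; not ReliaQuest's code and not OP-512's implant.
It follows the page's description: take the median "last modified" time
of the files around the web shell and stamp the shell's creation and
modification times with it. SetFileTime() rewrites the
$STANDARD_INFORMATION ($SI) timestamps that dir/Explorer/os.stat show and
leaves the $FILE_NAME ($FN) timestamps in the same MFT record alone.
Every file record below is constructed sample data.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from statistics import median

UTC = timezone.utc


@dataclass(frozen=True)
class FileRecord:
    path: str
    si_modified: datetime   # $SI last-modified: what "dir" shows and the median uses
    si_created: datetime    # $SI creation time
    fn_created: datetime    # $FN creation time: untouched by SetFileTime


def ts_utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=UTC)


def constructed_webroot():
    """A clean application tree: $SI and $FN creation agree on every file,
    and each file has been modified at least once since it was created."""
    seed = [
        ("web.config", ts_utc(2022, 3, 14)),
        ("Default.aspx", ts_utc(2022, 3, 14)),
        ("bin/App.dll", ts_utc(2023, 1, 9)),
        ("uploads/report.pdf", ts_utc(2023, 8, 22)),
        ("uploads/photo.jpg", ts_utc(2024, 2, 2)),
    ]
    return [FileRecord(name, created + timedelta(hours=i + 1), created, created)
            for i, (name, created) in enumerate(seed)]


def median_timestamp(files):
    """Attacker side: median of the neighbours' last-modified times. For an
    odd count this is one neighbour's real timestamp; for an even count it
    is the mean of the two middle values."""
    secs = [f.si_modified.timestamp() for f in files]
    return datetime.fromtimestamp(median(secs), tz=UTC)


def timestomp(artifact, neighbours):
    """Stamp the artifact's $SI created and modified times with the median.
    $FN creation is left alone because SetFileTime cannot reach it; only a
    later rename or move would copy the forged $SI values into $FN."""
    t = median_timestamp(neighbours)
    return replace(artifact, si_modified=t, si_created=t)


def si_created_before_fn(f, tolerance=timedelta(seconds=1)):
    """Strong signal: $SI creation earlier than $FN creation. On an untouched
    file the two agree (a rename re-copies $SI into $FN, so they still
    agree), so $FN later than $SI means $SI was rewritten after the file
    landed."""
    return f.fn_created - f.si_created > tolerance


def exact_twin_of_sibling(f, siblings):
    """Weaker signal: $SI created and modified are identical and that exact
    value is a sibling's modified time. With an odd number of neighbours the
    median is a real file's timestamp, so the stomped artifact becomes an
    exact-tick twin of a legitimate file. Installers that copy a tree can
    produce the same pattern, so rank on this and alert on the $FN check."""
    return (f.si_created == f.si_modified
            and any(s.si_modified == f.si_modified for s in siblings))


def hunt(files):
    """Return (path, strong, weak) for every file that trips either check."""
    flagged = []
    for f in files:
        siblings = [s for s in files if s is not f]
        strong = si_created_before_fn(f)
        weak = exact_twin_of_sibling(f, siblings)
        if strong or weak:
            flagged.append((f.path, strong, weak))
    return flagged


def demo():
    """Drop a constructed shell, stomp it against the clean tree, then hunt."""
    legit = constructed_webroot()
    dropped = ts_utc(2025, 6, 1, 10)
    shell = FileRecord("uploads/upd.ashx", dropped, dropped, dropped)  # hypothetical name
    stomped = timestomp(shell, legit)
    return stomped, hunt(legit + [stomped])


if __name__ == "__main__":
    stomped, flagged = demo()
    print("shell now claims creation:", stomped.si_created.isoformat())
    print("hunt flagged:", flagged)
```

Running it shows the shell claiming the same creation time as bin/App.dll, the median of the five neighbours, while its $FN creation still says June 2025; only the shell trips the checks, the legitimate files do not. On a live system the $FN values come from the MFT (for example via an MFT parser or a forensic image), not from os.stat, which only sees $SI.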

Privilege escalation

After gaining a foothold, OP-512 attempted to escalate to SYSTEM with the Potato family of tools, a well-known set of Windows token-impersonation techniques. They work because the account a web shell inherits from the IIS application pool normally holds SeImpersonatePrivilege, which the Potato tools abuse to obtain a SYSTEM token. The attacker ran whoami /priv, whose output lists the privileges held by the current token, to check the rights obtained.

Threat context: IIS as a systemic target

According to ReliaQuest, OP-512 is the fourth threat cluster after CL-STA-0048, DragonRank and GhostRedirector to deliberately target IIS servers over the last 12 months. At the same time, researchers have not found direct overlaps between OP-512’s tooling and that of other known groups, although they note tactical similarities with CL-STA-0048. This gives rise to two hypotheses: either OP-512 is an existing cluster that has completely refreshed its toolkit, or it is an independent group that has developed similar capabilities on its own.

Important caveat: the attribution of OP-512, and any inference about links to a particular state, rests on the assessment of a single research source and has not been independently confirmed. Nevertheless, the mere fact that several clusters have concentrated on the same technology within a short period deserves defenders' attention.

The key difference between OP-512 and the related clusters is its avoidance of commodity tooling. According to ReliaQuest, the framework is built specifically to sidestep the detection methods that work well against the other three groups, so organizations that have tuned their defenses to those clusters should assume they are still exposed to OP-512.

Impact assessment

The organizations most at risk are those running internet-facing IIS servers on legacy platforms — primarily Windows Server 2016 and earlier versions with unsupported .NET Framework components. The combination of cryptographic protection of access to the web shells, unique generation of each deployment, and automated notification makes detection by standard signature-based tools extremely difficult. A successful compromise gives the attacker full control over the server with the ability to maintain a long-term covert presence.

Practical recommendations

  • IIS server audit: inventory every internet-facing IIS server. Identify instances on Windows Server 2016 and earlier, and check the .NET Framework actually in use: the installed 4.x build is recorded in the registry under HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full (the Release value), while appcmd list apppool or IIS Manager shows which CLR each application pool is bound to (a pool showing v4.0 can be running anything from 4.0 to 4.8, so the registry value is the one that matters).
  • Migration off legacy platforms: servers on unsupported software must be prioritized for upgrade or decommissioning. If migration is not feasible in the short term, isolate them in a separate network segment with enhanced monitoring.
  • Timestomping monitoring: deploy file integrity monitoring (FIM) on IIS web application directories and compare timestamps against sources the stomp cannot rewrite. Sysmon Event ID 2 records a process changing a file's creation time together with the previous value; the NTFS $FILE_NAME attribute and the USN change journal retain the real creation time. A file whose visible creation time predates its $FILE_NAME creation time, or that shares a timestamp to the tick with a neighbour while nothing in the deployment history explains it, warrants a look.
  • w3wp.exe process control: alert on file creation by the IIS worker process (Sysmon Event ID 11 with Image ending in w3wp.exe) in upload directories, especially for .aspx and .ashx files and other extensions mapped to ASP.NET handlers such as .asmx. Legitimate uploads are usually documents and images, so a server-side script written by w3wp.exe is high-signal.
  • DNS monitoring: add ashx.lhlsjcb[.]com to blocklists and search historical DNS logs for queries to it; in the documented case the beacon preceded the intrusion by about 75 days. Because the shell has an HTTP fallback, also review outbound proxy and firewall logs from IIS hosts for connections to the domain, and restrict egress from web servers to what the application needs.
  • Potato Suite detection: monitor for token-manipulation privilege escalation and for processes spawned by w3wp.exe (cmd.exe, powershell.exe, whoami.exe), including whoami /priv. Review which application-pool identities hold SeImpersonatePrivilege: it is granted to IIS_IUSRS and the built-in service accounts by default and is exactly what the Potato family needs, so removing it from pools whose application does not impersonate clients closes that escalation path (test first, since applications that rely on impersonation or Windows authentication will break).
  • Review of signature rules: existing detection rules tuned to the known clusters (CL-STA-0048, DragonRank and GhostRedirector) are presumably ineffective against OP-512. Supplement them with behavioral detections on the worker process, its child processes, its file writes and its DNS traffic.
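The timestomping, w3wp.exe, DNS and Potato recommendations above, turned into detection logic and run over constructed events as an added example. This is the editor's code, not ReliaQuest's detection content. Field names (EventID, Image, ParentImage, TargetFilename, CommandLine, QueryName) and event IDs are Sysmon's, but the events are constructed and flattened to one key=value line each rather than Sysmon's XML; the file name upd.ashx and every host name other than the page's IOC are hypothetical.

```python
"""Behavioural detections for the OP-512 chain over constructed Sysmon-style events.

Editor's added example, not ReliaQuest's rules. Sysmon event IDs used
(real values): 1 = ProcessCreate, 2 = FileCreateTime changed,
11 = FileCreate, 22 = DnsQuery. Events below are constructed.
"""

SAMPLE_EVENTS = r"""
EventID=11|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\inetpub\wwwroot\app\uploads\invoice.pdf
EventID=11|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\inetpub\wwwroot\app\uploads\upd.ashx
EventID=2|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\inetpub\wwwroot\app\uploads\upd.ashx|PreviousCreationUtcTime=2025-06-01 10:15:02.114|CreationUtcTime=2023-01-09 03:00:00.000
EventID=22|Image=C:\Windows\System32\inetsrv\w3wp.exe|QueryName=ashx.lhlsjcb.com
EventID=1|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami /priv
EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\whoami.exe|CommandLine=whoami /priv
EventID=11|Image=C:\Windows\System32\msiexec.exe|TargetFilename=C:\inetpub\wwwroot\app\Default.aspx
EventID=22|Image=C:\Program Files\Mozilla Firefox\firefox.exe|QueryName=www.example.com
"""

# The page names .aspx and .ashx; .asmx is another extension IIS maps to ASP.NET.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")
IOC_DOMAINS = ("ashx.lhlsjcb.com",)   # the page's IOC, defanged there as ashx.lhlsjcb[.]com
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe"}


def parse(line):
    """One constructed event per line, '|'-separated key=value fields."""
    return dict(part.partition("=")[::2] for part in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_w3wp(path):
    return basename(path) == "w3wp.exe"


def rule_w3wp_drops_script(ev):
    """The worker process writes a server-side script (upload abuse)."""
    return (ev.get("EventID") == "11" and is_w3wp(ev.get("Image", ""))
            and ev.get("TargetFilename", "").lower().endswith(SCRIPT_EXTENSIONS))


def rule_w3wp_timestomps(ev):
    """Sysmon logs creation-time changes with the previous value; w3wp.exe
    has no business rewriting them."""
    return ev.get("EventID") == "2" and is_w3wp(ev.get("Image", ""))


def rule_ioc_dns(ev):
    """The notification beacon, including sub-domains of the listed IOC."""
    q = ev.get("QueryName", "").lower()
    return ev.get("EventID") == "22" and any(q == d or q.endswith("." + d)
                                            for d in IOC_DOMAINS)


def rule_w3wp_spawns_shell(ev):
    """A shell or whoami under the worker process. Many IIS applications
    never spawn children at all; if yours does, allow-list them here."""
    return (ev.get("EventID") == "1" and is_w3wp(ev.get("ParentImage", ""))
            and basename(ev.get("Image", "")) in SHELL_CHILDREN)


RULES = {
    "w3wp_drops_script": rule_w3wp_drops_script,
    "w3wp_timestomps_file": rule_w3wp_timestomps,
    "ioc_dns_query": rule_ioc_dns,
    "w3wp_spawns_shell": rule_w3wp_spawns_shell,
}


def detect(log_text):
    """Return (rule name, detail) for every event that trips a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        detail = (ev.get("TargetFilename") or ev.get("QueryName")
                  or ev.get("CommandLine") or "")
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"{name:22} {detail}")
```

On the sample, the PDF upload, the msiexec deployment of Default.aspx, the interactive whoami under explorer.exe and the browser DNS lookup all pass, while the .ashx write, the creation-time rewrite on the same file, the beacon to the IOC domain and the cmd.exe child of w3wp.exe each fire once. In a real pipeline the same four predicates map directly onto Sysmon or EDR query languages; the value of the Event ID 2 rule is that PreviousCreationUtcTime preserves the true drop time the stomp tried to erase.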

The concentration of several independent clusters on IIS servers over the past year points to a systemic issue: legacy internet-facing servers remain an attractive entry point. The top priority for defenders is immediate inventory and decommissioning or isolation of outdated IIS instances, supplemented with behavioral monitoring of the w3wp.exe process and file integrity control in web application directories.

