IIS servers face new China-linked intrusion risk

Cybersecurity teams are being urged to review exposed Microsoft IIS servers after a China-linked espionage cluster was found using a custom web shell framework built to evade conventional detection and maintain access inside compromised networks.

The activity, tracked as OP-512, targeted an internet-facing Windows Server 2016 system running Internet Information Services and an end-of-life .NET Framework 4.0 application. The operation involved three purpose-built web shells using ASPX and ASHX files, allowing attackers to manage files, execute commands and automatically report the location of compromised servers to attacker-controlled infrastructure.

The case has drawn attention because the tooling appears designed for long-term espionage rather than quick financial gain. The affected server showed signs of attacker access 75 days before the main intrusion sequence, indicating a patient operation in which access was tested, preserved and later expanded. Once the attackers returned, they deployed the web shells, created multiple command paths and attempted privilege escalation within hours.

OP-512’s framework differs from many commodity web shells because each deployment is cryptographically unique. The ASHX command handlers used RSA signature verification and RC4 encryption, making it difficult for defenders or rival attackers to send commands without the matching private key. The files also used obfuscation, randomised variable names and junk code to prevent simple hash-based detection.

A notable feature of the ASPX shell was its self-reporting capability. Once accessed, it encoded its own URL into a DNS query and transmitted it to attacker infrastructure. If DNS failed, the shell could fall back to HTTP communication with a separate command-and-control server. That design allowed the attacker to drop the shell and let central infrastructure catalogue the compromised endpoint automatically.

The malware also used timestomping, a technique that alters file creation and modification dates to blend malicious files into existing directories. By scanning nearby files and matching typical timestamps, the shells could appear to have been present for years, complicating forensic review based on file dates.

Investigators also found malicious DLLs in ASP.NET temporary compilation directories. These compiled artefacts can remain even after original ASPX or ASHX files are removed, creating a separate challenge for incident response teams. Removing visible web shells may not be enough unless temporary compilation paths are reviewed and cleaned.
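One way to carry out the review of temporary compilation paths described above, as an added example that is not code from the article or the investigation it reports; the site root, the default 64-bit .NET 4.x temp path and a single application at the site root are assumptions:

```powershell
# Added example, not from the article or the investigation: list every ASPX/ASHX
# page that IIS has compiled for a site and reconcile it with the source on disk.
# Assumes a .NET Framework 4.x site served by a 64-bit app pool (32-bit pools use
# ...\Framework\v4.0.30319\...) with its application at the site root.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',
    [string]$TempRoot = "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files"
)

# Each compiled page leaves an XML "preserve" file (*.compiled) next to the
# App_Web_*.dll it produced, recording the virtual path of the source file.
Get-ChildItem -LiteralPath $TempRoot -Filter '*.compiled' -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $preserve = ([xml](Get-Content -LiteralPath $_.FullName -Raw)).preserve
    # Skip entries for directories, App_Code, resources and anything else
    # that is not a page or handler compilation.
    if (-not $preserve.virtualPath -or $preserve.virtualPath -notmatch '\.(aspx|ashx)$') { return }

    # Map the virtual path (/dir/page.ashx) to a physical path under the site root.
    $relative = ($preserve.virtualPath -replace '^/', '') -replace '/', '\'
    $source   = Join-Path $SiteRoot $relative
    $assembly = Join-Path $_.DirectoryName ($preserve.assembly + '.dll')

    # The source file's own timestamps may have been timestomped; the compile
    # time is read from the artefact, a separate file in a directory the
    # intruder may not have visited.
    $sourceWrite = $null
    if (Test-Path -LiteralPath $source) {
        $sourceWrite = (Get-Item -LiteralPath $source).LastWriteTime
    }

    [pscustomobject]@{
        VirtualPath  = $preserve.virtualPath
        SourceExists = Test-Path -LiteralPath $source   # False = orphaned artefact
        SourceWrite  = $sourceWrite
        CompiledAt   = $_.LastWriteTime
        Assembly     = $preserve.assembly
        DllOnDisk    = Test-Path -LiteralPath $assembly
        CompiledFile = $_.FullName
    }
  } |
  Sort-Object CompiledAt -Descending |
  Format-Table VirtualPath, SourceExists, SourceWrite, CompiledAt, Assembly, DllOnDisk -AutoSize
```

Run it from an elevated prompt, since the temporary compilation directories live under the Windows directory. A row with SourceExists False is a compiled artefact whose ASPX or ASHX source has already been removed, which is the situation described above.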

The attackers attempted to escalate privileges using tools linked to the so-called Potato family of Windows exploitation techniques, including BadPotato, SweetPotato and EfsPotato. These tools are often used to move from limited service accounts towards higher privilege levels by abusing Windows service behaviour. Commands such as account and privilege checks were issued in encoded form through the web server process.

The intrusion also showed the limits of endpoint prevention when host isolation does not follow immediately. Security controls terminated malicious processes, but IIS automatically restarted worker processes, allowing attacker code to reload through successive process instances. That loop underlined the need to isolate affected servers rather than relying only on process termination.

The exposure of legacy IIS infrastructure remains a recurring weakness across enterprise environments. IIS servers often sit at the boundary between public-facing applications and internal networks, making them attractive pivot points for espionage actors. When those servers run unsupported frameworks or poorly monitored upload directories, attackers gain a practical route into deeper systems.

.NET Framework 4.0 has been out of support for years, and Windows Server 2016 is approaching the final phase of its support lifecycle. Many organisations still keep such systems online because they support older business applications, internal portals or customer-facing services that are difficult to migrate. That operational reality creates a gap between formal patching policies and what remains exposed on the internet.

The OP-512 case also fits a broader pattern of China-linked clusters focusing on edge systems, web applications and legacy server software. Such targets offer stealth, persistence and access to sensitive communications or intellectual property without the need to compromise heavily monitored endpoints first. The overlap with other China-linked operations is not enough to treat OP-512 as a known group, but shared tactics point to a wider ecosystem of tools, training and operational methods.


