China-linked OP-512 deploys three-part web shell on IIS

ReliaQuest reports OP-512 used a three-part web-shell framework to infect Microsoft IIS servers, using timestomping and automated reporting to support espionage.

ReliaQuest reported that a China-linked actor it calls OP-512 deployed a three-part web shell framework to compromise Microsoft Internet Information Services (IIS) servers. The company assessed with moderate to high confidence that the activity was espionage and aligned with China-linked intelligence priorities.

The intrusion targeted an internet-facing IIS instance running Windows Server 2016 and an out-of-support .NET Framework 4.0. ReliaQuest found evidence of prior activity on the same host about 75 days earlier, including DNS queries to an attacker-controlled domain.

Observers say operators used the IIS worker process w3wp.exe to drop a web shell into the application upload directory. Each shell automatically reported its location back to attacker infrastructure via a DNS query, with an HTTP request used as a fallback, enabling centralized management and rapid follow-up activity.

The three-shell framework provided file management, authenticated command execution through two separate access paths, and automated reporting of compromises. After deploying the shells, operators attempted to escalate privileges to SYSTEM using the Potato Suite and ran commands such as whoami /priv to verify privileges. ReliaQuest noted each deployment was uniquely generated and access was restricted with cryptographic controls.

As an anti-forensic tactic, attackers used timestomping: they scanned files and subfolders around the implants, calculated the median last-modified timestamp, and overwrote the web shells’ creation and modification times to match that median. The technique alters forensic timelines and can hinder signature-based detection.

ReliaQuest reported that OP-512 is tactically close to a cluster tracked as CL-STA-0048 but treated OP-512 as a distinct actor. Security teams have observed multiple China-aligned clusters targeting internet-facing IIS servers over the past year, and researchers have seen Chinese-speaking actors share an IIS-focused malware variant called BadIIS. Other campaigns have targeted government and defense sectors across South, East and Southeast Asia.

The report advised organizations to reduce exposure of legacy web services, prioritize patching, increase monitoring for anomalous DNS and HTTP requests from web servers, and carry out timeline-aware forensic checks that account for manipulated timestamps.
