Chinese‑Linked OP‑512 Threat Cluster Deploys Custom Web Shells on Microsoft IIS Servers
What Happened — Researchers identified a previously unknown threat cluster, OP‑512, that is actively targeting Microsoft Internet Information Services (IIS) web servers. The group installs a bespoke ASP/ASP.NET web‑shell framework to gain persistent footholds and conduct espionage‑focused data collection. Attribution analysis links the activity to a China‑based threat actor with moderate‑to‑high confidence.
Why It Matters for TPRM —
- Compromise of IIS servers can cascade to any downstream SaaS or on‑premises applications that rely on the web tier, expanding the attack surface of third‑party providers.
- Persistent custom web shells enable long‑term data exfiltration, raising the risk of intellectual‑property loss and regulatory breach.
- The custom nature of the shell evades many signature‑based defenses, so vendor environments need behavioural monitoring and dedicated threat hunting rather than signature matching alone.
Who Is Affected — Enterprises across all industries that host or outsource web applications on Microsoft IIS, including SaaS platforms, cloud‑hosting MSPs, and internal IT departments.
Recommended Actions —
- Ensure all IIS instances are fully patched against known CVEs and hardened according to Microsoft best practices.
- Deploy Web Application Firewall (WAF) rules to block suspicious file uploads and monitor for anomalous outbound traffic from web servers.
- Conduct a focused audit of third‑party vendors that manage IIS workloads, confirming they have detection for custom web‑shell activity and appropriate incident‑response playbooks.
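As an added illustration of the web‑shell monitoring recommended above (this is example code written for this summary, not from the report, the researchers, or Microsoft), the following script reads IIS W3C‑format access logs and flags script endpoints whose traffic looks operator‑driven rather than browser‑driven: POST‑only, never reached through a Referer, and from very few client addresses. The log lines, host name, paths and the `max_ips` threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log lines (not taken from the report). The "#Fields:"
# directive names the columns as IIS writes it; IIS encodes spaces inside a field
# as "+", so whitespace splitting is safe. One benign session and one suspicious
# endpoint are included.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-01-10 08:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 15
2025-01-10 08:00:02 10.0.0.5 GET /products.aspx id=1 443 - 203.0.113.11 Mozilla/5.0 https://shop.example/index.aspx 200 20
2025-01-10 08:01:00 10.0.0.5 POST /login.aspx - 443 - 203.0.113.12 Mozilla/5.0 https://shop.example/index.aspx 302 30
2025-01-10 08:01:05 10.0.0.5 POST /login.aspx - 443 - 203.0.113.13 Mozilla/5.0 https://shop.example/index.aspx 302 28
2025-01-10 09:15:33 10.0.0.5 POST /images/cache/upd.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 1200
2025-01-10 09:16:10 10.0.0.5 POST /images/cache/upd.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 980
2025-01-10 09:20:41 10.0.0.5 POST /images/cache/upd.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 2100
"""

# Server-side script extensions an ASP/ASP.NET web shell would use.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx)$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_shell_candidates(text, max_ips=2):
    """Return script paths whose requests are all POST, all without a Referer,
    and come from at most max_ips client addresses (assumed threshold)."""
    stats = defaultdict(lambda: {"total": 0, "post": 0, "no_ref": 0, "ips": set()})
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"]
        if not SCRIPT_EXT.search(stem):
            continue
        s = stats[stem]
        s["total"] += 1
        s["post"] += r["cs-method"] == "POST"
        s["no_ref"] += r.get("cs(Referer)", "-") == "-"
        s["ips"].add(r["c-ip"])
    return sorted(stem for stem, s in stats.items()
                  if s["post"] == s["total"] and s["no_ref"] == s["total"]
                  and len(s["ips"]) <= max_ips)

if __name__ == "__main__":
    for path in find_shell_candidates(SAMPLE_LOG):
        print("review:", path)  # prints the one constructed suspicious endpoint
```

Endpoints it returns are review candidates, not verdicts; confirm by comparing the file on disk against the deployment baseline and its creation time against the earliest request in the log.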
Technical Notes — OP‑512 delivers a custom ASP/ASP.NET web shell via exploitation of unpatched IIS modules or stolen credentials. No single CVE is publicly disclosed, but the technique resembles remote‑code‑execution exploits such as CVE‑2025‑XXXX. Exfiltrated data may include proprietary business logic, customer PII, and intellectual property. Source: The Hacker News