A Fourth Group, the Same Target

When ReliaQuest published its findings on a previously unnamed threat cluster called OP-512, the detail that stood out most wasn’t the sophistication of the tooling — it was the count. OP-512 is now the fourth distinct China-linked group to deliberately target Microsoft Internet Information Services (IIS) servers within a twelve-month window, following CL-STA-0048, DragonRank, and GhostRedirector. That kind of convergence on a single technology stack doesn’t happen by accident.

ReliaQuest attributes the activity to China-aligned espionage with moderate-to-high confidence. The compromised organization operates in a sector and geographic region that matches China’s documented intelligence collection priorities — though the firm has not publicly named the victim. No technical overlaps connect OP-512 to the three previously identified IIS-focused clusters, which places it in an unusual position: tactically close to CL-STA-0048 in some respects, yet apparently operating independently.

The timing adds further context. Just last month, Cisco Talos reported that multiple Chinese-speaking cybercrime groups are sharing a malware variant called BadIIS specifically to infect IIS servers. Separately, a group tracked as SHADOW-EARTH-053 has been running an IIS-focused espionage campaign against government and defense targets across South, East, and Southeast Asia. The picture that emerges is of IIS infrastructure being treated as a category-level priority across several distinct operations simultaneously.


What the Web Shell Framework Actually Does

At the center of OP-512’s operations is a custom framework built from three web shells, each serving a distinct function. Taken together, they give the attacker file management capability, two independent paths for authenticated command execution, and an automated mechanism that reports the compromise back to attacker-controlled infrastructure — all without requiring hands-on interaction after initial deployment.

What makes this framework technically notable is the combination of features. Each deployment is uniquely generated rather than copied wholesale, which defeats signature-based detection that relies on file hashing or pattern matching. Access to the web shells is locked behind cryptographic controls, meaning that even if a defender or another threat actor discovered the shell’s location, they couldn’t interact with it without the correct keys. And once a web shell is dropped, it automatically contacts attacker infrastructure to report its own location — using a DNS query as the primary channel, with an HTTP request as a fallback.

The third element of the framework is the self-reporting mechanism embedded in the IIS worker process. When the attacker uses w3wp.exe to drop the initial web shell into the application’s upload directory, that action triggers the reporting beacon automatically. The attacker receives confirmation of a live foothold without having to probe the server manually.


Timestomping as a Forensic Countermeasure

One of the more deliberate techniques in OP-512’s playbook is timestomping — specifically a variant that goes further than most implementations. Rather than replacing file timestamps with arbitrary values, the framework scans every file and subfolder in the directory where the web shells are placed, calculates the median last-modified timestamp across all of them, and then overwrites its own creation and modification times to match that median value.

The effect is that the web shell artifacts appear to have existed for as long as the surrounding files have. If the directory contains application files that were last touched eighteen months ago, the web shells will carry that same timestamp. For investigators working from file system metadata, this creates a false forensic baseline and can push the apparent infection date well before the actual intrusion occurred.

This approach complicates incident response in a specific way: timeline reconstruction, which is usually among the first tasks in any investigation, becomes unreliable. Analysts have to cross-reference DNS logs, network flows, and application logs to anchor the real sequence of events — and if any of those data sources are incomplete, the investigation stalls.
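The two artifacts described above, a server-executable file sitting in an upload directory and a timestamp forced onto the directory's median, can be checked together from file metadata alone. The following is an added example, not ReliaQuest's code or any tooling from the incident: it walks a directory the way the framework reportedly does (files and subfolders), computes the median last-modified time, and flags script files whose mtime lands on it. The demo directory, its file names and ages are constructed; the function names and the assumption that the median is taken over mtimes are the author's, and the tolerance value is an arbitrary choice.

```python
import os
import statistics
import tempfile
import time

# File types IIS hands to a script engine. An upload directory should hold
# none of them, so the extension check is the first filter; hashing the
# files is pointless against a framework that generates each one uniquely.
SERVER_SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".ascx", ".asax", ".svc", ".soap"}


def collect_mtimes(root):
    """Last-modified time of every file and subfolder below root, keyed by
    relative path: the same population the framework reportedly uses
    when it computes its median."""
    mtimes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mtimes[os.path.relpath(path, root)] = os.stat(path).st_mtime
    return mtimes


def timestomp_suspects(mtimes, tolerance=0.5):
    """Script files whose mtime sits on the directory-wide median.

    One legitimate entry always lands on the median when the count is odd,
    so on its own the match means little; a server-executable file in an
    upload directory that lands there is the fingerprint of the technique.
    """
    if not mtimes:
        return []
    median = statistics.median(mtimes.values())
    return sorted(
        path for path, mtime in mtimes.items()
        if abs(mtime - median) <= tolerance
        and os.path.splitext(path)[1].lower() in SERVER_SCRIPT_EXTENSIONS
    )


def scan_upload_directory(root):
    return timestomp_suspects(collect_mtimes(root))


def build_constructed_upload_dir():
    """Throwaway directory with constructed content (not incident data): three
    old documents, a subfolder, and one script file whose mtime has been set
    to the median of the rest, the state the detector is meant to catch."""
    root = tempfile.mkdtemp(prefix="uploads_")
    now = time.time()

    def days_ago(n):
        return now - n * 86400

    for rel, age in {"report1.pdf": 400, "form.docx": 500, "img/logo.png": 600}.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")
        os.utime(path, (days_ago(age), days_ago(age)))
    # Creating logo.png bumped the subfolder's mtime, so set it afterwards.
    os.utime(os.path.join(root, "img"), (days_ago(550), days_ago(550)))

    # Median of the four existing entries (400, 500, 550, 600 days ago) is
    # 525 days ago; the planted file is stamped with exactly that value.
    median = statistics.median(collect_mtimes(root).values())
    shell = os.path.join(root, "cmd.ashx")
    with open(shell, "wb") as fh:
        fh.write(b"<!-- constructed placeholder, contains no code -->")
    os.utime(shell, (median, median))
    return root


if __name__ == "__main__":
    sample = build_constructed_upload_dir()
    print("median-stamped script files:", scan_upload_directory(sample))  # ['cmd.ashx']
```

Run it against a real IIS content root only after the hit list is understood: the extension filter does the discriminating work, and a match still has to be confirmed against sources the framework cannot rewrite, such as DNS and web logs.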


The Attack Sequence and What Came Before It

The specific incident ReliaQuest analyzed involved a legacy IIS server running Windows Server 2016 with an end-of-life .NET Framework 4.0 installation. The server was internet-facing, which is the access condition that makes IIS infrastructure attractive across all four of the China-linked clusters currently targeting it.

There is evidence of prior reconnaissance on the same host. Approximately 75 days before the main intrusion, DNS queries were made to an attacker-controlled domain — ashx.lhlsjcb[.]com — suggesting that OP-512 had identified the target well in advance and was monitoring or staging before moving. When the main phase of the attack arrived, ReliaQuest describes the sequence as a “sprint”: rapid, sequenced, and clearly pre-planned.

After the web shells were deployed and the self-reporting beacon fired, OP-512 moved toward privilege escalation. The group used the Potato Suite — a collection of local privilege escalation tools — to attempt elevation to SYSTEM level. They followed that with the command whoami /priv to confirm the rights obtained. Both techniques are well-documented and widely used, which suggests that at the post-exploitation phase, OP-512 didn’t feel the need to employ anything novel.
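The sequence just described, the early DNS contact, the self-report beacon from the server itself, and a privilege check spawned by the worker process, is what log correlation has to recover when file timestamps cannot be trusted. The following is an added example and not ReliaQuest's tooling: it merges three constructed log extracts into one timeline, measures the gap between the first query for the attacker domain and the first request served to a script in the upload directory, pairs server-originated queries for that domain with nearby web shell activity, and lists whoami /priv executions whose parent is w3wp.exe. The IIS lines follow the W3C extended format with its #Fields header; the DNS and process-log formats, the IP addresses, the timestamps and the /uploads/ path are assumptions for the sample only.

```python
from datetime import datetime, timezone

ATTACKER_DOMAIN = "ashx.lhlsjcb[.]com"  # defanged, as reported
UPLOAD_PREFIX = "/uploads/"
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx")

# Constructed sample logs, not from the incident. Assumed formats:
# DNS resolver log "<ISO8601> <client-ip> <qname>", process-creation log
# "<ISO8601>|<parent image>|<image>|<command line>", and an IIS W3C
# extended log with its #Fields header.
DNS_LOG = """\
2025-01-06T09:12:41Z 10.0.0.5 ashx.lhlsjcb[.]com
2025-02-10T12:00:00Z 10.0.0.7 update.example.net
2025-03-22T09:39:59Z 10.0.0.5 ashx.lhlsjcb[.]com
"""
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-03-22 09:39:58 10.0.0.5 POST /forms/upload.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 215
2025-03-22 09:40:03 10.0.0.5 POST /uploads/cmd.ashx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 118
"""
PROC_LOG = """\
2025-03-22T09:41:02Z|explorer.exe|notepad.exe|notepad.exe
2025-03-22T09:41:15Z|w3wp.exe|cmd.exe|whoami /priv
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_dns(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            events.append({"time": parse_ts(ts), "source": "dns", "client": client, "qname": qname})
    return events


def parse_iis_w3c(text):
    """Generic W3C parser: the #Fields directive names the columns."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            events.append({"time": parse_ts(f"{row['date']}T{row['time']}Z"), "source": "iis",
                           "server": row["s-ip"], "client": row["c-ip"], "method": row["cs-method"],
                           "uri": row["cs-uri-stem"], "status": row["sc-status"]})
    return events


def parse_proc(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, parent, image, cmdline = line.split("|", 3)
            events.append({"time": parse_ts(ts), "source": "proc",
                           "parent": parent, "image": image, "cmdline": cmdline})
    return events


def build_timeline(dns_text, iis_text, proc_text):
    events = parse_dns(dns_text) + parse_iis_w3c(iis_text) + parse_proc(proc_text)
    return sorted(events, key=lambda e: e["time"])


def is_upload_script_request(event):
    uri = event.get("uri", "")
    return event["source"] == "iis" and uri.startswith(UPLOAD_PREFIX) and uri.lower().endswith(SCRIPT_EXTENSIONS)


def reconnaissance_lead_days(timeline, domain=ATTACKER_DOMAIN):
    """Days between the first query for the attacker domain and the first
    request served to a script inside the upload directory; None if either
    anchor is missing, which is exactly when the investigation stalls."""
    first_dns = next((e["time"] for e in timeline if e["source"] == "dns" and e["qname"] == domain), None)
    first_shell = next((e["time"] for e in timeline if is_upload_script_request(e)), None)
    if first_dns is None or first_shell is None:
        return None
    return (first_shell - first_dns).days


def beacons_near_shell_activity(timeline, domain=ATTACKER_DOMAIN, window_seconds=300):
    """Queries for the attacker domain made by the web server itself within
    window_seconds of an upload-directory script request: the self-report
    beacon, which originates from the server rather than the attacker's IP."""
    hits = []
    for shell in filter(is_upload_script_request, timeline):
        for dns in timeline:
            if (dns["source"] == "dns" and dns["qname"] == domain and dns["client"] == shell["server"]
                    and abs((dns["time"] - shell["time"]).total_seconds()) <= window_seconds):
                hits.append((dns["time"], shell["time"]))
    return hits


def worker_spawned_priv_checks(timeline):
    """Privilege enumeration launched from the IIS worker process."""
    return [e for e in timeline if e["source"] == "proc"
            and e["parent"].lower() == "w3wp.exe" and "whoami /priv" in e["cmdline"].lower()]


if __name__ == "__main__":
    tl = build_timeline(DNS_LOG, IIS_LOG, PROC_LOG)
    for e in tl:
        print(e["time"].isoformat(), e["source"], {k: v for k, v in e.items() if k not in ("time", "source")})
    print("reconnaissance lead (days):", reconnaissance_lead_days(tl))  # 75
```

The point of keeping three independent parsers is the one the article makes: each source anchors a different step (DNS for the reconnaissance and the beacon, the web log for shell traffic, process telemetry for the escalation), and a gap in any one of them removes an anchor rather than merely weakening it.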


IIS as an Enduring Exposure

Why Legacy IIS Keeps Appearing

Microsoft IIS is not new software, and the versions still running on production infrastructure in many organizations are significantly older than current releases. Windows Server 2016 with .NET Framework 4.0 — the environment OP-512 targeted — represents a combination that Microsoft no longer actively patches. End-of-life frameworks sitting beneath internet-facing web servers are a structural problem that doesn’t resolve itself.

IIS servers are attractive targets for espionage operations for practical reasons. They frequently sit at the edge of organizational networks with direct internet exposure, they process application traffic that may include credentials or session data, and in many environments they are under-monitored compared to endpoint infrastructure. A web shell dropped into an upload directory on an IIS server can persist for weeks or months before generating an alert, particularly when timestomping has muddied the forensic trail.

The convergence of four separate China-linked groups on IIS within twelve months — OP-512, CL-STA-0048, DragonRank, GhostRedirector — plus the BadIIS malware being shared among Chinese-speaking cybercrime groups, points to a recognized gap in enterprise defensive coverage. Whether those groups are coordinating, drawing from shared tradecraft communities, or simply responding to the same intelligence about target vulnerability is not established.


What Separates OP-512 from Its Predecessors

ReliaQuest notes a tactical similarity between OP-512 and CL-STA-0048 close enough to raise the question of whether they are the same cluster with a completely rebuilt toolset. The current assessment treats them as distinct, with OP-512 operating autonomously. The absence of code or infrastructure overlap with any known group either supports that assessment or indicates that OP-512 has been careful about compartmentalization.

The web shell framework itself — uniquely generated per deployment, cryptographically access-controlled, self-reporting — is described by ReliaQuest as a combination of capabilities rarely seen together in a single framework. That level of operational engineering, paired with the anti-forensic timestomping logic, suggests a group with meaningful development resources and an awareness of how defenders investigate IIS compromises.

Organizations still running internet-facing IIS servers on end-of-life configurations should treat the current threat environment as a direct targeting condition, not a background risk. The legacy .NET Framework 4.0 reached end of life in January 2016 — more than a decade ago.