GBHackers

China-Linked Espionage Cluster Deploys Custom ASPX/ASHX Shells on IIS – GBHackers Security


A China-linked espionage cluster that ReliaQuest tracks as OP-512 has been observed deploying a purpose-built web shell framework against Internet Information Services (IIS) servers.

The operation, identified by ReliaQuest, targeted a Windows Server 2016 environment running the end-of-life .NET Framework 4.0.

Telemetry showed that the actors had first gained access 75 days before the primary intrusion, consistent with a state-aligned focus on persistent, long-term network access.

On re-entry, OP-512 quickly set up two command channels, deployed three web shells, and loaded privilege-escalation utilities directly into memory to avoid disk-based detection. The framework is built around a custom .aspx file manager that works as a fire-and-forget implant.

Once the shell is first accessed, it phones home on its own by encoding its URL into a hex-segmented DNS query: hex-encoded subdomain labels beneath the C2 domain. If the DNS request fails, the framework falls back to an HTTP beacon to the Meterpreter infrastructure.

Attack chain (Source: ReliaQuest)

Command execution is handled by two .ashx handlers that decrypt and authenticate each request. Both are produced by a shared builder that randomizes variable names and inserts junk code, so functionally identical files have entirely different hashes, ReliaQuest said. File-hash indicators for the handlers are therefore of little use.

Every command passes through a strict four-stage pipeline: Base64 decoding, RC4 decryption, RSA signature verification, and only then execution. Because each handler embeds its own RSA public key, compromising the key behind one handler gives neither analysts nor rival operators control of the other.
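To make the four-stage pipeline and the key-per-handler property concrete, here is an added Python model of the handler logic. It is not ReliaQuest's or the actor's code: the RC4 is a plain pure-Python implementation, the RSA is textbook RSA over small Mersenne primes with a truncated SHA-256 (enough to show the structure, useless as a real signature scheme), the shared RC4 key and handler names are assumptions, and stage four only reports what would run instead of executing anything.

```python
from __future__ import annotations
import base64
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encrypt and decrypt are the same operation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Textbook RSA over Mersenne primes: tiny and unpadded, so it only illustrates
# the key-per-handler property. Assumed for this example, not the actor's scheme.
E = 65537
SIG_LEN = 32

def make_rsa_key(p: int, q: int) -> tuple[tuple[int, int], tuple[int, int]]:
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest_int(data: bytes) -> int:
    # 128-bit truncated SHA-256 stays below every modulus used below.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def rsa_sign(priv: tuple[int, int], data: bytes) -> bytes:
    n, d = priv
    return pow(_digest_int(data), d, n).to_bytes(SIG_LEN, "big")

def rsa_verify(pub: tuple[int, int], data: bytes, sig: bytes) -> bool:
    n, e = pub
    return pow(int.from_bytes(sig, "big"), e, n) == _digest_int(data)

def build_request(rc4_key: bytes, priv: tuple[int, int], command: str) -> str:
    """Operator side: sign the command, RC4-encrypt (sig || command), base64."""
    cmd = command.encode()
    return base64.b64encode(rc4(rc4_key, rsa_sign(priv, cmd) + cmd)).decode()

class AshxHandler:
    """One generated handler: a shared RC4 key plus its own embedded RSA public key."""
    def __init__(self, name: str, rc4_key: bytes, pub: tuple[int, int]):
        self.name, self.rc4_key, self.pub = name, rc4_key, pub

    def process(self, request: str) -> tuple[bool, str]:
        # Stage 1: base64 decode (strict, so junk is rejected early)
        try:
            blob = base64.b64decode(request, validate=True)
        except ValueError:
            return False, "stage1: bad base64"
        # Stage 2: RC4 decrypt
        plain = rc4(self.rc4_key, blob)
        if len(plain) <= SIG_LEN:
            return False, "stage2: payload too short"
        sig, cmd = plain[:SIG_LEN], plain[SIG_LEN:]
        # Stage 3: signature must verify under THIS handler's embedded key
        if not rsa_verify(self.pub, cmd, sig):
            return False, "stage3: signature rejected"
        # Stage 4: execution (simulated here; a real handler would run cmd)
        return True, f"{self.name} executes: {cmd.decode(errors='replace')}"

RC4_KEY = b"shared-rc4-key"        # assumed: the same RC4 key baked into both handlers
PUB_A, PRIV_A = make_rsa_key((1 << 61) - 1, (1 << 89) - 1)
PUB_B, PRIV_B = make_rsa_key((1 << 31) - 1, (1 << 107) - 1)
HANDLER_A = AshxHandler("a.ashx", RC4_KEY, PUB_A)
HANDLER_B = AshxHandler("b.ashx", RC4_KEY, PUB_B)

if __name__ == "__main__":
    req = build_request(RC4_KEY, PRIV_A, "whoami")
    print(HANDLER_A.process(req))   # accepted
    print(HANDLER_B.process(req))   # rejected at stage 3: different public key
```

The point to notice is that even with the RC4 key shared, a request built for handler A is rejected by handler B at stage three, so an analyst who recovers one handler's private key still cannot drive the other. Note also that every rejection happens before execution, which is why the page's advice to flag encrypted or non-standard responses from .ashx endpoints matters: the request side looks like opaque base64 and gives a WAF nothing to match on.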

To stay hidden, all three shells timestomp themselves: each scans the files around it, computes the median last-modified timestamp, and backdates its own metadata to match, so it blends in with the legitimate content.
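The sibling-median timestomp described above, as an added Python example that is not the actor's code or ReliaQuest's. It drops a dummy .aspx among constructed, older siblings in a temporary directory and backdates it to their median modification time; the file names and ages are made up for the demonstration.

```python
from __future__ import annotations
import os
import statistics
import tempfile
import time
from pathlib import Path

def median_sibling_mtime(target: Path) -> float | None:
    """Median last-modified time of the other regular files in target's directory."""
    mtimes = [p.stat().st_mtime for p in target.parent.iterdir()
              if p.is_file() and p != target]
    return statistics.median(mtimes) if mtimes else None

def blend_in(target: Path) -> float | None:
    """Backdate target's access and modification times to the sibling median.
    Only the timestamps change; the file content is untouched."""
    m = median_sibling_mtime(target)
    if m is not None:
        os.utime(target, (m, m))
    return m

def demo() -> tuple[float, float, float]:
    """Drop a fresh .aspx among older siblings; return (mtime before, after, median)."""
    with tempfile.TemporaryDirectory() as d:
        base = time.time() - 90 * 86400            # constructed: siblings ~90 days old
        for i, name in enumerate(["default.aspx", "web.config", "site.css", "logo.png"]):
            p = Path(d, name)
            p.write_text("placeholder")
            os.utime(p, (base + i * 86400, base + i * 86400))   # one day apart
        shell = Path(d, "upload.aspx")
        shell.write_text('<%@ Page Language="C#" %>')          # constructed dummy
        before = shell.stat().st_mtime
        median = blend_in(shell)
        return before, shell.stat().st_mtime, median

if __name__ == "__main__":
    before, after, median = demo()
    print(f"before={before:.0f} after={after:.0f} median={median:.0f}")
```

For defenders the caveat is that this rewrites only the timestamps an ordinary API exposes. On NTFS that is the $STANDARD_INFORMATION set; the $FILE_NAME timestamps in the MFT record and the USN change journal still carry the real drop time, and so does the assembly that ASP.NET compiles into its temporary files directory the first time the page is requested.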

Furthermore, when endpoint protection killed the w3wp.exe worker process hosting the implant, IIS's automatic worker-process restart brought a new w3wp.exe up immediately and the tooling was reloaded into it, so process termination on its own was ineffective.

OP-512 is the fourth China-aligned cluster observed targeting IIS servers in the past year, joining DragonRank, CL-STA-0048, and GhostRedirector.

DMZ-positioned IIS servers remain attractive targets because they sit at the network boundary and have historically been monitored less closely than core infrastructure.

OP-512 and CL-STA-0048 both use rare hex-encoded subdomain queries for covert signalling, but for different purposes: CL-STA-0048 uses the technique for data exfiltration, whereas OP-512 uses it only to report where its shells have been deployed.

In addition, base64-encoded whoami commands recovered from this incident exactly matched those seen in a known Flax Typhoon compromise.

Even so, ReliaQuest assesses with moderate to high confidence that OP-512 is an independent cluster, distinguished by its unusual investment in layered RSA and RC4 authentication.

Indicators of Compromise (IOCs)

Artifact                   Details
ashx.lhlsjcb[.]com         DNS C2 domain observed during earlier activity on the same host, about 75 days before the primary incident. The use of a domain different from the later intrusion's (hcgos[.]com) suggests infrastructure rotation between visits.
hcgos[.]com                DNS C2 domain used by the self-reporting notification channel. In logs, look for the subdomain pattern a..c.hcgos[.]com.
43.160.202[.]246:8053      Meterpreter C2 server on a non-standard port.
140.206.161[.]227:443      Outbound connection from the compromised host.
124.156.129[.]151          Source IP for web shell interaction. High-signal because of the combination of a python-requests/2.33.0 user agent, POST requests to upload paths containing .aspx files, and timing aligned with the web shell deployment window. The user agent alone is not a reliable indicator.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Mitigation

  • Monitor outbound DNS from w3wp.exe for long, hex-segmented subdomains (a run of labels made up only of hex characters beneath an unfamiliar domain).
  • Alert on reflective .NET assembly loading inside IIS worker processes, which can indicate memory-only privilege-escalation tools such as the Potato Suite.
  • Track new DLLs appearing in ASP.NET temporary compilation directories (Temporary ASP.NET Files) outside approved deployment windows; a freshly compiled .aspx or .ashx leaves one behind even when the source file has been timestomped.
  • Flag encrypted or otherwise non-standard HTTP responses originating from .ashx endpoints.
  • Fast-track migration off end-of-life .NET versions, and remove .aspx/.ashx handler mappings (or script execution altogether) from upload directories.
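For the self-reporting DNS channel described earlier and the first mitigation bullet, here is an added Python detection that is not part of the ReliaQuest report. It reconstructs the shape of a hex-segmented query (hex-encoded URL chopped into DNS labels under a C2 domain) only to build constructed sample telemetry, then scans tab-separated "<time> <image path> <query>" lines, a made-up layout loosely modelled on the Image and QueryName fields of Sysmon Event ID 22, for such queries issued by w3wp.exe. The C2 domain c2.invalid, the host 10.0.0.5, the timestamps, and the 32-hex-character threshold are all assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

HEX_LABEL = re.compile(r"^[0-9a-f]+$")
MIN_HEX_CHARS = 32          # assumed threshold: 16 bytes of payload; tune per environment

def encode_beacon(url: str, c2_domain: str, label_len: int = 60) -> str:
    """Shape of the self-report: hex(url) chopped into DNS labels under the C2 domain.
    Illustrative reconstruction for building samples, not the actor's code."""
    h = url.encode().hex()
    return ".".join([h[i:i + label_len] for i in range(0, len(h), label_len)] + [c2_domain])

def decode_hex_labels(query: str, suffix_labels: int = 2) -> str | None:
    """If every label below the registrable domain is hex and the payload is long
    enough, return it decoded; otherwise None. suffix_labels=2 assumes a plain
    second-level C2 domain like hcgos[.]com."""
    labels = query.lower().rstrip(".").split(".")
    payload = labels[:-suffix_labels]
    if not payload or not all(HEX_LABEL.match(l) for l in payload):
        return None
    hexstr = "".join(payload)
    if len(hexstr) % 2 or len(hexstr) < MIN_HEX_CHARS:
        return None
    return bytes.fromhex(hexstr).decode("ascii", errors="replace")

@dataclass
class Hit:
    timestamp: str
    image: str
    query: str
    decoded: str

def find_hex_beacons(log_text: str, process_name: str = "w3wp.exe") -> list[Hit]:
    """Scan '<time>\\t<image path>\\t<query>' lines for hex-segmented queries
    issued by the named process (the IIS worker process by default)."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, query = line.split("\t", 2)
        if image.lower().rsplit("\\", 1)[-1] != process_name.lower():
            continue
        decoded = decode_hex_labels(query)
        if decoded is not None:
            hits.append(Hit(ts, image, query, decoded))
    return hits

# --- constructed sample telemetry: no real hosts or C2 infrastructure ---
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SHELL_URL = "http://10.0.0.5/content/uploads/upload.aspx"
BEACON = encode_beacon(SHELL_URL, "c2.invalid")
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2025-01-08T10:12:01Z", W3WP, "crl.example.com"),
    ("2025-01-08T10:12:03Z", W3WP, BEACON),
    ("2025-01-08T10:12:05Z", SVCHOST, BEACON),               # other process: not w3wp.exe
    ("2025-01-08T10:12:07Z", W3WP, "deadbeef.example.net"),  # hex label, but far too short
])

if __name__ == "__main__":
    for h in find_hex_beacons(SAMPLE_LOG):
        print(f"{h.timestamp} {h.query} -> {h.decoded}")
```

The decoded value is what makes this high-signal: a hex-segmented query from the IIS worker process that decodes to a URL ending in .aspx tells the analyst which shell just went live and where. Expect occasional hex-looking hostnames from CDNs and hash-named assets; the process filter and the length threshold do most of the work, so feed the detector Sysmon DNS events (or Windows DNS client logs) that carry the originating image rather than resolver logs alone.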
