Elastic Security Labs has detailed a long-running campaign in which attackers used publicly available ASP.NET machine keys to break into Windows IIS web servers.
These keys are supposed to be unique secrets that protect each web app, but many were copied from public sources such as Microsoft documentation and online forums, so anyone who knew them could forge signed data and get the server to run their code.
The intrusion set, tracked as REF3927, then installed a malicious IIS module called TOLLBOOTH to hijack traffic and make money by manipulating search rankings.
This isn't new; Microsoft first warned about the technique in February 2025, and AhnLab published more details in April. Researchers assess that the same Chinese-speaking operators are hitting servers worldwide, from small sites to large companies, without picking specific targets.
Elastic Security Labs, working with the scanning firm Validin, found over 570 infected servers across many countries but none in China, which the researchers read as the operators avoiding trouble at home.
The Malicious TOLLBOOTH Tool
The attackers start by finding IIS servers with weak setups, where the ASP.NET machine keys (the validation and decryption keys the framework uses to sign and encrypt per-user data such as forms-authentication cookies) were copied from a public source instead of being generated fresh.

These keys also protect ViewState, the hidden form field ASP.NET pages use to remember control state between requests. ViewState is a serialized object, and the server trusts it as long as its MAC checks out.
If the validation key leaks, an attacker can serialize a malicious object, sign it with the leaked key, and send it in a single web request; the server accepts the signature, deserializes the payload, and runs the attacker's commands.
Once inside, the attackers drop a webshell based on the Godzilla tool, a fork called Z-Godzilla_ekp, which lets them run commands, steal credentials, and scan the network while blending its traffic in with normal web requests.

They tried to create admin accounts and run Mimikatz to dump more credentials, but endpoint defenses, including Elastic's, blocked some of those moves.
To stay hidden, they loaded a modified build of the open-source Hidden rootkit, which conceals files, processes, and registry entries from the operating system.
The big payoff for these hackers is TOLLBOOTH, a sneaky add-on for IIS that cloaks harmful content from search engines while showing junk to regular users, Elastic Security Labs said.
It inspects request details such as the User-Agent header and serves keyword-stuffed pages to crawlers like Googlebot, pushing attacker-controlled sites up the search results so that users who click through land on scam pages.
This SEO trick builds a web of infected sites linking to each other, inflating rankings across the board. TOLLBOOTH also has a built-in webshell for uploading files and running commands, plus debug endpoints the operators use to check on the server.
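One practical way to check a site for the cloaking behaviour described above is to fetch the same URL once as a browser and once with a crawler User-Agent and compare the two renderings. The following is an added example written for this article, not TOLLBOOTH code and not Elastic's tooling; the two HTML responses and the host names in it are constructed to stand in for what such fetches might return.

```python
# Added example (not TOLLBOOTH code and not Elastic's tooling): compare the
# browser rendering of a URL with the rendering served to a crawler User-Agent.
# Both responses below are constructed for this example.
import re
from urllib.parse import urlparse

# Constructed: what a normal visitor sees.
AS_BROWSER = """<html><head><title>Acme Widgets</title></head>
<body><h1>Acme Widgets</h1><p>Industrial widgets since 1998.</p>
<a href="/catalog">Catalog</a> <a href="https://www.acme-widgets.example/about">About</a></body></html>"""

# Constructed: what the same URL serves when the User-Agent claims to be Googlebot.
AS_GOOGLEBOT = """<html><head><title>casino online best casino bonus free spins</title></head>
<body><h1>online casino bonus</h1><p>best online casino free spins casino bonus casino</p>
<a href="https://win-big.example/">casino</a> <a href="https://spin-now.example/">bonus</a>
<a href="https://jackpot-today.example/">jackpot</a></body></html>"""

# User-Agent string to send for the crawler fetch in a live check.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def visible_words(html: str) -> set:
    """Crude text extraction: strip tags, keep lowercase alphanumeric tokens."""
    text = re.sub(r"<[^>]+>", " ", html)
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def external_hosts(html: str, own_host: str) -> set:
    """Hostnames linked from the page other than the site's own host."""
    hosts = {urlparse(h).hostname for h in re.findall(r'href="([^"]+)"', html)}
    return {h for h in hosts if h and h != own_host}


def cloaking_report(browser_html: str, crawler_html: str, own_host: str) -> dict:
    """Low word overlap plus outbound links that only the crawler sees is the tell."""
    a, b = visible_words(browser_html), visible_words(crawler_html)
    jaccard = len(a & b) / len(a | b) if (a | b) else 1.0
    injected = external_hosts(crawler_html, own_host) - external_hosts(browser_html, own_host)
    return {
        "similarity": round(jaccard, 2),
        "injected_hosts": sorted(injected),
        "cloaked": jaccard < 0.5 and len(injected) > 0,
    }


if __name__ == "__main__":
    print(cloaking_report(AS_BROWSER, AS_GOOGLEBOT, "www.acme-widgets.example"))
```

For a live check, fetch the page twice, once with your normal client and once with `CRAWLER_UA` as the User-Agent, and pass both bodies to `cloaking_report`. One caveat: a module that keys its cloaking on more than the User-Agent (crawler IP ranges, for example) will not be triggered by a header swap alone, so a clean result from this check is not proof that the server is clean.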
It pulls its configuration from a control server at c[.]cseo99.com and caches it in temp folders on the victim machine. In one case, Texas A&M's team caught it early during managed detection services, stopping the full takeover.
The campaign hit servers everywhere except China, across industries from finance to tech, which points to a broad sweep driven by automated scanning for known keys rather than a targeted operation.
Many victims got reinfected after cleanup because they never rotated the machine keys, leaving the door open. To fix it, admins must generate new machine keys (and deploy the same new keys to every server in a web farm that shares them), remove the malware, and watch for unusual web traffic or unexpected IIS modules.
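The rotation step is easy to get wrong, so here is an added example, written for this article and not taken from Elastic or Microsoft, that audits a web.config for a static `<machineKey>`, fingerprints it against a list of keys known to have been published, and writes a replacement element with freshly generated random keys. The web.config text and the "published key" fingerprint list are constructed for the example; in practice you would populate the list from the public sources the article mentions.

```python
# Added example (not Elastic's or Microsoft's code): audit an ASP.NET web.config
# for a static <machineKey>, compare it against known-published keys, and
# generate a replacement. The config and the fingerprint list are constructed.
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config with a static key copied from somewhere public.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Hypothetical blocklist: SHA-256 of uppercase validationKey hex strings that a
# team has collected from public sources. Its one entry matches the sample above.
PUBLISHED_KEY_FINGERPRINTS = {
    hashlib.sha256(b"0123456789ABCDEF" * 4).hexdigest(),
}


def fingerprint(hex_key: str) -> str:
    """Stable fingerprint so keys can be compared without storing them in clear."""
    return hashlib.sha256(hex_key.strip().upper().encode()).hexdigest()


def audit_machine_key(web_config_xml: str) -> dict:
    """Report whether the config pins static keys and whether they are known-published."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element: ASP.NET auto-generates per-machine keys, the safe default for a
        # single server (it breaks ViewState across a web farm, which is why people pin keys).
        return {"present": False, "static": False, "published": False}
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    static = not (vkey.startswith("AutoGenerate") or dkey.startswith("AutoGenerate"))
    published = static and fingerprint(vkey) in PUBLISHED_KEY_FINGERPRINTS
    return {"present": True, "static": static, "published": published,
            "validation": mk.get("validation"), "decryption": mk.get("decryption")}


def generate_machine_key() -> str:
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    vkey = secrets.token_hex(64).upper()
    dkey = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            f'validation="HMACSHA256" decryption="AES" />')


def rotate(web_config_xml: str) -> str:
    """Replace an existing self-closing <machineKey .../> element with new keys."""
    new_elem = generate_machine_key()
    rotated, n = re.subn(r"<machineKey\b[^>]*/>", new_elem, web_config_xml, count=1)
    if n == 0:
        raise ValueError("no self-closing <machineKey/> element found")
    return rotated


if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print(audit_machine_key(rotate(SAMPLE_WEB_CONFIG)))
```

Run the audit over every web.config on the server (and the machine-level machine.config, which can also carry a `<machineKey>`), rotate any static key, and remember that every server in a farm must receive the same new values or ViewState and authentication cookies will stop validating across nodes. Rotating the key invalidates existing forms-authentication tickets, so expect users to be logged out.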
