A sophisticated cyberattack campaign targeting Microsoft Internet Information Services (IIS) servers has emerged, exploiting decades-old security vulnerabilities to deploy malicious modules that enable remote command execution and search engine optimization fraud.
The operation, which came to light in late August and early September 2025, leverages publicly exposed ASP.NET machine keys to compromise servers worldwide, affecting approximately 240 server IP addresses and 280 domain names across diverse sectors including government agencies, small businesses, and e-commerce platforms.
The attackers exploit a critical weakness in ASP.NET viewstate deserialization by utilizing machine keys that have been publicly available since 2003.
These cryptographic secrets, originally published in a Microsoft Developer Network help page as configuration examples, were inadvertently adopted by countless administrators who implemented them verbatim in production environments.
Microsoft had previously identified over 3,000 such exposed machine keys in code repositories and programming forums, creating a substantial pool of vulnerable targets.
Once attackers obtain these keys, they can manipulate viewstate data to execute arbitrary code on targeted servers without requiring any additional credentials.
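One check a defender can run against the weakness described above is an audit of web.config for a hard-coded machineKey. The script below is an added example, not code from the article or from HarfangLab; the sample config, the key values and the fingerprint blocklist are all constructed placeholders, not the real 2003 MSDN keys.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config with a hard-coded <machineKey>. The key values
# are placeholders made up for this example, not the keys from the old MSDN page.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def fingerprint(key: str) -> str:
    """SHA-256 of the normalised key, so the blocklist never stores raw keys."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


# Hypothetical blocklist of fingerprints for keys known to be public. Populate it
# from your own inventory; here it holds only the constructed validationKey above.
KNOWN_EXPOSED_FINGERPRINTS = {
    fingerprint("0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"),
}


def audit_machine_key(web_config_xml: str) -> list:
    """Return (attribute, verdict) pairs for every <machineKey> in the config.

    Verdicts: KNOWN_PUBLIC_KEY - matches the blocklist, rotate immediately
              STATIC_KEY       - hard-coded but not in the blocklist, review
    An AutoGenerate value produces no finding; a missing <machineKey> element
    means the keys are inherited from machine.config and also produces none.
    """
    root = ET.fromstring(web_config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue
            known = fingerprint(value) in KNOWN_EXPOSED_FINGERPRINTS
            findings.append((attr, "KNOWN_PUBLIC_KEY" if known else "STATIC_KEY"))
    return findings


if __name__ == "__main__":
    for attr, verdict in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(f"{attr}: {verdict}")
```

Any STATIC_KEY finding on a production host still deserves rotation if the same key also appears in a repository or forum post, since that is exactly how the keys in this campaign leaked.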
HarfangLab analysts identified the malicious module, designated HijackServer, during routine security monitoring of compromised IIS servers.
The infection chain demonstrates considerable sophistication, beginning with initial exploitation through POST requests targeting ASP.NET applications.
Logs from compromised systems revealed multiple suspicious requests with Chinese language settings (zh-tw) hitting root pages of vulnerable applications.
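The log pattern described above (POST requests to root pages carrying a zh-tw language header) can be turned into a triage filter over W3C-format IIS logs. The script below is an added example, not from the article; the log excerpt is constructed, and it assumes Accept-Language has been added as a custom logging field, since the default IIS field set does not record it.

```python
from collections import Counter

# Constructed W3C-format IIS log excerpt. cs(Accept-Language) is NOT in the
# default IIS field set; it is assumed here to have been added as a custom
# logging field (IIS 8.5+ custom fields, source type RequestHeader).
# IIS writes '+' for spaces inside field values, so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Accept-Language) sc-status
2025-08-28 03:14:07 10.0.0.5 GET /default.aspx - 203.0.113.7 Mozilla/5.0 en-US 200
2025-08-28 03:14:09 10.0.0.5 POST / - 198.51.100.23 Mozilla/5.0 zh-tw 200
2025-08-28 03:14:11 10.0.0.5 POST /default.aspx - 198.51.100.23 Mozilla/5.0 zh-tw 500
2025-08-28 03:15:40 10.0.0.5 GET /images/logo.png - 203.0.113.7 Mozilla/5.0 en-US 200
2025-08-28 03:16:02 10.0.0.5 POST /api/login - 203.0.113.9 Mozilla/5.0 en-US 200
"""


def parse_w3c(log_text: str):
    """Yield one dict per entry, keyed by the column names from the #Fields line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_root_page(stem: str) -> bool:
    """'/' or a single top-level .aspx page, where ViewState POSTs normally land."""
    return stem == "/" or (stem.count("/") == 1 and stem.lower().endswith(".aspx"))


def find_viewstate_probe_candidates(log_text: str) -> list:
    """POSTs to a root page whose Accept-Language starts with zh-tw, as in the report."""
    hits = []
    for entry in parse_w3c(log_text):
        if (entry.get("cs-method") == "POST"
                and is_root_page(entry.get("cs-uri-stem", ""))
                and entry.get("cs(Accept-Language)", "").lower().startswith("zh-tw")):
            hits.append(entry)
    return hits


def hits_per_client(log_text: str) -> Counter:
    """Count candidate requests per source address to spot a single probing host."""
    return Counter(entry["c-ip"] for entry in find_viewstate_probe_candidates(log_text))


if __name__ == "__main__":
    for ip, count in hits_per_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} candidate request(s)")
```

A single match proves nothing on its own; the filter is meant to surface hosts whose results are then checked for the module and directory artifacts described later in the article.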
The attackers subsequently deployed a comprehensive toolkit archived as sys-tw-v1.6.1-clean-log.zip, containing 32-bit and 64-bit variants of the malicious IIS modules, installation scripts, and a customized rootkit derived from the open-source Hidden project.
Following initial access, threat actors employed privilege escalation techniques known as EfsPotato and DeadPotato to create hidden local administrator accounts.
They then installed two malicious DLL files, scripts.dll and caches.dll, as IIS modules named ScriptsModule and IsapiCachesModule respectively.
These modules operate at the earliest processing stage of HTTP requests, intercepting traffic before legitimate applications can respond.
The installation process included establishing a working directory at C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C and configuring the modules to download additional components from staging servers at c.cseo99[.]com and f.fseo99[.]com.
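Because the modules are registered as native IIS modules, their presence is recorded in applicationHost.config. The script below is an added example, not from the article, that audits the globalModules section for the module names and DLL names reported here and for any native module loaded from outside the inetsrv directory; the config fragment and the Temp directory name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment: two legitimate native modules
# plus the two module names from the HijackServer report, registered from a
# DLL path under C:\Windows\Temp (the directory name here is made up).
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ScriptsModule" image="C:\Windows\Temp\_EXAMPLE-DIR\scripts.dll" />
      <add name="IsapiCachesModule" image="C:\Windows\Temp\_EXAMPLE-DIR\caches.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Directories from which native IIS modules are normally loaded (lower-cased).
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework",
)
# Module names and DLL file names reported for this campaign.
REPORTED_NAMES = {"scriptsmodule", "isapicachesmodule"}
REPORTED_FILES = {"scripts.dll", "caches.dll"}


def audit_global_modules(apphost_xml: str) -> list:
    """Return (module name, image path, reasons) for every suspicious native module."""
    root = ET.fromstring(apphost_xml)
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            low = image.lower()
            reasons = []
            if name.lower() in REPORTED_NAMES:
                reasons.append("reported-module-name")
            if low.rsplit("\\", 1)[-1] in REPORTED_FILES:
                reasons.append("reported-dll-name")
            if not low.startswith(TRUSTED_PREFIXES):
                reasons.append("image-outside-inetsrv")
            if "\\temp\\" in low:
                reasons.append("loaded-from-temp")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_APPHOST):
        print(f"{name} <- {image}: {', '.join(reasons)}")
```

On a live host, read %windir%\System32\inetsrv\config\applicationHost.config into the function; note that the rootkit described below may hide the DLL files themselves, so the config entry can be the only visible trace.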
Persistence and Detection Evasion Through Rootkit Deployment
The attackers demonstrated advanced operational security awareness by deploying a customized Windows kernel driver rootkit to conceal their presence.
The Wingtb.sys driver, a modified version of the publicly available Hidden rootkit, operates as a signed kernel component using an expired certificate from Anneng Electronic Co. Ltd.
Despite the certificate’s expiration in 2014, it remains loadable on modern Windows systems due to Microsoft’s driver signing policy exceptions for certificates issued before July 2015.
The rootkit provides comprehensive hiding capabilities for files, registry keys, and processes, managed through a companion command-line tool, WingtbCLI.exe, whose commands are named in romanized (transliterated) Chinese.
The post-installation script lock.bat systematically conceals critical artifacts including the deployed IIS module files, modified application configuration files, and the rootkit’s registry service key.
Perhaps most notably, the script clears every Windows event log using the command: for /f "tokens=*" %%1 in ('wevtutil el') do wevtutil cl "%%1" (wevtutil el enumerates all log names and wevtutil cl clears each one in turn).
This noisy anti-forensics technique contradicts the otherwise stealthy approach of using a rootkit, potentially indicating operational security inconsistencies or the work of less experienced operators deploying pre-packaged tools.
The HijackServer module’s primary purpose appears focused on search engine optimization fraud for cryptocurrency investment schemes.
When Google’s web crawler requests pages from compromised servers, the module dynamically generates HTML content containing numerous links to dubious cryptocurrency websites.
These generated pages successfully appear in legitimate Google search results, demonstrating the effectiveness of the poisoning technique.
However, the module also exposes an unauthenticated remote command execution capability through the /scjg URL path, creating a persistent backdoor that any third party could exploit regardless of whether they coordinated with the original attackers.
This functionality transforms what might appear as financially motivated SEO fraud into a far more serious security compromise with potential espionage implications.