SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
New China-linked OP-512 cluster targets old IIS servers

Thu, 11th Jun 2026

ReliaQuest has identified a new China-linked threat cluster, which it calls OP-512. The cyber security company uncovered the group after artificial intelligence correlated suspicious activity on a customer network.

Researchers said the intrusion centred on a compromised Internet Information Services web server at an organisation whose sector and location aligned with Chinese intelligence priorities. They assessed with moderate-high confidence that the activity was espionage and that the tools and infrastructure did not match any previously identified actor.

The case adds to growing evidence that China-linked attackers are focusing on older IIS servers, particularly those exposed to the internet and running outdated Microsoft software. OP-512 is at least the fourth publicly documented China-linked cluster to target IIS servers in the past year.

IIS servers often sit in a demilitarised zone between public-facing systems and internal corporate networks. That position can make them a useful stepping stone for operators seeking a path deeper into an organisation while avoiding the level of scrutiny placed on core systems.

According to the investigation, the targeted server had shown signs of suspicious access 75 days before the main incident. The attacker then returned and, within a short period, deployed web shells, created multiple command channels, attempted to raise privileges and began probing an adjacent server.

The victim server was running Windows Server 2016 with .NET Framework 4.0, which has not received security updates for years. Although the exact initial access route was not conclusively established, ReliaQuest described the legacy framework on an internet-facing host as a plausible attack surface.

Custom tooling

At the centre of the activity was a custom framework of three web shells, malicious files that allow remote access through a browser. One handled file management and automatically reported its own location back to attacker infrastructure, while the other two acted as command handlers.

Researchers said each deployment was generated in a unique form, making signature-based detection ineffective. They also said the command handlers used RSA and RC4 authentication, meaning only an operator with the correct private key could issue commands.

That design has practical implications for defenders. Security teams may detect the file or the traffic pattern, but they cannot simply interact with the implant to understand or control it without the key material held by the attacker.

The web shells also altered their own timestamps to blend in with surrounding files. That can make a newly planted file appear to have existed on a server for years, complicating forensic review.

Why it stands out

ReliaQuest compared OP-512 with other China-linked groups that have recently targeted IIS infrastructure, including activity tracked as CL-STA-0048 and operations associated with GhostRedirector and DragonRank. It found some tactical overlap, especially the use of encoded DNS subdomain queries, but said the purpose and design of OP-512's tooling were different.

One notable feature was that the initial web shell automatically sent its own URL to attacker-controlled infrastructure through a DNS request. If that route failed, it could fall back to an HTTP request to a separate server. ReliaQuest said this allowed the operator to plant the web shell and rely on the infrastructure to catalogue where it had landed.
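The DNS beacon described above, an encoded subdomain carrying data to attacker infrastructure, is the pattern the article's closing advice to monitor unusual DNS activity is aimed at. The following is an added example, not ReliaQuest's or the article's code: a small Python detector run over constructed DNS query log lines that flags long, high-entropy hex or base32-looking labels and groups them per client and parent domain; the log format, the thresholds and the resolver-example.test names are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp, client, queried name); the long
# labels under resolver-example.test stand in for encoded beacons, not real IoCs.
SAMPLE_LOG = """\
2026-06-09T10:01:02Z 10.20.30.40 www.microsoft.com
2026-06-09T10:01:05Z 10.20.30.40 3f9a1c77e0b24d5ab8c61e02f7d4a9b3.resolver-example.test
2026-06-09T10:01:06Z 10.20.30.40 91d0e4ab27c5f38b6a1e09d2c47f5b80.resolver-example.test
2026-06-09T10:01:09Z 10.20.30.40 cdn.example-corp.com
2026-06-09T10:02:11Z 10.20.30.41 mail.example-corp.com
2026-06-09T10:03:40Z 10.20.30.40 c8b7a6d5e4f3021938475665748392ab.resolver-example.test
"""

HEX_OR_B32 = re.compile(r"^(?:[0-9a-f]+|[a-z2-7]+)$")  # charsets encoders commonly use

def shannon_entropy(s: str) -> float:
    """Bits per character; hostnames sit low, encoded data near 3.5-4 for hex."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_domain(name: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def suspicious_labels(name: str, min_len: int = 24) -> list:
    """Subdomain labels that look like encoded data rather than hostnames."""
    labels = name.lower().rstrip(".").split(".")[:-2]
    flagged = []
    for lab in labels:
        if len(lab) >= min_len and HEX_OR_B32.match(lab) and shannon_entropy(lab) > 3.0:
            flagged.append(lab)
    return flagged

def score_dns_log(text: str, min_unique: int = 3) -> dict:
    """Group flagged queries by (client, parent domain) and keep only pairs with
    at least min_unique distinct encoded labels; a single long name is common noise."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        for lab in suspicious_labels(qname):
            seen[(client, parent_domain(qname))].add(lab)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_unique}
```

A single flagged label is not an incident; the per-client count of distinct encoded labels against one parent domain is what separates a beacon from an oddly named CDN host.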

The researchers argued that this level of customisation and operational discipline went beyond the commodity tools more often seen in financially motivated campaigns. They said the framework showed a level of investment more consistent with a state-aligned espionage operation.

Detection challenge

The attack also exposed the limits of endpoint prevention on its own. Security software terminated a malicious process through behavioural prevention, but the IIS service automatically restarted worker processes after they were killed, allowing the attacker's tooling to reload within minutes.

That meant the malicious activity persisted unless responders isolated the host itself. The episode illustrates how attackers can exploit routine application behaviour to survive partial containment.

Researchers also recovered four malicious dynamic link library files from an ASP.NET temporary compilation directory. Those files were generated automatically when the malicious .aspx and .ashx pages were first accessed. Even if the original web shell files were later removed, the compiled artefacts could remain on the system.

For incident response teams, that creates an extra layer of work. They must inspect and clear the temporary compilation paths as well as remove the visible web shells, or risk leaving behind forensic traces and possible reactivation points.
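One way to do the compilation-directory check described above, written as an added example in Python (not the article's or ReliaQuest's code, and meant for an analyst working over a copied directory tree rather than live on the host): it parses the .compiled manifests ASP.NET leaves beside each App_Web_*.dll to map assemblies back to their source pages, reports artefacts whose source page is gone, and applies a whole-second timestamp heuristic to the surviving handlers as a timestomp check. The directory layout, file names, hashes and timestamps are constructed; the manifest attributes (virtualPath, assembly) are the real ones.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

HANDLER_EXT = {".aspx", ".ashx", ".asmx"}

def build_sample_tree(base: Path) -> tuple:
    """Constructed layout: a web root plus the per-app compilation directory where
    ASP.NET writes an App_Web_*.dll and a *.compiled manifest for each page."""
    webroot = base / "wwwroot"
    tmp = base / "Temporary ASP.NET Files" / "root" / "a1b2c3d4" / "e5f6a7b8"
    webroot.mkdir()
    tmp.mkdir(parents=True)
    (webroot / "Default.aspx").write_text("<%@ Page %>")
    (webroot / "upload.ashx").write_text("<%@ WebHandler %>")
    old = 1546300800 * 10**9  # 2019-01-01T00:00:00Z, whole second, as a timestomp leaves it
    os.utime(webroot / "upload.ashx", ns=(old, old))
    manifests = {"App_Web_default.aspx.cdcab7d2": "/Default.aspx",
                 "App_Web_upload.ashx.9e1f0a3c": "/upload.ashx",
                 "App_Web_x.aspx.77aa11bb": "/x.aspx"}  # source deleted, DLL still present
    for asm, vpath in manifests.items():
        name = vpath.lstrip("/").lower()
        (tmp / f"{name}.compiled").write_text(
            f'<preserve resultType="3" virtualPath="{vpath}" assembly="{asm}" />')
        (tmp / f"{asm}.dll").write_bytes(b"MZ")
    return webroot, tmp

def triage_compiled(webroot: Path, tmp: Path) -> dict:
    """Map each compiled artefact to its virtual path; flag artefacts whose source
    page is gone (they survive web-shell removal) and handlers with whole-second mtimes."""
    findings = {"orphaned": [], "timestomp_suspect": []}
    for manifest in sorted(tmp.rglob("*.compiled")):
        root = ET.parse(manifest).getroot()
        vpath, asm = root.get("virtualPath", ""), root.get("assembly", "")
        src = webroot / vpath.lstrip("/")
        if not src.exists():
            findings["orphaned"].append(f"{asm}.dll")
            continue
        # NTFS (100 ns ticks) and most Linux filesystems keep sub-second precision;
        # a modification time landing exactly on a second is a classic timestomp tell.
        if src.suffix.lower() in HANDLER_EXT and src.stat().st_mtime_ns % 10**9 == 0:
            findings["timestomp_suspect"].append(vpath)
    return findings

def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        webroot, tmp = build_sample_tree(Path(d))
        return triage_compiled(webroot, tmp)
```

Call run_demo() to see the findings; against a real collection, point triage_compiled at the copied web root and the matching Temporary ASP.NET Files subtree, and treat every orphaned DLL as something to acquire before it is cleared.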

Broader pattern

The case reflects a wider concern in cyber security over the number of internet-facing business systems still running unsupported software. Legacy .NET deployments remain common in older web applications, particularly in organisations where migration has been delayed by cost, complexity or operational risk.

ReliaQuest said defenders should prioritise retiring or isolating end-of-life .NET frameworks on internet-facing servers, lock down upload directories and monitor unusual DNS activity and reflective .NET loading inside IIS worker processes. It also said incident closure should require confirmation that the original access path has been fixed, because "Espionage clusters count on this, knowing they can return if the underlying vulnerability is still there."