China-Linked OP-512 Uses Cryptographically Unique Web Shells in Patient IIS Server Espionage Campaign

dark6 9 June 2026

Security researchers at ReliaQuest have uncovered a previously undocumented China-linked threat cluster, designated OP-512, that has been targeting Internet Information Services (IIS) web servers using a sophisticated, custom-built web shell framework. The group’s hallmark is patient, methodical access: investigators found the attacker first accessed the targeted server 75 days before launching its full intrusion.

Discovery by Agentic AI

The OP-512 cluster was identified after ReliaQuest’s agentic AI system stitched together a high volume of seemingly unrelated suspicious events into a single high-priority incident. Human threat researchers then reviewed and validated the findings. The targeted organization’s sector and geography aligned with China-linked intelligence priorities, reinforcing the attribution. ReliaQuest assessed with moderate-high confidence that OP-512 is a new, previously undocumented actor distinct from known Chinese threat groups.

Cryptographically Unique Web Shell Framework

At the center of the operation is a three-component custom web shell framework that gives attackers remote access through a standard web browser. What makes this framework unusually dangerous is that each deployment is cryptographically unique — traditional signature-based detection tools cannot reliably identify it because every installation generates a completely different file fingerprint.

The web server’s worker process first wrote an .aspx file manager with a built-in command-and-control (C2) notification channel. Within seconds of deployment, it encoded its own URL and transmitted that location through two independent channels: a DNS query and, as a fallback, an HTTP request to a backup server linked to known Meterpreter infrastructure.

Two .ashx command handler files were then deployed to the same directory, each generated with a different cryptographic key. Recovering the key for one handler does not grant access through the other — a redundancy design that keeps the operator's access alive even if defenders identify and remove one component.

Timestomping and Anti-Forensic Techniques

The framework also employed timestomping — manipulating file timestamps to match those of legitimate files already on the server. A file planted in 2026 was made to appear as though it had existed since 2022, directly undermining the standard forensic technique of looking for recently dropped files. The targeted server was running Windows Server 2016 with a .NET Framework version that has not received security updates since 2016.
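Because timestomping targets the "what was dropped recently" triage step, the more robust check ignores timestamps altogether and compares the web root against a known-good content baseline. The following is an added example (not ReliaQuest's tooling or anything from the campaign) that hashes every file under a web root, stores that as a baseline, and later flags anything new or changed; it also runs the naive modification-time search to show that the planted file slips past it. The web root, the file names, the handler extension list and the timestamp values are constructed for the demo, and the same diff serves the later recommendation to watch ASP.NET compilation directories for unexpected file creation.

```python
"""Baseline-diff check for planted IIS handler files (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from pathlib import Path

# Extensions IIS/ASP.NET hands to a script handler (assumed list for the demo).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_inventory(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_inventory(baseline: dict[str, str], current: dict[str, str]) -> list[dict]:
    """Files absent from the baseline or with a different hash; timestamps are never consulted."""
    findings = []
    for rel, digest in sorted(current.items()):
        reason = None
        if rel not in baseline:
            reason = "new file"
        elif baseline[rel] != digest:
            reason = "content changed"
        if reason:
            findings.append({
                "path": rel,
                "reason": reason,
                # A new server-side script is the case to escalate first.
                "executable": Path(rel).suffix.lower() in SCRIPT_EXTENSIONS,
            })
    return findings


def recently_modified(root: Path, since_epoch: float) -> list[str]:
    """The naive triage check that timestomping is designed to evade."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime >= since_epoch
    )


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then plant a handler
    and rewrite its timestamps to 2022, as the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "default.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "uploads").mkdir()
        (root / "uploads" / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        baseline = build_inventory(root)

        planted = root / "uploads" / "helper.ashx"
        planted.write_text("placeholder content, not a real handler")
        jan_2022 = 1640995200  # 2022-01-01T00:00:00Z, constructed backdated value
        os.utime(planted, (jan_2022, jan_2022))  # timestomp atime/mtime

        return {
            "recent_by_mtime": recently_modified(root, time.time() - 3600),
            "findings": diff_inventory(baseline, build_inventory(root)),
        }


if __name__ == "__main__":
    result = demo()
    print("recent by mtime:", result["recent_by_mtime"])
    print("baseline diff:  ", result["findings"])
```

The baseline has to be taken from a known-good state, stored off the host, and refreshed on every legitimate deployment, otherwise the diff drowns in application updates. On NTFS a complementary check is to compare the $STANDARD_INFORMATION timestamps (the ones user-mode timestomping rewrites) with the $FILE_NAME timestamps in the MFT record; a file whose $STANDARD_INFORMATION creation time predates its $FILE_NAME creation time is a classic timestomping indicator.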

Privilege Escalation and Persistence

With web shells in place, OP-512 loaded four exploitation toolkits directly into the server’s process memory — a fileless technique that leaves nothing written to disk for scanners to find. Three came from the publicly known “Potato Suite,” which abuses built-in Windows services to escalate access from a limited service account to full system-level control. A fourth toolkit, labeled “GhostKit” in telemetry, has no known public documentation.

When endpoint protection terminated malicious processes, IIS automatically restarted its worker processes — causing the attacker’s tools to reload within minutes. This highlights a critical defensive gap: stopping a malicious process without isolating the host only delays, rather than stops, an attacker operating persistently through IIS.

A Growing Pattern

OP-512 is at least the fourth China-linked cluster documented targeting legacy IIS servers in the past year, confirming that outdated, internet-facing infrastructure remains a preferred entry point for state-sponsored espionage. The group’s patience — waiting 75 days between initial access and full deployment — is a hallmark of sophisticated state-aligned operations where stealth matters more than speed.

Defensive Recommendations

Organizations running legacy Windows Server or IIS environments should treat this disclosure as a call to action:

  • Retire or isolate internet-facing servers running end-of-life .NET frameworks immediately
  • Disable script execution in upload directories
  • Monitor ASP.NET compilation directories for unexpected file creation
  • Apply web application firewall (WAF) rules targeting .aspx and .ashx execution from upload paths
  • Do not close incidents until the initial entry point is confirmed and remediated — removing web shells alone does not address the underlying vulnerability
  • Implement network isolation procedures for suspected compromised hosts rather than relying solely on endpoint process termination
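The two upload-path recommendations above (disable script execution there, and apply WAF rules against .aspx and .ashx execution from upload paths) have a retrospective counterpart: the same condition can be hunted in IIS W3C logs already on disk. The following is an added example, not ReliaQuest tooling, that parses the standard IIS W3C extended log format (the `#Fields:` directive names the columns), flags requests whose URI stem is a server-side script under a directory that should only hold uploaded data, and summarizes first-seen time and request count per flagged handler. The log lines and the list of upload prefixes are constructed for the demo; map `UPLOAD_PREFIXES` to the real application's upload locations before running it against production logs.

```python
"""IIS W3C log check for script handlers executed from upload paths (added example)."""
from __future__ import annotations

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")
UPLOAD_PREFIXES = ("/uploads/", "/files/", "/attachments/")  # assumed for the demo

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-06-01 08:12:01 10.0.0.5 GET /default.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 15
2026-06-01 08:12:09 10.0.0.5 GET /uploads/report.pdf - 443 - 203.0.113.10 Mozilla/5.0 200 8
2026-06-01 08:13:40 10.0.0.5 POST /uploads/helper.ashx - 443 - 198.51.100.7 Mozilla/5.0 200 120
2026-06-01 08:13:41 10.0.0.5 GET /uploads/fm.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 95
2026-06-01 08:14:02 10.0.0.5 GET /Uploads/FM.aspx action=list 443 - 198.51.100.7 Mozilla/5.0 200 60
2026-06-01 08:15:30 10.0.0.5 GET /uploads/missing.ashx - 443 - 203.0.113.44 Mozilla/5.0 404 2
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """One dict per request line, keyed by the column names in the #Fields header."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software / #Version / #Date directives
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_upload_script(uri_stem: str) -> bool:
    stem = uri_stem.lower()  # IIS paths are case-insensitive
    return stem.endswith(SCRIPT_EXTENSIONS) and stem.startswith(UPLOAD_PREFIXES)


def find_upload_script_hits(records: list[dict[str, str]]) -> list[dict[str, str]]:
    """Every request that executed (or tried to execute) a script from an upload path."""
    return [
        {
            "time": f"{r['date']} {r['time']}",
            "client": r["c-ip"],
            "method": r["cs-method"],
            "stem": r["cs-uri-stem"].lower(),
            "status": r["sc-status"],
        }
        for r in records
        if is_upload_script(r["cs-uri-stem"])
    ]


def summarize_by_stem(hits: list[dict[str, str]]) -> dict[str, dict]:
    """First-seen time, total requests, successful (200) requests and distinct
    clients per flagged handler path. A handler that appears for the first
    time and is then served repeatedly to one client is the pattern to escalate;
    a lone 404 is more likely a scanner probing for a shell that is not there."""
    summary: dict[str, dict] = {}
    for h in hits:
        entry = summary.setdefault(
            h["stem"], {"first_seen": h["time"], "count": 0, "served": 0, "clients": set()}
        )
        entry["count"] += 1
        entry["clients"].add(h["client"])
        if h["status"] == "200":
            entry["served"] += 1
    return summary


if __name__ == "__main__":
    for stem, info in summarize_by_stem(find_upload_script_hits(parse_w3c(SAMPLE_LOG))).items():
        print(stem, info)
```

Log hunting only sees requests that reached the application, so it complements rather than replaces the preventive controls: removing the handler mappings for upload directories in IIS stops the request from ever executing, and the WAF rule catches the attempt at the edge.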
