Full Report
In June 2025 researchers documented a campaign that breaches vulnerable South-Korean IIS web servers—and sometimes adjacent Linux hosts—by uploading ASP/ASPX web shells through file-upload flaws. Once the shell is in place, the operators fan out: they run basic host discovery ...
Analysis Summary
# Incident Report: IIS Web Shell Campaign against South Korean Infrastructure
## Executive Summary
In June 2025, security researchers documented a campaign targeting South Korean organizations by exploiting file-upload flaws in web applications hosted on Internet Information Services (IIS) servers. The attackers uploaded ASP/ASPX web shells to gain initial access, ran host discovery from the compromised server and, in some intrusions, pivoted to adjacent Linux hosts. The web shells give the operators persistent remote command execution in the web server's context; the post-exploitation activity observed so far is reconnaissance of the surrounding network.
## Incident Details
- **Discovery Date:** June 2025
- **Incident Date:** Ongoing (documented June 2025)
- **Affected Organization:** Multiple undisclosed entities
- **Sector:** Cross-sector (any organization exposing an IIS-hosted application with file-upload functionality)
- **Geography:** South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** June 2025 (Reporting period)
- **Vector:** Exploitation of File-Upload Vulnerabilities
- **Details:** Threat actors identified vulnerable IIS web servers and successfully uploaded malicious ASP/ASPX web shells through insecure file-upload fields.
### Lateral Movement
- Following web shell deployment, operators performed host discovery to identify neighboring systems.
- In some intrusions, attackers pivoted from the Windows-based IIS server to adjacent Linux hosts in the same network segment.
### Data Exfiltration/Impact
- **Status:** Under investigation. The impact observed so far is loss of server integrity (an attacker-controlled shell executing with the application pool's privileges) and exposure of data stored on the compromised hosts; no exfiltration volumes have been reported.
### Detection & Response
- **Discovery:** Researchers identified the activity through monitoring of web shell deployment patterns and anomalous server behavior.
- **Response Actions:** Forensics and containment focused on neutralizing the web shells and patching the underlying upload vulnerabilities.
## Attack Methodology
- **Initial Access:** Exploitation of public-facing IIS web applications via file-upload flaws.
- **Persistence:** Implementation of ASP/ASPX web shells for continuous remote access.
- **Privilege Escalation:** (Specific techniques not disclosed in initial report).
- **Defense Evasion:** Use of legitimate web application extensions (ASP/ASPX) to blend into web directories.
- **Credential Access:** (Specific tools not disclosed).
- **Discovery:** Basic host discovery and network scanning from the compromised IIS server.
- **Lateral Movement:** Pivoting from the Windows IIS server to internal Linux hosts (observed in some intrusions).
- **Collection:** Probing for sensitive data local to the web servers.
- **Exfiltration:** (Specific methods not disclosed).
- **Impact:** System compromise and unauthorized remote administrative control.
## Impact Assessment
- **Financial:** Costs associated with incident response, forensic auditing, and server downtime.
- **Data Breach:** Compromise of web server file systems and potentially connected databases.
- **Operational:** Disruption of web services and potential exposure of adjacent Linux-based infrastructure.
- **Reputational:** Risks associated with hosting malicious shells and failing to secure customer-facing web assets.
## Indicators of Compromise
- **Network indicators:**
- Scan-like connections from the IIS server to internal IP ranges it does not normally contact during the discovery phase.
- **File indicators:**
- Unauthorized `.asp` or `.aspx` files in directories meant for user content (e.g., `/uploads/`, `/images/`, `/files/`); search case-insensitively, since IIS serves `SHELL.ASPX` exactly as it serves `shell.aspx`.
- **Behavioral indicators:**
- `w3wp.exe` spawning unusual child processes (e.g., `cmd.exe`, `whoami`, `netstat`) under the application pool identity (`IIS APPPOOL\<pool name>`). Baseline the children `w3wp.exe` legitimately spawns (such as `csc.exe` during ASP.NET dynamic compilation) before alerting.
- Unusual outbound traffic from IIS servers to internal Linux hosts.
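The indicators above can be hunted directly in IIS access logs and process-creation telemetry. The following is an added example (not code from the report or from the affected organizations): it parses a constructed IIS W3C log excerpt, flags requests for `.asp`/`.aspx` files under the upload directories named above, extracts the client IPs to pivot on, and runs the `w3wp.exe`-child rule over constructed Sysmon-style process events. The log lines, events, IP addresses and the extended list of suspicious child processes beyond `cmd`, `whoami` and `netstat` are my own assumptions.

```python
"""Hunt for this campaign's indicators in IIS access logs and process-creation
events. Added example; the log lines and events below are constructed, not
data from the report."""

import ntpath
from typing import Dict, List

# Constructed IIS W3C extended-format log excerpt (not real traffic).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-06-10 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-06-10 08:01:12 10.0.0.5 POST /upload.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 312
2025-06-10 08:01:40 10.0.0.5 POST /uploads/cmd.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 58
2025-06-10 08:02:03 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.20 Mozilla/5.0 200 0 0 4
2025-06-10 08:02:15 10.0.0.5 GET /files/report.pdf - 443 - 198.51.100.20 Mozilla/5.0 200 0 0 12
2025-06-10 08:03:00 10.0.0.5 GET /Uploads/CMD.ASPX cmd=netstat+-an 443 - 203.0.113.7 Mozilla/5.0 200 0 0 90
2025-06-10 08:04:00 10.0.0.5 GET /default.aspx - 443 - 198.51.100.21 Mozilla/5.0 200 0 0 7
"""

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields the rule needs.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2025-06-10 08:01:41", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"UtcTime": "2025-06-10 08:03:01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\NETSTAT.EXE", "CommandLine": "netstat -an",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    # Expected behaviour: ASP.NET dynamic compilation spawns csc.exe from w3wp.exe. Baseline, do not alert.
    {"UtcTime": "2025-06-10 07:55:10", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\abc.cmdline"',
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"UtcTime": "2025-06-10 07:00:00", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM"},
]

UPLOAD_DIRS = ("/uploads/", "/images/", "/files/")  # directories from the report's IoC list
SCRIPT_EXTENSIONS = (".asp", ".aspx")                # extensions from the report; add any others your handlers execute

# Children named in the report, plus common follow-on discovery binaries (my addition, not from the report).
SUSPICIOUS_CHILDREN = {"cmd.exe", "whoami.exe", "netstat.exe",
                       "powershell.exe", "net.exe", "ipconfig.exe", "nslookup.exe"}


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields: directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                             # other directives and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_webshell_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests for .asp/.aspx files inside user-content directories.
    Compared case-insensitively: IIS serves /Uploads/CMD.ASPX exactly like /uploads/cmd.aspx."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        if stem.startswith(UPLOAD_DIRS) and stem.endswith(SCRIPT_EXTENSIONS):
            hits.append(r)
    return hits


def suspect_client_ips(records: List[Dict[str, str]]) -> List[str]:
    """Source IPs that requested a suspected shell; pivot on these to find the original upload POST."""
    return sorted({r["c-ip"] for r in find_webshell_requests(records)})


def find_suspicious_children(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process-creation events where w3wp.exe spawned a shell or discovery tool."""
    hits = []
    for e in events:
        parent = ntpath.basename(e["ParentImage"]).lower()
        child = ntpath.basename(e["Image"]).lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(e)
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(IIS_LOG)
    for r in find_webshell_requests(recs):
        print("web shell request:", r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
    print("pivot on client IPs:", suspect_client_ips(recs))
    for e in find_suspicious_children(PROCESS_EVENTS):
        print("w3wp.exe child:", e["UtcTime"], e["Image"], "|", e["CommandLine"], "|", e["User"])
```

On the sample data the two requests for `/uploads/cmd.aspx` (one of them in mixed case) and the `cmd.exe` and `netstat.exe` children of `w3wp.exe` are flagged, while the `csc.exe` compilation and the unrelated `svchost.exe` event are not. The client IP list is the pivot: the upload POST that planted the shell (here to `/upload.aspx`) usually comes from the same source shortly before the first request to the shell.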
## Response Actions
- **Containment:** Isolated infected IIS servers and took affected web applications offline for remediation.
- **Eradication:** Removed unauthorized web shells and closed file-upload vulnerabilities through code auditing and patching.
- **Recovery:** Restored servers from known-clean backups and applied hardened configurations.
## Lessons Learned
- **Key takeaways:** Insecure file-upload forms remain a high-risk entry point for IIS-hosted environments.
- **Improvement areas:** Lack of network segmentation allowed the threat actor to pivot from a public-facing web server to internal Linux hosts too easily.
## Recommendations
- **Input Validation:** Validate uploads against an allowlist of expected content types, checked from the file contents rather than the client-supplied filename or `Content-Type` header. Discard the client filename in favour of a server-generated one, and store uploads outside the web root or in a directory where script execution is disabled (in IIS, for example, a `<handlers accessPolicy="Read" />` element inside a `<location path="uploads">` block of `web.config`, or removing the ASP/ASP.NET handler mappings for that directory). Extension denylists are not sufficient: blocking `.aspx` alone still leaves `.asp` and every other handler-mapped extension executable.
- **Network Segmentation:** Place public-facing web servers in a segment that can reach only the back-end services they need, and block them from initiating connections to internal Linux hosts and other infrastructure.
- **Least Privilege:** Run each IIS application pool under its own low-privileged identity; a web shell inherits exactly the permissions of the pool it runs in, so this bounds what the operator can read and execute.
- **WAF Deployment:** Use a Web Application Firewall to block known upload and web-shell request patterns, treating it as a compensating control rather than a substitute for fixing the upload code.
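To make the input-validation recommendation concrete, here is an added example (my own code, not the affected applications' or any vendor's) that places the flawed upload pattern beside a hardened one: the insecure version lets the client-supplied name pick both extension and location under the web root, the denylist version shows why blocking `.aspx` alone fails, and the hardened version derives the extension from magic bytes, generates a random name and stores the file under a root outside the web tree. The accepted types, size limit, directory names and the placeholder shell-like payload are assumptions; `ntpath` is used so the paths read as IIS paths on any platform.

```python
"""Upload handling: the flawed pattern beside a hardened one. Added example; not
the affected applications' code. Standard library only."""

import ntpath
import secrets
from typing import Tuple

# Content types this hypothetical application accepts, identified by leading bytes.
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"%PDF-": ".pdf",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Constructed inputs: a placeholder that merely looks like an ASP.NET page (not a working shell) and a PNG-like blob.
SHELL_LIKE_UPLOAD = b'<%@ Page Language="C#" %><!-- web shell body would go here -->'
PNG_LIKE_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def insecure_destination(web_root: str, client_filename: str) -> str:
    """The flawed pattern behind this campaign: the client-supplied name decides the
    extension and the file lands in a script-enabled directory under the web root.
    Uploading 'shell.aspx' yields a URL the attacker can then request."""
    return ntpath.join(web_root, "uploads", client_filename)


def denylist_destination(web_root: str, client_filename: str) -> str:
    """A common half-fix: reject only '.aspx'. Classic ASP ('.asp') still executes,
    as does every other handler-mapped extension, so renaming bypasses the check."""
    if client_filename.lower().endswith(".aspx"):
        raise UploadRejected("aspx not allowed")
    return ntpath.join(web_root, "uploads", client_filename)


def detect_type(data: bytes) -> str:
    """Derive the extension from the content's magic bytes, never from the client."""
    for magic, ext in ALLOWED_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("content does not match an allowed type")


def hardened_destination(storage_root: str, client_filename: str, data: bytes) -> str:
    """storage_root must lie outside the web root (or have script execution disabled).
    The client filename is kept only for audit logging; the stored name is random and
    its extension comes from the content, so nothing user-controlled reaches the path.
    Magic-byte checks are bypassable with polyglot files: what stops execution is the
    non-script extension plus the location, the type check only limits what is stored."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")
    ext = detect_type(data)
    stored_name = secrets.token_hex(16) + ext
    return ntpath.join(storage_root, stored_name)


def try_store(storage_root: str, client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, path_or_reason)."""
    try:
        return True, hardened_destination(storage_root, client_filename, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    web_root, store = r"C:\inetpub\wwwroot", r"D:\app-uploads"
    print("insecure :", insecure_destination(web_root, "shell.aspx"))   # executable path under the web root
    print("denylist :", denylist_destination(web_root, "shell.asp"))    # classic ASP slips through
    print("hardened :", try_store(store, "shell.aspx", SHELL_LIKE_UPLOAD))  # rejected: not an allowed type
    print("hardened :", try_store(store, "shell.aspx", PNG_LIKE_UPLOAD))    # random .png name outside web root
```

Even if the hardened path accepts a polyglot that carries ASP code inside a valid PNG, the server never executes it: it is stored with a `.png` extension under `D:\app-uploads`, which no IIS handler maps to a script engine. Pair this with the `web.config` handler restriction from the recommendation above so that a future regression in the upload code does not silently reopen the hole.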