Full Report
Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China. "OP-512 was highly likely conducting espionage through a
Analysis Summary
# Threat Actor: OP-512
## Attribution & Identity
- **Actor Identification:** OP-512 is a previously unreported threat cluster first identified by ReliaQuest.
- **Attribution:** Linked with moderate to high confidence to **China**.
- **Known Associations:** The actor shares "close tactical proximity" to another China-linked cluster, **CL-STA-0048**. While no direct overlaps have been confirmed, researchers suggest OP-512 may be a revamp of an existing cluster or an autonomous group operating with independent capabilities.
- **Related Ecosystem:** It is the fourth China-aligned group identified in a 12-month period focusing on IIS servers, alongside **CL-STA-0048**, **DragonRank**, and **GhostRedirector**.
## Activity Summary
The actor was discovered in mid-2026 (based on article timestamp) conducting cyber espionage operations. Their primary method involves exploiting legacy Microsoft Internet Information Services (IIS) servers to deploy a sophisticated, bespoke web shell framework. The operations are characterized by a "sprint" execution style—moving rapidly once initial access is gained—preceded by long-term reconnaissance (with evidence of activity 75 days prior to the main incident).
## Tactics, Techniques & Procedures
- **Web Shell Deployment:** Uses a custom framework of three specific web shells providing file management, command execution, and automated reporting.
- **Self-Reporting Mechanism:** Compromised servers automatically "beacon" back the web shell's location to attacker-controlled infrastructure via DNS queries or HTTP fallbacks.
- **Timestomping:** To evade detection, the actor computes the median last-modified timestamp of the surrounding files and overwrites the timestamps of its own web shell artifacts to match (MITRE ATT&CK **T1070.006**, formerly **T1099**).
- **Privilege Escalation:** Utilizes the "Potato Suite" (e.g., JuicyPotato/RottenPotato) to escalate from web service accounts to `SYSTEM` level.
- **Reconnaissance:** Execution of discovery commands like `whoami /priv`.
- **Evasion:** Cryptographic controls restrict access to the web shells to only the attacker; each deployment is uniquely generated to avoid signature-based detection.
## Targeting
- **Sectors:** Government and defense (inferred via alignment with China-linked intelligence priorities).
- **Geography:** South, East, and Southeast Asia.
- **Victims:** Organizations running legacy infrastructure, specifically Windows Server 2016 with end-of-life .NET Framework 4.0.
## Tools & Infrastructure
- **Malware:**
  - Bespoke three-part web shell framework.
  - **Potato Suite** (privilege escalation tools).
- **Infrastructure:**
  - Attacker-controlled domain: `ashx.lhlsjcb[.]com`
  - Use of the `w3wp.exe` (IIS worker process) for file dropping.
## Implications
OP-512 represents a trend of Chinese-aligned threat actors narrowing their focus on internet-facing IIS servers as a primary entry point. Their ability to weaponize legacy, end-of-life software (Windows Server 2016/.NET 4.0) suggests they are highly effective at identifying "low-hanging fruit" within high-value targets. The automated, self-reporting nature of their web shells enables them to manage a large fleet of compromised servers at scale for espionage purposes.
## Mitigations
- **Patch Management:** Decommission or upgrade end-of-life (EOL) software including Windows Server 2016 and legacy .NET Framework versions.
- **Monitoring:** Implement logging and alerting for the IIS worker process (`w3wp.exe`) spawning suspicious child processes like `cmd.exe`, `powershell.exe`, or known privilege escalation tools.
- **Detection:** Monitor for unusual DNS queries to new or low-reputation domains from IIS servers, which may indicate the web shell "self-reporting" mechanism.
- **Audit:** Regularly check for unexpected `.ashx`, `.aspx`, or `.php` files in web upload directories and perform forensic analysis of file creation timestamps for anomalies (detecting timestomping).
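A defender-side audit in the spirit of the last two mitigations, as an added example that is not from the ReliaQuest report or the actor's tooling: it walks an upload directory, lists web-executable files, and flags any whose modification time predates its creation/change time, which is the trace left behind when a file's mtime is rewritten to match the neighbours' median. The directory layout and file names are constructed sample data.

```python
import os
import statistics
import tempfile
import time
from pathlib import Path

# Extensions the report says to audit in web upload directories.
SUSPECT_EXTENSIONS = {".ashx", ".aspx", ".php"}


def audit_upload_dir(root, slack_seconds=2):
    """Flag web-executable files whose timestamps look set backwards.

    On Windows st_ctime is the creation time, on Linux/macOS the inode change
    time; a genuine file cannot have been modified before either, so
    mtime < ctime means the mtime was rewritten. The offset from the sibling
    median shows how closely the file blends in with its neighbours.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        stats = {n: os.stat(os.path.join(dirpath, n)) for n in names}
        if not stats:
            continue
        median_mtime = statistics.median(s.st_mtime for s in stats.values())
        for name, st in stats.items():
            if Path(name).suffix.lower() not in SUSPECT_EXTENSIONS:
                continue
            reasons = ["web-executable file in upload directory"]
            if st.st_mtime + slack_seconds < st.st_ctime:
                reasons.append("mtime predates ctime: timestamp set backwards")
            findings.append({
                "path": os.path.join(dirpath, name),
                "reasons": reasons,
                "offset_from_median_s": round(st.st_mtime - median_mtime, 1),
            })
    return findings


def build_demo_dir():
    """Constructed sample: month-old ordinary uploads plus a planted
    handler.ashx whose mtime was pushed back to match its neighbours."""
    root = Path(tempfile.mkdtemp(prefix="iis_uploads_"))
    month_ago = time.time() - 30 * 86400
    for i in range(5):
        p = root / f"report{i}.pdf"
        p.touch()
        os.utime(p, (month_ago, month_ago))  # simulate genuinely old uploads
    shell = root / "handler.ashx"
    shell.touch()
    os.utime(shell, (month_ago, month_ago))  # simulated timestomp of the shell
    return str(root)
```

Run `audit_upload_dir(build_demo_dir())` to see the single flagged entry; on a real server point it at the IIS upload directories and review every listed path.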