New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html

Publish Date: 2026-06-05 08:33:00

Source Domain: thehackernews.com

Ravie Lakshmanan, Jun 05, 2026 | Cyber Espionage / Threat Intelligence

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework.

ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China.

“OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities,” the company said in a report shared with The Hacker News.

Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it’s the fourth such threat group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS web servers over the past 12 months. As recently as last month, Cisco Talos revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers.

IIS servers have also been targeted by SHADOW-EARTH-053 as part of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia.

Central to the operations of OP-512 is a custom web shell framework consisting of three web shells that grant the attackers remote access to the compromised host, while taking steps to evade signature-based detection and complicate forensic timelines through techniques such as timestomping, which deliberately alters the creation and modification timestamps of the web shell artifacts.

Specifically, this entails scanning every file and sub-folder around where the web shells are placed, calculating the median last-modified timestamp, and overwriting their own creation and modification times to match that value, thus giving the impression that they have been present for some time.
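As an added, defender-side illustration (not code from the ReliaQuest report or this article), the heuristic below hunts for the timestamp pattern just described: a server-executable file whose creation and last-write times are identical and sit on the median last-write time of its own folder subtree or of the whole web root. The FileRecord layout, the helper names and the sample listing are assumptions; for a real IIS web root the records would be built from os.walk and os.stat.

```python
import os
import statistics
from dataclasses import dataclass

# Extensions IIS hands to a script engine; a web shell needs one of these.
WEB_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx"}

@dataclass(frozen=True)
class FileRecord:
    path: str       # relative to the web root, forward slashes (assumed layout)
    created: int    # creation time, Unix seconds
    modified: int   # last-write time, Unix seconds

def median_modified(records, folder):
    # Median last-write time over `folder` and its sub-folders ('' = whole root)
    prefix = folder + "/" if folder else ""
    return statistics.median(r.modified for r in records if r.path.startswith(prefix))

def find_median_mimics(records, tolerance=1):
    # Lead generator, not proof: executable file, created == modified, and that
    # value sits on the median of its own subtree or of the whole web root.
    # A legitimate file that happens to be the odd-count median is a false
    # positive; confirm hits by hashing and content review.
    hits = []
    for r in records:
        if os.path.splitext(r.path)[1].lower() not in WEB_EXECUTABLE or r.created != r.modified:
            continue
        folder = r.path.rsplit("/", 1)[0] if "/" in r.path else ""
        for scope in {folder, ""}:
            if abs(r.modified - median_modified(records, scope)) <= tolerance:
                hits.append(r)
                break
    return hits

# Constructed sample listing (not real data): five ordinary files plus one
# whose creation and last-write times both equal the neighbours' median.
SAMPLE = [
    FileRecord("Default.aspx", 1680000000, 1690000000),
    FileRecord("web.config", 1680000000, 1695000000),
    FileRecord("Scripts/site.js", 1680000000, 1700000000),
    FileRecord("Content/site.css", 1680000000, 1705000000),
    FileRecord("bin/App.dll", 1680000000, 1710000000),
    FileRecord("Scripts/helper.aspx", 1700000000, 1700000000),
]

if __name__ == "__main__":
    for hit in find_median_mimics(SAMPLE):
        print("review:", hit.path)
```

Because the mimicked value is a statistic of the neighbouring files, the check is best paired with a baseline of known-good file hashes for the web root rather than relied on alone.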

“This framework combines capabilities…