{"id":264898,"date":"2026-06-05T08:33:00","date_gmt":"2026-06-05T12:33:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/new-threat-cluster-op-512-targets-microsoft-iis-servers-with-custom-web-shell-framework\/"},"modified":"2026-06-05T09:25:08","modified_gmt":"2026-06-05T13:25:08","slug":"new-threat-cluster-op-512-targets-microsoft-iis-servers-with-custom-web-shell-framework","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/new-threat-cluster-op-512-targets-microsoft-iis-servers-with-custom-web-shell-framework\/","title":{"rendered":"New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-threat-cluster-op-512-targets.html\">New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-threat-cluster-op-512-targets.html\">https:\/\/thehackernews.com\/2026\/06\/new-threat-cluster-op-512-targets.html<\/a><\/p>\n<p>Publish Date: 2026-06-05 08:33:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 05, 2026<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Threat Intelligence<\/span><\/p>\n<p>Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework.<\/p>\n<p>ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China.<\/p>\n<p>&#8220;OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align 
with China-linked intelligence priorities,&#8221; the company said in a report shared with The Hacker News.<\/p>\n<p>Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it&#8217;s the fourth such threat group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS web servers over the past 12 months. As recently as last month, Cisco Talos revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers.<\/p>\n<p>IIS servers have also been targeted by SHADOW-EARTH-053 as part of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia.<\/p>\n<p>Central to the operations of OP-512 is a custom web shell framework consisting of three web shells that grant the attackers remote access to the compromised host, while taking steps to evade signature-based detection and complicate forensic timelines using techniques like timestomping to intentionally manipulate the timestamps when the web shell artifacts are created or modified.<\/p>\n<p>Specifically, this entails scanning every file and sub-folder around where the web shells are placed, calculating the median last-modified timestamp, and overwriting their own creation and modification times to match that value, thus giving the impression that they have been present for some time.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"414\" data-original-width=\"858\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2ut_d0AWToZxAQTTMjXzD68y9p4rQxf7p8ZjbgEt5OG0xSk0RUU3KagyjR9OFCHoSOu49eNtP9wpi36oueQH7L-7gbpbB6gaSd4CUn02Ml2Ppx0sHQoiuNWFejCKubgMBBuV4QjcMyIxUHYnn4K0F3S_yw_RT-1KzcHGbj53eV9zejiaoL5Hrlq9qTne0\/s1600\/rr.jpg\"\/><\/p>\n<p>&#8220;This framework combines capabilities&#8230;<\/p>\n<p><a 
href=\"https:\/\/thehackernews.com\/2026\/06\/new-threat-cluster-op-512-targets.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework https:\/\/thehackernews.com\/2026\/06\/new-threat-cluster-op-512-targets.html Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":264899,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiab_7FEmO4woH_bG4spUNJRFCFvvmpF9ggnhOlkIf7f0Ma7z4oEwL0MxFSe4CstBBQRLFsYxObArJESQWOkwOPIQgO7m17DQFE997ZPe9hBnUPWiY-rabco7Q_OE2LYgp5UuqDfSxk8jvCJvLriBKb6OQAN9ovQbqSTOGD13SWnU3P12FTLgfvMe5sTgPN\/s1600\/chinese.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,35,32],"class_list":["post-264898","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-hacker","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264898"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=264898"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264898\/revisions"}],"predecessor-version":[{"id":264900,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264898\/revisions\/264900"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/264899"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/w
p-json\/wp\/v2\/media?parent=264898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=264898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=264898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}