New China-Linked Threat Cluster OP-512 Targets IIS Servers With

David Kimber
June 8, 2026, 4 Min Read

A newly identified threat cluster, dubbed OP-512, with suspected ties to China, is actively targeting Internet Information Services (IIS) web servers. According to ReliaQuest, the group employs a purpose-built web shell framework in its operations and stands out for deploying tools designed to evade every detection method that works against similar China-linked actors. The discovery marks another escalation in a growing pattern of state-aligned espionage against legacy server infrastructure.

What makes OP-512 especially alarming is its patience. Investigators found evidence that the attacker first accessed the targeted server 75 days before the main intrusion was discovered.

Rather than acting quickly and risking detection, the actor waited, then returned to deploy its full arsenal within hours, a hallmark of state-sponsored espionage.

Analysts at ReliaQuest identified this new cluster after their Agentic AI system stitched together a high volume of seemingly unrelated suspicious events into one high-priority incident.

Threat research experts then reviewed and validated the findings. The targeted organization’s sector and geography aligned with China-linked intelligence priorities, adding weight to the attribution.

According to a report shared with Cyber Security News (CSN), ReliaQuest assessed with moderate-high confidence that OP-512 is a new, previously undocumented actor.

At the center of the operation is a custom web shell framework made up of three malicious files that give attackers remote access through a web browser.

Each deployment is cryptographically unique, meaning traditional signature-based tools cannot reliably detect it. Every installation generates a completely different file fingerprint, making many common defenses ineffective.

High-level attack chain (Source: ReliaQuest)

The compromised server was running Windows Server 2016 with a .NET Framework version that has not received security updates since 2016.

OP-512 is at least the fourth China-linked cluster documented targeting legacy IIS servers in the past year, confirming that outdated, internet-facing infrastructure remains a preferred entry point for espionage.

New China-Linked Threat Cluster OP-512 Targets IIS Servers

Once inside the server, OP-512 moved quickly to establish control. The web server’s worker process wrote the first web shell to an upload directory, a .aspx file manager with a built-in command-and-control notification channel.

Within seconds, it encoded its own URL and transmitted that location through two independent channels: a DNS query and, as a fallback, an HTTP request to a backup server linked to known Meterpreter infrastructure.

Two .ashx command handler files were then deployed to the same directory, each generated with a different cryptographic key. Compromising one could not grant access through the other.
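The deployment described above leaves two traces a defender can hunt for without any signature: the self-reporting DNS query to the a.<hex>.c.hcgos[.]com pattern from the IoC table, and scripted POST requests to .aspx files in an upload path from the python-requests/2.33.0 user agent. The following detector is an added example written for this article, not ReliaQuest's tooling or the site's own code. The log layouts, the client IP 10.0.5.21, and the hex label in the DNS sample are constructed; the article only says the URL was "encoded", so decoding the label as plain hex is an assumption and the code treats a failed decode as still-suspicious rather than as a miss.

```python
import re
from typing import Dict, List, Optional

# Indicators from the article's IoC table. They stay defanged in the source and
# are refanged only inside this matching logic.
C2_DOMAIN = "hcgos[.]com".replace("[.]", ".")
WEBSHELL_CLIENT = "124.156.129[.]151".replace("[.]", ".")

# Subdomain pattern the article gives for the notification channel.
BEACON_RE = re.compile(
    r"^a\.(?P<hex>[0-9a-f]+)\.c\." + re.escape(C2_DOMAIN) + r"$", re.IGNORECASE
)


def try_hex_decode(label: str) -> Optional[str]:
    """Assumption (not stated in the article): the label is the web shell URL
    as plain hex. Returns the text only if it decodes to printable ASCII."""
    if len(label) % 2:
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_dns_beacons(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Scan constructed CSV DNS log lines (timestamp,client,qname)."""
    hits = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        m = BEACON_RE.match(qname.rstrip("."))
        if m:
            hits.append({"timestamp": ts, "client": client, "qname": qname,
                         "decoded": try_hex_decode(m.group("hex"))})
    return hits


def find_webshell_posts(lines: List[str]) -> List[Dict[str, object]]:
    """Scan constructed IIS-style log lines with the field order
    date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status.
    Flags POSTs to .aspx files under an upload path from python-requests."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, c_ip, method, uri, ua, _status = fields[:7]
        uri_l = uri.lower()
        if (method == "POST" and uri_l.endswith(".aspx")
                and "/upload" in uri_l and ua.startswith("python-requests")):
            hits.append({"client": c_ip, "uri": uri, "user_agent": ua,
                         "known_ioc_ip": c_ip == WEBSHELL_CLIENT})
    return hits


# Constructed sample data; the hex label encodes http://10.0.5.21/uploads/s.aspx
SAMPLE_DNS = [
    "2026-06-01T10:14:02Z,10.0.5.21,update.example.net",
    "2026-06-01T10:14:05Z,10.0.5.21,"
    "a.687474703a2f2f31302e302e352e32312f75706c6f6164732f732e61737078.c.hcgos.com",
    "2026-06-01T10:15:11Z,10.0.5.22,a.deadbeef.c.example.org",
]
SAMPLE_IIS = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status",
    "2026-06-01 10:13:58 203.0.113.9 GET /index.aspx Mozilla/5.0 200",
    "2026-06-01 10:14:01 124.156.129.151 POST /uploads/s.aspx python-requests/2.33.0 200",
    "2026-06-01 10:14:30 198.51.100.7 POST /uploads/photo.jpg Mozilla/5.0 200",
]

if __name__ == "__main__":
    for hit in find_dns_beacons(SAMPLE_DNS):
        print("DNS beacon:", hit)
    for hit in find_webshell_posts(SAMPLE_IIS):
        print("Web shell POST:", hit)
```

A DNS hit whose decoded label names a path on one of your own servers is the strongest signal here: it tells you which file to pull for analysis before the host is touched.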

The system was built so each web shell looks unique, operates securely, and reports back automatically. The attacker could drop the files and walk away, knowing their infrastructure would track everything.

The framework also used timestomping, where file timestamps are manipulated to match those of legitimate files already on the server.

A file planted in 2026 was made to appear as though it had existed since 2022, directly undermining a standard forensic technique investigators rely on to spot recently dropped artifacts.
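Copying timestamps from a legitimate neighbour defeats a simple "recently modified" sort, but it leaves two things behind that a review of an upload directory can still catch. The example below is added here and is not from the article or from ReliaQuest: it checks a constructed directory listing for server-side scripts in an upload folder, for $STANDARD_INFORMATION creation times that predate the NTFS $FILE_NAME creation time (user-mode timestamp APIs update only the former, so a large gap between them is a classic backdating indicator), and for files whose created/modified pair matches another file's to the second. The file names, times and the one-day gap threshold are assumptions; reading $FILE_NAME times on a real host needs MFT-aware forensic tooling.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Extensions IIS will execute as server-side code (assumed set for the example).
SCRIPT_EXTS = (".aspx", ".ashx", ".asp", ".asmx")

# Constructed listing of an IIS upload directory. "created"/"modified" are the
# $STANDARD_INFORMATION times a normal listing shows; "fn_created" is the
# $FILE_NAME creation time that only the kernel updates. All values invented.
SAMPLE_LISTING = [
    {"name": "logo.png",   "created": "2022-03-10T08:15:27",
     "modified": "2022-03-10T08:15:27", "fn_created": "2022-03-10T08:15:27"},
    {"name": "banner.jpg", "created": "2022-05-02T14:40:03",
     "modified": "2022-05-02T14:40:03", "fn_created": "2022-05-02T14:40:03"},
    {"name": "fm.aspx",    "created": "2022-03-10T08:15:27",
     "modified": "2022-03-10T08:15:27", "fn_created": "2026-06-01T10:14:01"},
    {"name": "h1.ashx",    "created": "2022-05-02T14:40:03",
     "modified": "2022-05-02T14:40:03", "fn_created": "2026-06-01T10:14:03"},
    {"name": "new.png",    "created": "2026-05-20T09:00:11",
     "modified": "2026-05-20T09:00:11", "fn_created": "2026-05-20T09:00:11"},
]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def suspicious_files(listing: List[Dict[str, str]],
                     gap: timedelta = timedelta(days=1)) -> Dict[str, List[str]]:
    """Return {file name: [reasons]} for every file that trips a check."""
    reasons: Dict[str, List[str]] = defaultdict(list)

    # Check 1: executable script sitting in a directory that should hold uploads.
    for f in listing:
        if f["name"].lower().endswith(SCRIPT_EXTS):
            reasons[f["name"]].append("script_in_upload_dir")

    # Check 2: $SI creation time far earlier than $FN creation time.
    for f in listing:
        if _t(f["fn_created"]) - _t(f["created"]) > gap:
            reasons[f["name"]].append("si_created_predates_fn_created")

    # Check 3: created/modified pair cloned from another file in the directory.
    groups: Dict[tuple, List[str]] = defaultdict(list)
    for f in listing:
        groups[(f["created"], f["modified"])].append(f["name"])
    for names in groups.values():
        if len(names) > 1:
            for n in names:
                others = ",".join(x for x in names if x != n)
                reasons[n].append(f"shares_exact_timestamps_with:{others}")

    return dict(reasons)


if __name__ == "__main__":
    for name, why in sorted(suspicious_files(SAMPLE_LISTING).items(),
                            key=lambda kv: -len(kv[1])):
        print(f"{name:12} {'; '.join(why)}")
```

Files tripping all three checks are the ones to pull first; a legitimate file that merely shares timestamps with a flagged one is reported too, which is useful because it tells you which file the attacker used as the template.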

Privilege Escalation and Persistent Access

With web shells in place, OP-512 loaded four exploitation toolkits directly into the server’s process memory, leaving nothing written to disk.

Three came from the publicly known “Potato Suite,” which abuses built-in Windows services to escalate access from a limited service account to full system-level control.

A fourth toolkit appeared in telemetry as “GhostKit,” though no public documentation exists for a tool by that name.

Endpoint protection did terminate the malicious process when suspicious behavior was detected. However, IIS automatically restarts worker processes when they stop, so the attacker’s tools reloaded within minutes.

Prevention fired repeatedly, but the intrusion continued, highlighting a critical gap: stopping a process without isolating the host only delays, rather than stops, an attacker operating through IIS.
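The gap the article describes is easy to turn into an escalation rule: a single kill of the IIS worker process is routine, but several prevention-driven terminations of w3wp.exe on one host inside a short window mean the tooling is being reloaded, and the host itself needs isolating. The code below is an added example, not ReliaQuest's or any EDR vendor's logic; the event field names, host names and the three-kills-in-thirty-minutes threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed EDR-style events. Field names are assumed for this example and
# do not follow any real vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T11:00:00Z", "host": "web01", "action": "process_terminated",
     "image": "w3wp.exe", "reason": "prevention"},
    {"ts": "2026-06-01T11:04:00Z", "host": "web01", "action": "process_terminated",
     "image": "w3wp.exe", "reason": "prevention"},
    {"ts": "2026-06-01T11:09:00Z", "host": "web01", "action": "process_terminated",
     "image": "w3wp.exe", "reason": "prevention"},
    {"ts": "2026-06-01T11:02:00Z", "host": "web02", "action": "process_terminated",
     "image": "w3wp.exe", "reason": "prevention"},
    {"ts": "2026-06-01T15:30:00Z", "host": "web02", "action": "process_terminated",
     "image": "w3wp.exe", "reason": "prevention"},
    {"ts": "2026-06-01T11:05:00Z", "host": "web03", "action": "process_terminated",
     "image": "notepad.exe", "reason": "prevention"},
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def hosts_to_isolate(events: List[Dict[str, str]], image: str = "w3wp.exe",
                     threshold: int = 3,
                     window: timedelta = timedelta(minutes=30)) -> Dict[str, List[str]]:
    """Return {host: [timestamps]} for hosts where prevention terminated `image`
    at least `threshold` times within any `window`. Uses a sliding window over
    the sorted kill times so an old kill never inflates a later cluster."""
    per_host: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if (e.get("action") == "process_terminated"
                and e.get("image", "").lower() == image
                and e.get("reason") == "prevention"):
            per_host[e["host"]].append(datetime.strptime(e["ts"], TS_FMT))

    flagged: Dict[str, List[str]] = {}
    for host, times in per_host.items():
        recent: Deque[datetime] = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[host] = [x.strftime(TS_FMT) for x in recent]
                break  # one verdict per host is enough
    return flagged


if __name__ == "__main__":
    for host, kills in hosts_to_isolate(SAMPLE_EVENTS).items():
        print(f"isolate {host}: {len(kills)} w3wp.exe kills between "
              f"{kills[0]} and {kills[-1]}; hunt for web shells before release")
```

Isolation is the response the rule triggers, not case closure: the article's point is that the web shell on disk, and the entry point behind it, still have to be found and removed before the host goes back.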

Defenders are advised to retire or isolate internet-facing servers running end-of-life .NET frameworks immediately.

Organizations should disable script execution in upload directories, monitor ASP.NET compilation directories for unexpected file creation, and apply web application firewall rules.

Incident teams should not close a case until the entry point is confirmed and fixed, since removing web shells alone does not address the underlying vulnerability.

Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | ashx.lhlsjcb[.]com | DNS C2 domain observed during earlier activity on the same host, approximately 75 days before the primary incident. Suggests infrastructure rotation between attacker visits.
Domain | hcgos[.]com | DNS C2 domain used by the self-reporting notification channel. In logs, look for the subdomain pattern a.<hex>.c.hcgos[.]com
IP Address | 43.160.202[.]246:8053 | Meterpreter C2 server communicating on a non-standard port
IP Address | 140.206.161[.]227:443 | Outbound connection observed from the compromised host
IP Address | 124.156.129[.]151 | Source IP associated with web shell interaction; high-signal indicator due to the combination of the python-requests/2.33.0 user agent, POST requests to .aspx upload paths, and timing aligned with the web shell deployment window

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
