China-linked OP-512 Threat Cluster Targets Microsoft IIS Servers
Severity: High (Score: 72.5)
Sources: Scworld, Feeds.4Sysops
Keywords: threat, cluster, op-512, microsoft, servers, identified, actively
Summary
The OP-512 threat cluster has been identified as actively targeting Microsoft Internet Information Services (IIS) servers, with an espionage focus. Researchers attribute the activity to China, making OP-512 the fourth China-linked group observed exploiting IIS servers in the past year. The group deploys a web shell framework made up of three distinct web shells, built for remote access while avoiding detection, and uses timestomping to rewrite file timestamps so the shells blend in with legitimate files. Targeted systems include legacy IIS servers, such as those running Windows Server 2016 with outdated .NET Framework versions. In the observed intrusion chain, a web shell is written to disk by the IIS worker process, and the shell then reports its own location to an attacker-controlled domain. OP-512 also attempts privilege escalation to SYSTEM using the Potato Suite. The custom tooling appears deliberately designed to evade defenses tuned for known China-linked groups, which is a problem for defenders relying on signature-based detection.

Key Points:
• OP-512 targets legacy Microsoft IIS servers, focusing on espionage.
• The group uses a custom web shell framework with advanced evasion techniques.
• This is the fourth China-linked group observed exploiting IIS servers in the past year.
Detailed Analysis
**Impact**
Organizations running legacy Microsoft IIS servers, particularly Windows Server 2016 hosts with outdated .NET Framework versions, are targeted. The activity is espionage-focused and aligns with Chinese intelligence priorities. Multiple sectors are affected, but the sources give no victim counts, geographies, or named industries.

**Technical Details**
OP-512 deploys a custom web shell framework with three distinct web shells, written to disk by the IIS worker process (w3wp.exe). The group timestomps the dropped files to evade detection, gates access to the shells with cryptographic access controls, and has the shells automatically report their location to attacker-controlled domains. Privilege escalation attempts use the Potato Suite to obtain SYSTEM-level access. The cluster targets legacy IIS servers with tooling built to bypass signature-based defenses. No specific CVEs or IOCs were provided in the sources.

**Recommended Response**
Apply patches and updates to IIS and the .NET Framework to close the legacy vulnerabilities this cluster relies on. Monitor for web shell activity: the worker process writing script files (for example .aspx or .ashx) into web content directories, the worker process spawning command interpreters, and anomalous outbound connections or DNS lookups from the worker process to unknown domains. Detect timestomping by alerting on creation-time changes to files under the web root and, in forensic review, by comparing the $STANDARD_INFORMATION and $FILE_NAME timestamps in the MFT, since most timestomping tools rewrite only the former. Detect Potato-style privilege escalation by alerting when a process under an IIS application pool identity launches a child running as SYSTEM. Block attacker-controlled domains as they are identified.
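The following hunt script is an added example and is not code from the source articles or from ReliaQuest. It applies the monitoring points above to a handful of constructed Sysmon-style events (Event ID 1 ProcessCreate, 2 FileCreateTime changed, 11 FileCreate, 22 DNSEvent), flagging the IIS worker process dropping script files, timestomping under the web root, command interpreters spawned by w3wp.exe, an app-pool identity launching a SYSTEM child (the Potato pattern), and DNS lookups by the worker process to domains outside an allowlist. The event field names follow the Sysmon schema (ParentUser requires Sysmon 13 or later), and the sample events, domain allowlist, and file paths are assumptions made for the example.

```python
"""Hunt for OP-512-style IIS web shell behaviour over Sysmon-style events.

Added example, not from the source reporting. Event dictionaries mimic the Sysmon
fields of the same names; the events below are constructed, not real telemetry.
"""
import re

IIS_WORKER = "w3wp.exe"
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".soap")
WEBROOT_RE = re.compile(r"\\inetpub\\wwwroot\\", re.IGNORECASE)
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe",
                   "certutil.exe", "rundll32.exe", "mshta.exe"}
APPPOOL_PREFIX = "iis apppool\\"
SYSTEM_USER = "nt authority\\system"
ALLOWED_DOMAINS = {"ocsp.digicert.com", "crl.microsoft.com"}  # assumption: per-site allowlist


def basename(path):
    """Lower-cased file name of a Windows path ("" for a missing field)."""
    return path.rsplit("\\", 1)[-1].lower()


def zero_subsecond(utc_time):
    """Heuristic: a creation time written at whole-second granularity (".000") is a
    common artifact of timestomping utilities; normal NTFS writes carry a fraction."""
    return utc_time.endswith(".000")


def evaluate(ev):
    """Return a list of (technique, reason) findings for one event; [] if benign."""
    findings = []
    eid = ev["EventID"]
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))

    # T1505.003: the IIS worker itself writes a server-side script under the web root.
    if eid == 11 and image == IIS_WORKER:
        target = ev["TargetFilename"]
        if target.lower().endswith(SCRIPT_EXT) and WEBROOT_RE.search(target):
            findings.append(("T1505.003", f"{IIS_WORKER} dropped script file {target}"))

    # T1070.006: creation time rewritten by the worker, or on anything under the web root.
    if eid == 2:
        target = ev["TargetFilename"]
        if image == IIS_WORKER or WEBROOT_RE.search(target):
            why = ("creation time rewritten by IIS worker" if image == IIS_WORKER
                   else "creation time rewritten under webroot")
            if zero_subsecond(ev["CreationUtcTime"]):
                why += " to a whole-second value"
            findings.append(("T1070.006", f"{why}: {target} "
                             f"{ev['PreviousCreationUtcTime']} -> {ev['CreationUtcTime']}"))

    if eid == 1:
        # T1505.003: web shell command execution shows up as w3wp.exe spawning a shell.
        if parent == IIS_WORKER and image in LOLBIN_CHILDREN:
            findings.append(("T1505.003",
                             f"{IIS_WORKER} spawned {image}: {ev.get('CommandLine', '')}"))
        # T1068: Potato-style escalation ends with an app-pool process launching a SYSTEM child.
        if (ev.get("ParentUser", "").lower().startswith(APPPOOL_PREFIX)
                and ev.get("User", "").lower() == SYSTEM_USER):
            findings.append(("T1068", f"app-pool identity launched {image} as SYSTEM"))

    # T1071: the shell reporting its location shows up as worker-process DNS to an unknown domain.
    if eid == 22 and image == IIS_WORKER and ev["QueryName"].lower() not in ALLOWED_DOMAINS:
        findings.append(("T1071", f"{IIS_WORKER} resolved {ev['QueryName']}"))
    return findings


def hunt(events):
    """Run evaluate() over a sequence of events; returns (index, technique, reason) tuples."""
    return [(i, tech, why) for i, ev in enumerate(events) for tech, why in evaluate(ev)]


# Constructed sample telemetry (assumption): five malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\system_web\layout.aspx"},
    {"EventID": 2, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\system_web\layout.aspx",
     "PreviousCreationUtcTime": "2026-06-05 09:41:17.318",
     "CreationUtcTime": "2019-03-12 14:02:55.000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami /all",
     "User": r"IIS APPPOOL\DefaultAppPool", "ParentUser": r"IIS APPPOOL\DefaultAppPool"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\svc.exe",
     "ParentImage": r"C:\Windows\Temp\stage.exe", "CommandLine": r"C:\Windows\Temp\svc.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"IIS APPPOOL\DefaultAppPool"},
    {"EventID": 22, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "QueryName": "cdn-metrics.example.net"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\temp\IIS Temporary Compressed Files\DefaultAppPool\a1b2.gz"},
    {"EventID": 22, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "QueryName": "ocsp.digicert.com"},
]

if __name__ == "__main__":
    for index, technique, reason in hunt(SAMPLE_EVENTS):
        print(f"event[{index}] {technique}: {reason}")
```

The checks are deliberately behavioural rather than signature-based, which is the point the analysis makes about this cluster: none of them depend on a hash, a file name, or a domain, only on what the IIS worker process and its children are doing. The allowlist is the one site-specific input; populate it from a baseline of the worker process's normal DNS activity before relying on the T1071 rule.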
Source articles (2)
- New OP — Feeds.4Sysops · 2026-06-05
A new threat cluster identified as OP-512 is actively targeting Microsoft Internet Information Services (IIS) servers to deploy a sophisticated web shell framework. Researchers believe the group is fo…
- New China-linked threat cluster OP-512 targets Microsoft IIS servers | brief — Scworld · 2026-06-05
As detailed in The Hacker News, a newly identified threat cluster named OP-512 has been observed actively targeting Microsoft Internet Information Services (IIS) servers. ReliaQuest researchers assess…
Timeline
- 2026-06-05 — OP-512 threat cluster identified: Researchers report OP-512 targeting Microsoft IIS servers with a custom web shell framework for espionage.
- 2026-06-05 — Espionage focus confirmed: The OP-512 group is believed to select targets aligned with Chinese intelligence priorities.
Related entities
- Malware (Attack Type)
- China (Country)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- T1070.006 - Timestomp (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1505.003 - Web Shell (Mitre Attack)
- Potato Suite (Tool)