PROBABLYPWNED
Threat Intelligence | June 12, 2026 | 4 min read

China-Linked OP-512 Deploys Cryptographic Web Shells on IIS Servers

ReliaQuest uncovers OP-512 threat cluster targeting Windows IIS servers with three-part web shell framework. Each deployment is unique, self-reporting, and timestamps itself to evade forensics.

Alex Kowalski

A newly identified China-linked threat cluster called OP-512 is compromising Microsoft IIS servers using a custom three-part web shell framework that generates cryptographically unique deployments for each victim. ReliaQuest published their findings on June 5 after their AI-assisted threat hunting platform flagged the activity.

The group's anti-forensics tradecraft is unusually careful. Each web shell timestamps itself to match the surrounding files, so the file system's own timestamps no longer show when the compromise occurred.

The Three-Part Framework

OP-512's toolset consists of three distinct web shells working together:

Component 1: The Stager - A minimal foothold that validates attacker credentials before loading additional functionality. It uses layered encryption to ensure only the operators can access it.

Component 2: The Manager - Provides file system access, command execution, and lateral movement capabilities. This is where the actual post-exploitation work happens.

Component 3: The Reporter - Automatically sends DNS queries or HTTP callbacks to attacker-controlled infrastructure when a new compromise succeeds. This gives operators centralized visibility across all their victims.

The combination means OP-512 can deploy at scale, automatically track successful compromises, and maintain persistent access without manual intervention. Organizations should review our malware identification guide to understand how these persistent threats operate.

How They Evade Detection

The timestomping technique ReliaQuest observed is clever. When the web shells land on a server, they scan every file in their directory, calculate the median last-modified timestamp across all those files, and overwrite their own creation and modification times to match.

Security teams reviewing file system artifacts see web shells that appear to have existed for months or years. Timelines built from those timestamps alone become unreliable. One caveat a responder should know: timestomping done through the ordinary file APIs rewrites only the NTFS $STANDARD_INFORMATION timestamps, so the $FILE_NAME timestamps, the USN change journal and file-creation telemetry from Sysmon or EDR are independent records that can still place the file's true arrival.

ReliaQuest researchers also noted an updated variant that takes evasion further; in their words, it "embeds the stager in encrypted web.config sections and communicates via legitimate cloud services like Microsoft Graph API to mask C2 traffic."

Hiding command-and-control inside Graph API requests means the traffic goes to graph.microsoft.com over TLS and looks like routine Microsoft 365 activity. Network monitoring that allow-lists Microsoft destinations will not flag it on its own; the anomaly is the source, an IIS worker process (w3wp.exe) or another server process that has no legitimate reason to call Graph.
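The variant's use of encrypted web.config sections is worth checking for directly. The Python below is an added example, not ReliaQuest's tooling or OP-512 code: it parses a constructed web.config, lists every section carrying a configProtectionProvider attribute (the mechanism ASP.NET uses for encrypted sections) and flags any provider that is not one of the two built-in ones, because a custom provider is a .NET assembly the worker process loads to decrypt the section. The provider name "SiteProtector", its assembly name and the ciphertext placeholders are invented for the sample.

```python
"""Enumerate protected (encrypted) sections and custom protection providers
in an ASP.NET web.config. Added example; not ReliaQuest's or OP-512's code."""
import xml.etree.ElementTree as ET

# The two providers that ship with the .NET Framework. Anything else is a
# custom assembly that IIS will load to decrypt the section.
BUILTIN_PROVIDERS = {
    "RsaProtectedConfigurationProvider",
    "DataProtectionConfigurationProvider",
}

# Constructed web.config: connectionStrings encrypted the normal way, plus a
# hypothetical custom provider "SiteProtector" guarding appSettings.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <configProtectedData>
    <providers>
      <add name="SiteProtector" type="Site.Config.Protector, SiteConfig" />
    </providers>
  </configProtectedData>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>BASE64-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings configProtectionProvider="SiteProtector">
    <EncryptedData>
      <CipherData><CipherValue>BASE64-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
</configuration>
"""


def custom_providers(root):
    """Map provider name -> .NET type string for providers registered in
    <configProtectedData>; these are assemblies loaded by the worker process."""
    return {
        add.get("name"): add.get("type")
        for add in root.findall("./configProtectedData/providers/add")
    }


def protected_sections(root):
    """Every element carrying configProtectionProvider, i.e. every section
    ASP.NET will decrypt at load time, with the provider responsible."""
    return [
        (el.tag, el.get("configProtectionProvider"))
        for el in root.iter()
        if el.get("configProtectionProvider") is not None
    ]


def audit_web_config(xml_text):
    """Return (section, provider, verdict) triples. Built-in providers are
    reported for review; custom or unregistered providers are flagged."""
    root = ET.fromstring(xml_text)
    custom = custom_providers(root)
    findings = []
    for section, provider in protected_sections(root):
        if provider in BUILTIN_PROVIDERS:
            verdict = "built-in provider; confirm your deployment encrypted this section"
        elif provider in custom:
            verdict = f"FLAG custom provider loads assembly '{custom[provider]}'"
        else:
            verdict = "FLAG provider name is not registered in this file"
        findings.append((section, provider, verdict))
    return findings


if __name__ == "__main__":
    for section, provider, verdict in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{section:20} {provider:36} {verdict}")
```

Providers can also be registered in machine.config or in a parent directory's web.config, so a provider reported as unregistered needs to be chased up the configuration hierarchy rather than dismissed, and the audit should cover every web.config under the IIS sites directory, not just the webroot.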

Target Profile

The intrusion ReliaQuest analyzed targeted a Windows Server 2016 system running .NET Framework 4.0. The 4.0 runtime has been out of support since January 2016, and Windows Server 2016 left mainstream support in 2022, with extended support ending in January 2027. Evidence indicated the attackers had intermittent access for at least 75 days before escalating to more aggressive activity.

That dwell time matters. OP-512 appears patient, establishing access and maintaining it quietly before moving toward their actual objectives. This pattern aligns with espionage operations rather than financially-motivated attacks.

After gaining initial access, the group used the Potato Suite toolkit to escalate privileges to SYSTEM, then confirmed their access with standard enumeration commands. The Potato family works by abusing the SeImpersonatePrivilege that IIS application pool identities hold by default, which is why a web shell running inside w3wp.exe is such a short step from SYSTEM. This privilege escalation pattern mirrors techniques we documented in the LiteLLM exploitation chain.

Attribution

ReliaQuest assesses the China link with "moderate to high confidence." They haven't published specific attribution indicators, but the targeting profile, tooling sophistication, and operational patterns match known Chinese APT behavior.

The attacker-controlled domain ashx.lhlsjcb[.]com appeared in the campaign's command-and-control infrastructure; it is the one network indicator named here. MITRE ATT&CK catalogues the technique as T1505.003, Server Software Component: Web Shell, and its detection guidance is a reasonable starting point for hunting beyond that single domain.

Why This Matters

Web shells remain one of the most persistent threats to internet-facing Windows infrastructure. We covered similar persistent access techniques used by Phantom Taurus last week, where Chinese operators maintained long-term access to victim networks across Africa and Asia.

OP-512's framework represents an evolution in web shell deployment. The cryptographic uniqueness means hash- and signature-based detection of the shell files fails. The automatic reporting means operators don't need to manually track their infrastructure. The timestomping means forensic analysis produces misleading results.

Organizations running legacy IIS infrastructure should assume they're targets. That means:

  1. Audit .NET Framework versions and move anything on 4.0 to a supported release (4.8 or later)
  2. Review web.config files for encrypted sections and configProtectionProvider entries you don't recognize
  3. Monitor for Graph API (graph.microsoft.com) connections from unexpected server processes, in particular IIS worker processes (w3wp.exe)
  4. Compare file timestamps against Windows event logs (Sysmon FileCreate and creation-time-changed events where available) to identify anomalies
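The median-matching timestomping described earlier and the fourth recommendation above can be checked with two complementary heuristics. The Python below is an added example, not ReliaQuest's detection logic: it runs over a constructed webroot listing and a few constructed Sysmon-style records (Event ID 11 FileCreate and Event ID 2 creation-time-changed, using Sysmon's real field names). The first check finds files whose creation and last-write times are identical and land exactly on the median last-write time of the other files in the directory, which is what the technique produces. The second compares each file's on-disk creation time with when telemetry actually saw the file being created. The paths, timestamps and the error.ashx shell name are invented.

```python
"""Flag web-shell timestomping by two independent checks. Added example;
not ReliaQuest's detection logic or OP-512 code."""
from datetime import datetime, timezone
from statistics import median


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC (helper for the constructed data)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed webroot listing: (path, NTFS creation time, last-write time),
# as exported with Get-ChildItem or pulled from a forensic image.
WEBROOT = [
    ("C:\\inetpub\\wwwroot\\default.aspx", ts("2024-03-02 10:15:00"), ts("2024-03-02 10:15:00")),
    ("C:\\inetpub\\wwwroot\\site.css",     ts("2024-03-02 10:15:00"), ts("2024-03-09 09:00:00")),
    ("C:\\inetpub\\wwwroot\\logo.png",     ts("2024-03-02 10:15:00"), ts("2024-03-02 10:15:00")),
    ("C:\\inetpub\\wwwroot\\web.config",   ts("2024-01-20 08:00:00"), ts("2024-05-11 14:30:00")),
    ("C:\\inetpub\\wwwroot\\about.aspx",   ts("2024-03-02 10:15:00"), ts("2024-04-01 12:00:00")),
    # Hypothetical shell: creation and last-write both set to the median
    # last-write time of the other files, mimicking the described technique.
    ("C:\\inetpub\\wwwroot\\error.ashx",   ts("2024-03-09 09:00:00"), ts("2024-03-09 09:00:00")),
]

# Constructed Sysmon records; field names follow Sysmon's FileCreate (ID 11)
# and FileCreateTime-changed (ID 2) events.
SYSMON_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-03-02 10:15:00",
     "Image": "C:\\Program Files\\Deploy\\deploy.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\about.aspx"},
    {"EventID": 11, "UtcTime": "2025-09-14 03:12:41",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\error.ashx"},
    {"EventID": 2, "UtcTime": "2025-09-14 03:12:42",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\error.ashx",
     "PreviousCreationUtcTime": "2025-09-14 03:12:41",
     "CreationUtcTime": "2024-03-09 09:00:00"},
]


def median_matches(listing, tolerance_s=1.0):
    """Check 1: files whose creation and last-write times are identical and
    sit exactly on the median last-write time of the other files in the
    directory. Legitimate deployments rarely land on that value."""
    hits = []
    for i, (path, created, written) in enumerate(listing):
        others = [w.timestamp() for j, (_, _, w) in enumerate(listing) if j != i]
        if created == written and abs(written.timestamp() - median(others)) <= tolerance_s:
            hits.append(path)
    return hits


def event_log_conflicts(listing, events, tolerance_s=60.0):
    """Check 2: on-disk creation time earlier than the logged FileCreate for
    the same path, or any logged creation-time change. Rewriting a file's
    timestamps does not rewrite the telemetry recorded when it appeared."""
    on_disk = {path: created for path, created, _ in listing}
    findings = {}
    for ev in events:
        path = ev["TargetFilename"]
        if path not in on_disk:
            continue
        logged = ts(ev["UtcTime"])
        if ev["EventID"] == 2:
            findings.setdefault(path, []).append(
                f"creation time changed by {ev['Image']} at {logged:%Y-%m-%d %H:%M:%S}")
        elif ev["EventID"] == 11 and (logged - on_disk[path]).total_seconds() > tolerance_s:
            findings.setdefault(path, []).append(
                f"claims creation {on_disk[path]:%Y-%m-%d} but FileCreate logged {logged:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    print("median matches:", median_matches(WEBROOT))
    for path, reasons in event_log_conflicts(WEBROOT, SYSMON_EVENTS).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The median check is a heuristic and will miss a shell dropped into a directory with very few files or one whose operators choose a different target value; the event-log cross-check is the stronger signal but only reaches as far back as your Sysmon or EDR retention, which matters when dwell time runs to months.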

The 75-day dwell time before escalation suggests OP-512 has probably compromised more organizations than have detected them. If you haven't looked for this activity specifically, now would be a good time to start.
