EXECUTIVE SUMMARY
A China-linked threat cluster, known as OP-512, has been identified as a significant threat to organizations, particularly those with legacy Internet Information Services (IIS) servers. The attackers' primary goal is espionage, targeting sectors and regions aligned with China's intelligence priorities. The threat cluster uses a custom web shell framework to gain remote access to compromised servers, with the ability to evade detection through cryptographic controls and restricted access.
The OP-512 threat cluster infects systems through compromised IIS servers, often running end-of-life .NET frameworks. Once inside, the attackers deploy web shells, establish command channels, and escalate privileges using post-exploitation toolkits. The web shell framework is uniquely generated for each deployment, making signature-based detection ineffective.
The attackers use DNS-based covert signaling to report the location of the web shell back to their infrastructure, allowing for centralized management and control. Organizations running legacy IIS servers with end-of-life .NET frameworks are at significant risk from this threat cluster. To defend against OP-512, organizations should prioritize migration or segmentation of these servers, restrict upload functionality, and apply web application firewall rules. Incident responders should also hunt for and clear ASP.NET temporary compilation directories, as malicious DLLs can persist even after web shell removal. Automated containment and detection rules can help reduce the mean time to contain (MTTC) and prevent further exploitation.
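The hunting step above (clearing ASP.NET temporary compilation directories) can be made targeted rather than a blind wipe. The following script is an added example, not part of the advisory or the referenced reports: it parses the .compiled descriptor files ASP.NET writes next to each dynamically compiled page and flags descriptors whose source page no longer exists under the site root, which is exactly the case where a web shell has been deleted but its compiled DLL remains. The site root and framework temp path are parameters and are assumptions, not indicators from the advisory; the mapping from virtualPath to disk assumes a root-level IIS application.

```powershell
# Hunt for orphaned ASP.NET compilation artifacts left behind after a web shell
# (.aspx/.ashx) has been removed from disk. Each compiled page has a .compiled
# XML descriptor: <preserve virtualPath="/x.aspx" assembly="App_Web_..." .../>
# Assumptions (constructed defaults, not IoCs from the advisory):
#   -SiteRoot  physical root of a root-level IIS application
#   -TempRoot  framework "Temporary ASP.NET Files" location(s); wildcard
#              covers 32- and 64-bit frameworks and all installed versions
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',
    [string]$TempRoot = "$env:SystemRoot\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files"
)

function Find-OrphanedCompiledPages {
    param([string]$SiteRoot, [string]$TempRoot)

    Get-ChildItem -Path $TempRoot -Recurse -Filter '*.compiled' -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Descriptors are small XML files; skip anything that does not parse.
        try { [xml]$doc = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction Stop } catch { return }
        $p = $doc.preserve
        if (-not $p -or -not $p.virtualPath) { return }

        # virtualPath is site-relative ("/upload/x.aspx"); map it onto disk.
        $relative = $p.virtualPath.TrimStart('/') -replace '/', '\'
        $physical = Join-Path -Path $SiteRoot -ChildPath $relative
        if (Test-Path -LiteralPath $physical) { return }   # source still present: not orphaned

        # The compiled assembly sits beside the descriptor as <assembly>.dll.
        $dll = $null; $dllWrite = $null
        if ($p.assembly) {
            $dll = Join-Path -Path $_.DirectoryName -ChildPath ("{0}.dll" -f $p.assembly)
            if (Test-Path -LiteralPath $dll) { $dllWrite = (Get-Item -LiteralPath $dll).LastWriteTimeUtc }
        }

        [pscustomobject]@{
            VirtualPath  = $p.virtualPath       # page that was compiled (now missing)
            CompiledFile = $_.FullName          # descriptor to review/remove
            AssemblyDll  = $dll                 # DLL that may still be loadable
            DllPresent   = [bool]$dllWrite
            DllLastWrite = $dllWrite            # pivot for timeline / log correlation
        }
      }
}

# Review the output before deleting anything; the descriptor plus DLL pair is
# also worth preserving for forensics (hash, timestamps) prior to cleanup.
Find-OrphanedCompiledPages -SiteRoot $SiteRoot -TempRoot $TempRoot | Format-Table -AutoSize
```

Legitimate orphans do occur after normal content deployments, so correlate DllLastWrite with IIS request logs for the listed VirtualPath before treating a hit as malicious.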
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Privilege Escalation | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Command and Control | T1071.004 | Application Layer Protocol | DNS |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/op-512-china-linked-iis-web-shell/
https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512