EXECUTIVE SUMMARY:
A widespread campaign, attributed to the RudePanda threat actor, has been observed that compromises Internet Information Services (IIS) hosts by abusing exposed ASP.NET cryptographic secrets and deploying a persistent, unauthenticated web-server module that grants remote command execution and is used to manipulate web traffic for search-engine-related fraud. Multiple variants of the module and companion tooling were discovered across many systems, indicating an automated operation that leverages publicly available components and a customised rootkit to maintain persistence and hinder discovery.
The intrusion chain begins with crafted POST requests that exploit ASP.NET ViewState deserialization on applications whose machineKey values are known to the attacker. After achieving code execution, the operators used local privilege-escalation techniques to create hidden administrative access, dropped a GUI-capable remote access tool, and then installed custom IIS modules from a packaged archive. To hinder discovery, they also attempted to remove Windows event logs and deployed a user-mode rootkit to hide the malicious modules. The deployed module family exposes an unauthenticated, persistent backdoor capable of remote command execution and was observed as part of a broad campaign infecting large numbers of servers.
This underscores the ongoing risk posed by legacy IIS servers and the reuse of old cryptographic secrets, even for non-strategic, opportunistic targets such as SMBs or personal sites. The deployed tools provide full unauthenticated access and a persistent presence via the rootkit and modules, meaning that even once the vulnerability is patched the compromised host remains exposed. Organisations operating Internet-facing IIS applications should assume a potential breach: rotate ASP.NET machine keys, audit for unknown IIS modules, review logs, and ensure event logs have not been wiped or tampered with.
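The response actions above (audit IIS modules, check for cleared event logs, find and rotate static machine keys) can be scripted. The following PowerShell triage script is an added example written for this summary; it is not tooling from the report or from any vendor. It assumes it runs elevated on the IIS host, that the WebAdministration module is installed, that web roots live under C:\inetpub, and that the trusted-module directories listed in the script are the only legitimate locations for native modules on that host.

```powershell
# Added triage script (example for this summary, not tooling from the report).
# Assumptions: runs elevated on the IIS host, WebAdministration module present,
# web roots under C:\inetpub, trusted native-module directories as listed below.

Import-Module WebAdministration -ErrorAction Stop

# 1. Native global modules: flag any whose DLL lives outside the IIS/.NET
#    directories or whose Authenticode signature does not verify.
function Get-SuspiciousIisModules {
    $trusted = @("$env:SystemRoot\System32\inetsrv", "$env:SystemRoot\SysWOW64\inetsrv",
                 "$env:SystemRoot\Microsoft.NET")
    foreach ($m in Get-WebGlobalModule) {
        $image = [Environment]::ExpandEnvironmentVariables($m.Image)
        $inTrusted = [bool]($trusted | Where-Object { $image -like "$_*" })
        $status = if (Test-Path $image) { (Get-AuthenticodeSignature $image).Status } else { 'FileMissing' }
        if (-not $inTrusted -or $status -ne 'Valid') {
            [pscustomobject]@{ Module = $m.Name; Image = $image; Signature = $status }
        }
    }
}

# 2. A user-mode rootkit that hooks the management API can hide a module from
#    Get-WebGlobalModule; compare the API view with the raw configuration file.
function Compare-ModuleInventory {
    $cfgPath = "$env:SystemRoot\System32\inetsrv\config\applicationHost.config"
    $cfg = [xml](Get-Content $cfgPath -Raw)
    $fromFile = @($cfg.SelectNodes('//globalModules/add') | ForEach-Object { $_.name })
    $fromApi  = @(Get-WebGlobalModule | ForEach-Object { $_.Name })
    Compare-Object -ReferenceObject $fromFile -DifferenceObject $fromApi   # any output = mismatch
}

# 3. Event-log tampering: 1102 (Security log cleared) and 104 (other logs cleared).
function Get-LogClearEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($f in @(@{ LogName = 'Security'; Id = 1102; StartTime = $since },
                     @{ LogName = 'System';   Id = 104;  StartTime = $since })) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName, Message
    }
}

# 4. Static machineKey elements: these are the secrets that make ViewState
#    forgeable once known, so every hard-coded key found here needs rotation.
function Find-StaticMachineKeys {
    param([string]$WebRoot = 'C:\inetpub')
    Get-ChildItem -Path $WebRoot -Recurse -Filter web.config -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $xml = [xml](Get-Content $_.FullName -Raw) } catch { return }
            $mk = $xml.SelectSingleNode('//machineKey')
            if ($mk -and $mk.validationKey -and $mk.validationKey -notlike 'AutoGenerate*') {
                [pscustomobject]@{ Config = $_.FullName; Validation = $mk.validation; Decryption = $mk.decryption }
            }
        }
}

# 5. Replacement keys from the OS CSPRNG: 64 bytes for HMACSHA256 validation,
#    32 bytes for AES decryption. Emit the element to the console only; do not log it.
function New-MachineKeyElement {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $v = New-Object byte[] 64; $rng.GetBytes($v)
    $d = New-Object byte[] 32; $rng.GetBytes($d)
    $hex = { param($b) ([BitConverter]::ToString($b)) -replace '-', '' }
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f (& $hex $v), (& $hex $d)
}

'== Modules outside trusted paths or unsigned ==';            Get-SuspiciousIisModules | Format-Table -AutoSize
'== API vs applicationHost.config mismatch (empty is good) =='; Compare-ModuleInventory
'== Log-clear events (last 30 days) ==';                      Get-LogClearEvents | Format-Table -AutoSize
'== web.config files with hard-coded machineKey ==';          Find-StaticMachineKeys | Format-Table -AutoSize
'== Example replacement element (generate one per application) =='; New-MachineKeyElement
```

Two caveats on reading the output. A rootkit that hides modules from the management API may also filter file reads on the live host, so a clean result from the API-versus-file comparison is not proof of absence; compare against a copy of applicationHost.config taken from an offline or known-good image as well. Rotating a machine key invalidates existing ViewState and forms-authentication tickets for that application, so rotate per application during a maintenance window, and replace any key that was ever published in documentation or sample code regardless of whether the scan flags it.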
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1505.003 | Server Software Component | Web Shells |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Defense Evasion | T1070.001 | Indicator Removal on Host | Clear Windows Event Logs |
| Defense Evasion | T1014 | Rootkit | - |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Impact | T1565.001 | Data Manipulation | Stored Data Manipulation |
REFERENCES:
The following reports contain further technical details: