EXECUTIVE SUMMARY
Recent intelligence attributes the OP-512 cluster to a China-aligned espionage unit that focuses on long-term intelligence gathering. The campaign exploits web-application servers running Microsoft Internet Information Services, especially those still hosting end-of-life .NET frameworks. Targets span technology providers, manufacturing and financial services in both the Asia-Pacific region and North America, reflecting the strategic priorities of the sponsoring nation-state. The operator's primary objective is stealthy data exfiltration and sustained access rather than immediate financial gain, using the compromised servers as footholds for deeper network infiltration.
The intrusion begins with a malicious request that places a custom web shell into the IIS upload directory, each instance generated with unique cryptographic keys to evade signature detection. Once deployed, the shell immediately issues a DNS query that encodes its location, allowing the attacker to map the asset without alerting traditional network monitors. Persistent control is achieved through additional .ashx handlers protected by RSA-RC4 authentication, while in-memory privilege-escalation tools elevate the compromised account to SYSTEM. Lateral movement proceeds via reflective .NET payloads, and exfiltrated data is funneled through the same covert DNS channel.
The threat's relevance stems from its focus on legacy IIS infrastructure that many organisations still expose to the internet, a surface that traditional antivirus and signature-based solutions miss. Unique cryptographic shells and the ability to reload after process termination make detection and eradication labor-intensive, while the persistence of compiled DLLs in ASP.NET temporary folders extends the foothold beyond the visible web files. Defences should prioritize patching or decommissioning unsupported .NET runtimes, segmenting web servers from core networks, hardening upload paths, and monitoring anomalous DNS queries. Rapid host isolation and behavior-based endpoint monitoring further reduce dwell time and limit lateral spread.
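One way to act on the DNS-monitoring recommendation, as an added example that is not taken from the referenced reports: the script below scores resolver log lines for long, high-entropy labels and for parent domains that receive many distinct subdomains, the two shapes a DNS beacon or exfiltration channel tends to leave. The log format, the sample lines and the thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, format "<time> <client_ip> <qname> <qtype>".
# The encoded-looking names are made up for this example, not real indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.5.21 www.microsoft.com A
2024-05-01T10:00:02 10.0.5.21 update.example-vendor.net A
2024-05-01T10:00:03 10.0.5.21 a9f3kq7x2lm8wz0pv5n1hd4ye6t.lookup.example-c2.test TXT
2024-05-01T10:00:04 10.0.5.21 b7r2zkq9w4mx1pl0vy3cn8sd5hg6.lookup.example-c2.test TXT
2024-05-01T10:00:05 10.0.5.21 c1t8vpk3qmz6xl2rn9ys0wd7hb4ej.lookup.example-c2.test TXT
2024-05-01T10:00:06 10.0.5.22 mail.example-vendor.net MX
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Last two labels stand in for the registrable domain (a simplification for the example)."""
    return ".".join(qname.split(".")[-2:])

def flag_dns_queries(log_text, min_label_len=24, min_entropy=3.5, min_unique_subdomains=3):
    """Return (suspicious_queries, noisy_parents).

    A query is suspicious when its longest label below the parent domain is both long and
    high-entropy. noisy_parents maps each parent domain that saw many distinct leading
    labels to that count, which catches per-query unique names even when each is short.
    """
    suspicious, leading_labels = [], defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        qname = qname.lower().rstrip(".")
        parent = parent_domain(qname)
        sub_labels = qname[: -len(parent) - 1].split(".") if len(qname) > len(parent) else []
        if not sub_labels:
            continue
        leading_labels[parent].add(sub_labels[0])
        longest = max(sub_labels, key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            suspicious.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype,
                               "label_len": len(longest), "entropy": round(shannon_entropy(longest), 2)})
    noisy = {p: len(s) for p, s in leading_labels.items() if len(s) >= min_unique_subdomains}
    return suspicious, noisy
```

Running `flag_dns_queries(SAMPLE_LOG)` flags the three TXT queries and reports the parent domain that received them; tune the thresholds against a baseline of the web servers' normal resolver traffic before alerting on them.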
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Privilege Escalation | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Command and Control | T1071.004 | Application Layer Protocol | DNS |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The reports contain further technical details:
https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512/
https://cybersecuritynews.com/new-china-linked-threat-cluster-op-512-targets-iis-servers