Cybersecurity researchers uncovered OP-512, a previously unreported threat cluster, linked to China with moderate to high confidence, that targeted Microsoft IIS servers to deploy a custom web shell framework. The group used multiple evasive techniques, including timestomping and automated self-reporting, to maintain stealth and support espionage operations on legacy, internet-facing systems. #OP-512 #MicrosoftIIS #ReliaQuest #WindowsServer2016 #PotatoSuite
Key points
- OP-512 is a newly identified threat cluster targeting Microsoft IIS servers.
- ReliaQuest links the activity to China with moderate to high confidence.
- The attackers used a custom three-web-shell framework for remote access and management.
- Timestomping and fallback reporting helped OP-512 evade detection and hide its timeline.
- The campaign targeted a legacy Windows Server 2016 IIS host with end-of-life .NET Framework 4.0.
Read More: https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html