TOLLBOOTH: What’s yours, IIS mine

A Chinese-speaking threat actor (REF3927) exploited publicly exposed ASP.NET machine keys on IIS servers to deploy a Godzilla-forked webshell, the GotoHTTP RMM, a kernel rootkit derived from the open-source “Hidden” project, and a malicious IIS module named TOLLBOOTH that provides SEO cloaking, webshell access, and management endpoints. The campaign affected hundreds of global IIS servers, leveraged reused machine keys for initial access, and used DKOM-based hiding, RMM-based remote control, and configuration fetched from c[.]cseo99[.]com to operate. #TOLLBOOTH #Z-Godzilla_ekp

Keypoints

  • Threat actors exploited IIS servers using publicly exposed ASP.NET machine keys (ViewState deserialization) to gain initial access.
  • Post-compromise tooling included a Godzilla-forked webshell (Z-Godzilla_ekp), the GotoHTTP RMM, and a malicious IIS module named TOLLBOOTH.
  • Operators deployed a modified “Hidden” kernel rootkit (HIDDENDRIVER) and a Chinese-language userland app (HIDDENCLI) to hide artifacts via DKOM, FS/registry filters, and IOCTL control.
  • TOLLBOOTH provides SEO cloaking, link-farming, a publicly accessible webshell (/mywebdll with password hack123456!), and management endpoints that fetch per-victim configs from c[.]cseo99[.]com.
  • The campaign is large-scale and largely untargeted, with 571 identified TOLLBOOTH-infected IIS victims globally (notably excluding mainland China).
  • Remediation requires both removing malware/persistence and rotating/replacing compromised machine keys to prevent reinfection.
  • Elastic and partners (Texas A&M, Validin) prevented execution of some components and published detection/prevention artifacts including YARA rules and detection logic.
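
Two of the behaviours in the key points above leave traces in ordinary IIS W3C logs: a run of POST requests to an .aspx page answered with HTTP 500 while a ViewState payload is being exercised, and hits on the TOLLBOOTH /mywebdll, /scjg and /clean?type=… endpoints. The script below is an added example, not Elastic's tooling; the log lines are constructed, and the threshold of three 500s per client and page is an assumption. IIS does not log POST bodies, so the __VIEWSTATE payload itself is never visible here; the 500 burst is only a lead to confirm against the application's own error logging.

```python
"""Triage IIS W3C logs for TOLLBOOTH-style activity (added example, not Elastic's code)."""
from collections import Counter

# Constructed sample log (not a real capture). Field order follows the IIS default W3C set.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-09-01 10:00:01 10.0.0.5 GET /default.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 31
2025-09-01 10:00:07 10.0.0.5 POST /default.aspx - 443 - 198.51.100.77 python-requests/2.31 500 0 0 120
2025-09-01 10:00:08 10.0.0.5 POST /default.aspx - 443 - 198.51.100.77 python-requests/2.31 500 0 0 115
2025-09-01 10:00:09 10.0.0.5 POST /default.aspx - 443 - 198.51.100.77 python-requests/2.31 500 0 0 118
2025-09-01 10:01:30 10.0.0.5 POST /mywebdll - 443 - 198.51.100.77 Mozilla/5.0 200 0 0 44
2025-09-01 10:02:02 10.0.0.5 GET /clean type=conf 443 - 198.51.100.77 Mozilla/5.0 200 0 0 12
2025-09-01 10:03:15 10.0.0.5 POST /checkout.aspx - 443 - 203.0.113.10 Mozilla/5.0 500 0 0 250
"""

WEBSHELL_STEMS = {"/mywebdll", "/scjg"}   # TOLLBOOTH webshell endpoints named in the report
CLEAN_TYPES = {"conf", "all"}             # values seen on the /clean?type=... management endpoint
VIEWSTATE_500_THRESHOLD = 3               # assumption: this many POST->500 on one page from one IP


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header to name the columns."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess the column alignment
        yield dict(zip(fields, parts))


def query_params(query):
    """Parse cs-uri-query ('-' when absent) into a dict."""
    if query in ("", "-"):
        return {}
    return dict(kv.split("=", 1) if "=" in kv else (kv, "") for kv in query.split("&"))


def triage(text):
    """Return (rule, client_ip, uri_stem) findings in the order they are established."""
    findings = []
    probes = Counter()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        method = rec["cs-method"].upper()
        ip = rec["c-ip"]
        if stem in WEBSHELL_STEMS:
            findings.append(("tollbooth_webshell", ip, stem))
        elif stem.endswith("/clean") and query_params(rec["cs-uri-query"]).get("type") in CLEAN_TYPES:
            findings.append(("tollbooth_clean_endpoint", ip, stem))
        # A deserialization payload in __VIEWSTATE is answered with HTTP 500; count per (ip, page)
        # because single 500s are ordinary application errors.
        if method == "POST" and stem.endswith(".aspx") and rec["sc-status"] == "500":
            probes[(ip, stem)] += 1
    for (ip, stem), n in probes.items():
        if n >= VIEWSTATE_500_THRESHOLD:
            findings.append(("viewstate_500_burst", ip, stem))
    return findings


def run_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(*f)
```

The /clean rule will collide with any application that legitimately exposes a /clean path, so treat it as a lead to pair with a module listing rather than a verdict on its own.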

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Abuse of ASP.NET ViewState deserialization using publicly exposed machine keys to execute payloads via HTTP POST (“…the __VIEWSTATE field contains a URL-encoded and Base64-encoded payload…the server will respond with an HTTP/1.1 500 Internal Server Error.”).
  • [T1505] Server Software Component – Installation of a malicious IIS module (TOLLBOOTH) to modify web server behavior and provide backdoor/SEO cloaking functionality (“…the actor deployed their traffic hijacking IIS Module, TOLLBOOTH…”).
  • [T1105] Ingress Tool Transfer – Use of GotoHTTP RMM and webshells to transfer and execute additional tools and payloads on compromised servers (“…the actor then uploaded and executed the GotoHTTP Remote Monitoring and Management (RMM) tool.”).
  • [T1620] Reflective Code Loading – Webshell executing .NET assemblies in memory by decoding Base64 AES-encrypted POST data (“…the webshell will take the Base64-encoded AES-encrypted data from the HTTP POST request, then execute the .NET assembly in-memory.”).
  • [T1003] Credential Dumping – Attempted credential dumping with Mimikatz to escalate privileges and harvest credentials (“…attempted to dump credentials using Mimikatz, but this was prevented by Elastic Defend.”).
  • [T1071.001] Application Layer Protocol: Web Protocols – TOLLBOOTH dynamically retrieves per-victim configuration over HTTPS from c[.]cseo99[.]com/config/.json to drive SEO and redirect behavior (“TOLLBOOTH retrieves its configuration dynamically from hxxps://c[.]cseo99[.]com/config/.json…”).
  • [T1219] Remote Access Software – Use of the legitimate GotoHTTP RMM to provide remote control while blending with benign traffic (“…GotoHTTP tool is a legitimate Remote Monitoring and Management (RMM) application…routing all traffic through GotoHTTP’s own platform…”).
  • [T1070.004] Indicator Removal: File Deletion – Use of management / clean endpoints to remove local config and cache files (clean?type=conf, clean?type=all) to manage persistence and update configs (“The /clean endpoint allows the operator to clear the current configuration by deleting the config files stored locally…”).
  • [T1014] Rootkit – Deployment of a kernel driver that uses DKOM and callbacks to hide processes, files, and registry entries (HIDDENDRIVER/HIDDENCLI) (“…the rootkit uses Direct Kernel Object Manipulation (DKOM) to hide its presence and maintain persistence…”).

Indicators of Compromise

  • [SHA-256] Malware binaries – c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2 (caches.dll – TOLLBOOTH), 82b7f077021df9dc2cf1db802ed48e0dec8f6fa39a34e3f2ade2f0b63a1b5788 (scripts.dll – TOLLBOOTH).
  • [SHA-256] Rootkit and tools – f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1 (Winkbj.sys / HIDDENDRIVER), 913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc (WingtbCLI.exe / HIDDENCLI).
  • [Domains] C2 / config / infrastructure – c[.]cseo99[.]com (TOLLBOOTH config server), f[.]fseo99[.]com (SEO farming config), api[.]aseo99[.]com (crawler reporting & redirector).
  • [Domains] Page hijacker / payload hosts – mlxya[.]oss-accelerate.aliyuncs[.]com (next-stage JS hosting), asf-sikkeiyjga[.]cn-shenzhen[.]fcapp.run and ask-bdtj-selohjszlw[.]cn-shenzhen[.]fcapp.run (page content-fetching servers).
  • [File paths & creds] Local cache/config paths and webshell creds – C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C (native module cache), C:\Windows\Temp\AcpLogs (managed module AES-encrypted cache), hardcoded webshell password hack123456! and /mywebdll & /scjg endpoints.
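
With the indicators above in hand, a responder sweeps what was collected from the host rather than the live box, since the HIDDEN-derived rootkit hides artifacts from on-host tooling. The script below is an added example, not Elastic's tooling. It takes applicationHost.config (where IIS registers native modules such as TOLLBOOTH), a path-to-SHA-256 manifest such as Get-FileHash output, and each site's web.config, and reports hash hits against the listed IOCs, native modules loaded from outside %windir%\System32\inetsrv (a heuristic of mine, so TOLLBOOTH builds with other hashes still stand out), the TOLLBOOTH cache directories (matched by directory name only), and any static <machineKey> that the remediation key point says must be rotated. All sample inputs are constructed, the placeholder hashes are not real file hashes, and the key-fingerprint scheme is an assumption for comparing against whatever exposed-key list you hold without pasting keys around.

```python
"""Offline IOC sweep of artifacts collected from an IIS host (added example, not Elastic's tooling)."""
import hashlib
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# SHA-256 IOCs listed in the report.
IOC_SHA256 = {
    "c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2": "caches.dll (TOLLBOOTH)",
    "82b7f077021df9dc2cf1db802ed48e0dec8f6fa39a34e3f2ade2f0b63a1b5788": "scripts.dll (TOLLBOOTH)",
    "f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1": "Winkbj.sys (HIDDENDRIVER)",
    "913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc": "WingtbCLI.exe (HIDDENCLI)",
}
# TOLLBOOTH local cache directories under the Windows Temp folder, matched by name only
# so the check does not depend on the exact parent layout.
IOC_DIR_NAMES = {"_fab234cd3-09434-8898d-bffc-4e23123df2c", "acplogs"}
# Assumption: stock native modules ship from here; anything loaded from elsewhere gets reviewed.
TRUSTED_MODULE_DIR = r"c:\windows\system32\inetsrv"


def norm(path):
    """Lower-case a Windows path and expand the variables applicationHost.config uses."""
    return path.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")


def native_modules(app_host_config):
    """Return (name, image) for every native module registered in <globalModules>."""
    root = ET.fromstring(app_host_config)
    return [(a.get("name"), a.get("image", "")) for gm in root.iter("globalModules") for a in gm.findall("add")]


def key_fingerprint(key):
    """Short SHA-256 of a machineKey value (assumed scheme), so keys can be compared without being copied."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()[:16]


def sweep(app_host_config, hash_manifest, web_configs=()):
    """hash_manifest: {path: sha256}; web_configs: iterable of (site_name, web.config text)."""
    findings = []
    manifest = {norm(p): h.lower() for p, h in hash_manifest.items()}
    seen = set()
    for name, image in native_modules(app_host_config):
        img = norm(image)
        seen.add(img)
        h = manifest.get(img)
        if h in IOC_SHA256:
            findings.append(("ioc_hash_module", name, IOC_SHA256[h]))
        elif not img.startswith(TRUSTED_MODULE_DIR):
            findings.append(("module_outside_inetsrv", name, img))
    for p, h in manifest.items():
        if h in IOC_SHA256 and p not in seen:
            findings.append(("ioc_hash_file", p, IOC_SHA256[h]))
        parent = PureWindowsPath(p).parent
        if parent.name in IOC_DIR_NAMES:
            findings.append(("tollbooth_cache_dir", p, str(parent)))
    for site, cfg in web_configs:
        for mk in ET.fromstring(cfg).iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                val = mk.get(attr, "AutoGenerate")
                if not val.lower().startswith("autogenerate"):  # static key: rotate it
                    findings.append(("static_machine_key", site, f"{attr}={key_fingerprint(val)}"))
    return findings


# --- Constructed sample inputs (not real collection data) ---
SAMPLE_APP_HOST = r"""<configuration><system.webServer><globalModules>
  <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
  <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
  <add name="caches" image="C:\Windows\Temp\caches.dll" />
  <add name="scripts" image="C:\inetpub\wwwroot\bin\scripts.dll" />
</globalModules></system.webServer></configuration>"""

SAMPLE_MANIFEST = {  # placeholder hashes, except caches.dll which carries the report's IOC to simulate a hit
    r"C:\Windows\System32\inetsrv\cachuri.dll": "0" * 64,
    r"C:\Windows\System32\inetsrv\static.dll": "1" * 64,
    r"C:\Windows\Temp\caches.dll": "c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2",
    r"C:\inetpub\wwwroot\bin\scripts.dll": "2" * 64,
    r"C:\Windows\Temp\AcpLogs\7f3a.bin": "3" * 64,
}

SAMPLE_WEB_CONFIG = r"""<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""


def run_sample():
    return sweep(SAMPLE_APP_HOST, SAMPLE_MANIFEST, [("Default Web Site", SAMPLE_WEB_CONFIG)])


if __name__ == "__main__":
    for f in run_sample():
        print(*f)
```

A module that hashes clean but loads from outside inetsrv is the case worth the most attention: the hashes above cover the samples Elastic analysed, and a rebuilt TOLLBOOTH will not match them.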


Read more: https://www.elastic.co/security-labs/tollbooth