The bottom line: Threat group OP-512 is deploying custom web shells on IIS systems, presumably for espionage and with a Chinese nexus.
Cybersecurity researchers have identified a previously unknown threat group named OP-512 that is actively targeting Microsoft Internet Information Services (IIS) servers and deploying a custom-built web shell framework. ReliaQuest assesses with medium to high confidence that the activity is linked to China.
The group specializes in attacks against Microsoft IIS installations and uses its bespoke web shell framework to establish persistence and remote access on compromised systems.
According to ReliaQuest's assessment, the activity is linked with medium to high confidence to Chinese state interests. The approach points to espionage operations in which the attackers deliberately search infected servers for sensitive data.
The custom web shell raises the stakes: it gives attackers deep control over the IIS server and makes detection by conventional security solutions significantly harder. CISOs should audit their IIS environments for suspicious web shells and review patch compliance and access control policies.
Source: thehackernews.com · Published June 5, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.