$ research-item --score 25 --exploit none

New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.

Executive judgement

  • Priority score: 25
  • Confidence: high
  • Exploit status: none — No public exploitation signal captured by the configured pipeline yet.
  • CISA KEV: No CISA KEV match captured in configured source data at generation time.
  • Published/observed: 2026-06-05

What happened

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China. “OP-512 was highly likely conducting espionage through a

Why it matters

  • The item was promoted because the pipeline observed: priority score 25, exploit status none, confidence high.
  • No CVE was extracted from the source story yet, so this should be treated as a news/campaign cluster until primary technical identifiers are found.
  • No PoC signal was detected by the current pipeline unless shown elsewhere on this page.

Evidence collected

Exploitation and PoC status

  • Current automated assessment: No public exploitation signal captured by the configured pipeline yet.
  • Public exploit/PoC: No PoC source captured yet by the configured pipeline.
  • Exploited in the wild: Not confirmed by configured sources at generation time.
  • Ransomware association: No ransomware association captured at generation time.

Dark web / low-confidence chatter

Defender actions

  • Scan all Microsoft IIS servers for anomalous web files (e.g., .aspx, .ashx, .asmx) in web directories using tools like Microsoft Safety Scanner or webshell scanners (e.g., NeoPI). Focus on files with recent timestamps.
  • Harden IIS by disabling unnecessary HTTP modules (e.g., WebDAV) and request filtering, and implement strict IP restrictions in web.config files for administrative paths.
  • Enable and review IIS Failed Request Tracing logs for patterns of OP-512 TTPs, such as requests to uncommon file paths with specific parameters indicative of web shell communication.

Exposure validation ideas

  • Search asset inventory for affected vendor/product names and any CVE reference.
  • Check internet-facing exposure through approved tools only: Shodan/Censys/GreyNoise links below are research starting points, not proof of exposure.
  • Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.

Detection / hunting ideas

  • Review vendor logs for authentication failures, privilege changes, unexpected admin activity, and anomalous management-plane access.
  • Search SIEM/EDR telemetry for product-specific process names, network services, and newly published indicators from primary sources.
  • Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.

Open questions

  • Is there a primary vendor advisory with exact affected versions and fixed versions?
  • Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
  • Are there credible PoC repositories or only secondary reporting mentioning PoC?
  • Is there underground/forum/leak-site discussion, or only public reporting?

Generated: 2026-06-05T14:22:31+00:00

← back to today