Researchers from Elastic Security Labs, in collaboration with Texas A&M University System (TAMUS) Cybersecurity, have uncovered a Chinese-speaking threat actor conducting a widespread campaign targeting misconfigured Microsoft IIS servers. The adversary deployed a malicious IIS module dubbed “TOLLBOOTH”, a modified “Hidden” rootkit, and a Godzilla-forked webshell framework to maintain persistence and hide its operations.
“Threat actors are abusing misconfigured IIS servers using publicly exposed machine keys,” Elastic stated, adding that “the main objective appears to be to install an IIS backdoor, called TOLLBOOTH, that includes SEO cloaking and webshell capabilities.”
Elastic’s joint investigation revealed that the attackers exploited ASP.NET machine keys—cryptographic secrets used to protect authentication cookies and ViewState data—that had been carelessly published online, including on Microsoft documentation and StackOverflow.
By leveraging these publicly exposed keys, the attackers could forge serialized payloads and execute arbitrary commands through ViewState deserialization attacks.
“We have reason to believe this is part of an opportunistic campaign targeting Windows web servers using publicly exposed machine keys,” the researchers wrote, describing it as a large-scale, automated operation abusing shared configuration keys across geographies and industries.
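The root cause described above is a static ASP.NET machineKey copied from a public source into web.config. The following audit script is an added example, not code from the Elastic/TAMUS report: it parses a web.config, reports whether the validationKey and decryptionKey are static, checks them against a fingerprint list of known-public keys (the list here is a constructed placeholder; populate it from a vetted source), and generates a fresh, unique machineKey element for rotation. The web.config content and key values are constructed for this example.

```python
"""Audit an ASP.NET web.config for static or publicly known machine keys.

Added example (not from the Elastic/TAMUS report). Assumptions: the
web.config is passed as a string; KNOWN_PUBLIC_KEY_FINGERPRINTS is a
placeholder set standing in for a real list of published keys.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Placeholder fingerprints (SHA-256 of the upper-cased hex key). Constructed
# for this example; a real deployment would load these from a vetted list.
KNOWN_PUBLIC_KEY_FINGERPRINTS = {
    hashlib.sha256(("A" * 128).encode()).hexdigest(),
}

# Values ASP.NET treats as "generate per application" rather than a fixed key.
AUTO_VALUES = {"", "AUTOGENERATE", "AUTOGENERATE,ISOLATEAPPS"}


def _fingerprint(hex_key: str) -> str:
    # Normalise case so the same key in upper or lower hex matches.
    return hashlib.sha256(hex_key.upper().encode()).hexdigest()


def audit_machine_key(web_config_xml: str) -> dict:
    """Return {'present': bool, 'static': [attrs], 'public': [attrs]}.

    'static' lists key attributes that are fixed values (fine if they are
    unique to this deployment); 'public' lists those matching a known
    published key, which is the condition the campaign abused.
    """
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    result = {"present": mk is not None, "static": [], "public": []}
    if mk is None:
        return result
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value.upper() in AUTO_VALUES:
            continue
        result["static"].append(attr)
        if _fingerprint(value) in KNOWN_PUBLIC_KEY_FINGERPRINTS:
            result["public"].append(attr)
    return result


def generate_machine_key_element() -> str:
    """Build a replacement <machineKey> with freshly generated random keys.

    64 random bytes for HMACSHA256 validation and 32 bytes for AES decryption,
    rendered as upper-case hex as ASP.NET expects.
    """
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" '
        f'validation="HMACSHA256" decryption="AES" />'
    )


if __name__ == "__main__":
    # Constructed web.config using the placeholder "public" key.
    sample = (
        '<configuration><system.web>'
        f'<machineKey validationKey="{"A" * 128}" decryptionKey="{"B" * 64}" '
        'validation="HMACSHA256" decryption="AES" />'
        '</system.web></configuration>'
    )
    print(audit_machine_key(sample))
    print(generate_machine_key_element())
```

Run it against each web.config (and applicationHost.config, where keys can also be set) on the server; any key listed under `public` should be rotated with `generate_machine_key_element()` and the new value kept unique to the deployment, otherwise the server is reinfected as soon as it is cleaned.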

Elastic and TAMUS identified the activity cluster as REF3927, connecting it to campaigns previously documented by Microsoft in February and AhnLab in April, both involving similar malware toolsets and behaviors.
Once a vulnerable IIS server was compromised, the attackers deployed webshells, including a modified Godzilla framework—named Z-Godzilla_ekp—to establish persistence and execute commands remotely. This customized variant features an AMSI bypass plugin and encrypted communications designed to mimic normal web traffic.
“The Z-Godzilla_ekp toolkit provides operators with privilege escalation, file management, credential theft, and in-memory payload execution,” Elastic explained. “Its traffic is AES-encrypted and embedded within HTTP POST parameters to blend into legitimate network activity.”
When initial persistence methods failed, the threat actor deployed GotoHTTP, a legitimate Remote Monitoring and Management (RMM) tool, which let the operators control the compromised system directly through a web browser over HTTPS—bypassing conventional network detection mechanisms.
At the center of the campaign is TOLLBOOTH, a malicious IIS module capable of traffic hijacking, SEO cloaking, and command execution.
Elastic’s analysis identified both native and .NET versions of the module, each dynamically configured via JSON files retrieved from the attacker’s server at c.cseo99[.]com.
The backdoor exposes a webshell interface at /mywebdll, protected by the password hack123456!, which allows the attacker to upload files and execute commands.
TOLLBOOTH also contains multiple management endpoints (/health, /debug, /clean) for monitoring and updating the module, and a built-in SEO cloaking engine to disguise its activity.
“The main goal of TOLLBOOTH is SEO cloaking,” Elastic explained. “It presents keyword-optimized content to search engine crawlers, while redirecting human visitors to fraudulent or malicious pages.”
By differentiating between search engine bots and human visitors, the module manipulates site rankings and directs unsuspecting users to malicious domains—an approach Elastic called a “link farm network” used to propagate malware and monetize traffic across infected sites.
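Two of the behaviours described above leave traces in ordinary IIS W3C logs: requests to the module's management and webshell paths, and the cloaking pattern where crawler user-agents receive content while browsers are redirected. The script below is an added example, not code from the report: it parses the W3C `#Fields:` header to map columns, flags hits on the paths named in the article (with /mywebdll as high confidence and the generic /health, /debug, /clean marked for review), and reports paths where every crawler request got a 2xx while every non-crawler request got a 3xx. The log lines and the crawler user-agent markers are constructed for this example.

```python
"""Hunt for TOLLBOOTH-style traces in IIS W3C extended log files.

Added example (not from the Elastic/TAMUS report). Sample log lines below are
constructed; IIS writes spaces inside a field as '+', which the parser relies on.
"""
from collections import defaultdict

# Paths named in the report. /mywebdll is the webshell; the other three are
# common enough in legitimate apps that they only warrant review.
HIGH_CONFIDENCE_PATHS = {"/mywebdll"}
REVIEW_PATHS = {"/health", "/debug", "/clean"}

# Assumption: substrings identifying search-engine crawlers (extend as needed).
CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot", "duckduckbot")

# Constructed sample log: one cloaked path, one webshell POST, one /health probe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-10-01 08:00:01 10.0.0.5 GET /index.aspx - 443 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 12
2025-10-01 08:00:05 10.0.0.5 GET /index.aspx - 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/118 https://www.google.com/ 302 3
2025-10-01 08:00:09 10.0.0.5 GET /index.aspx - 443 203.0.113.10 Mozilla/5.0+(Macintosh)+Safari/605 https://www.bing.com/ 302 4
2025-10-01 08:01:00 10.0.0.5 POST /mywebdll - 443 203.0.113.50 Mozilla/5.0+(Windows+NT+10.0)+Chrome/118 - 200 41
2025-10-01 08:02:00 10.0.0.5 GET /health - 443 203.0.113.50 curl/8.4.0 - 200 2
2025-10-01 08:03:00 10.0.0.5 GET /about.aspx - 443 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0)+Chrome/118 - 200 8
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        yield dict(zip(fields, parts))


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def find_management_hits(records):
    """Return (client ip, path, confidence) for requests to TOLLBOOTH paths."""
    hits = []
    for r in records:
        path = r["cs-uri-stem"].lower()
        if path in HIGH_CONFIDENCE_PATHS:
            hits.append((r["c-ip"], path, "high"))
        elif path in REVIEW_PATHS:
            hits.append((r["c-ip"], path, "review"))
    return hits


def find_cloaking(records):
    """Paths where crawlers always got 2xx and non-crawlers always got 3xx."""
    per_path = defaultdict(lambda: {"bot": [], "human": []})
    for r in records:
        bucket = "bot" if is_crawler(r["cs(User-Agent)"]) else "human"
        per_path[r["cs-uri-stem"]][bucket].append(int(r["sc-status"]))
    suspicious = []
    for path, seen in per_path.items():
        if (seen["bot"] and seen["human"]
                and all(200 <= c < 300 for c in seen["bot"])
                and all(300 <= c < 400 for c in seen["human"])):
            suspicious.append(path)
    return suspicious


def analyze(text=SAMPLE_LOG):
    records = list(parse_w3c(text))
    return {"management_hits": find_management_hits(records),
            "cloaking": find_cloaking(records)}


if __name__ == "__main__":
    print(analyze())
```

The cloaking check needs traffic from both populations on the same path, so run it over a full day of logs rather than a short window; a site that legitimately redirects everyone (bots included) will not trigger it, which is the point of requiring the two groups to diverge.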
The attackers also deployed a kernel-mode rootkit based on the open-source project “Hidden”, rebranded as HIDDENDRIVER.
Elastic’s reverse engineering revealed that the rootkit uses Direct Kernel Object Manipulation (DKOM) to hide processes, files, and registry keys from system monitoring tools like Process Explorer.
“The rootkit’s InitializeStealthMode hides every artifact associated with the malware, including registry keys, the .sys driver file, and related components,” Elastic noted.
Additionally, the userland companion app HIDDENCLI, written in Chinese, manages the rootkit’s operations, adding or removing hidden objects via IOCTL commands.
The modifications to the original “Hidden” project included automatic process whitelisting and enhanced anti-detection logic, indicating the threat actor’s technical sophistication.
In collaboration with Validin’s global scanning infrastructure, Elastic and TAMUS identified 571 IIS servers worldwide infected with TOLLBOOTH, spanning industries from finance and logistics to government and academia.
Interestingly, no victims were located in mainland China, aligning with typical geofencing patterns used by Chinese-speaking actors to avoid domestic exposure.
“The geographic distribution of victims notably excludes any servers within China’s borders,” the report confirmed. “This aligns with behaviors seen in other criminal threats that implement mechanisms to avoid targeting their home countries.”
Elastic also observed repeated reinfections, suggesting that many organizations removed the malware without addressing the underlying configuration flaw—the reuse of public machine keys.