An AI Agent Spots What Analysts Might Have Missed
ReliaQuest Threat Research has identified a new espionage group it calls OP-512, and the discovery itself is part of the story. According to the report, ReliaQuest’s Agentic AI stitched together a high volume of seemingly unrelated suspicious events across a customer’s environment into one high-priority incident. Human analysts then reviewed and confirmed the findings, revealing a coordinated intrusion on a compromised Internet Information Services (IIS) server.
A New Name in a Crowded Field
The OP-512 China-linked cluster is assessed with moderate-high confidence as a previously undocumented group. It’s at least the fourth China-linked operation found targeting IIS servers over the past year, joining the ranks of CL-STA-0048, GhostRedirector, and DragonRank. However, its tooling doesn’t match any of them cleanly.
There’s overlap worth noting. Both OP-512 and CL-STA-0048 use hex-encoded DNS subdomain queries, an unusual technique. Yet the purposes differ. CL-STA-0048 uses this method to exfiltrate stolen data, while OP-512 uses it to report a freshly deployed web shell’s location back to its operators. Researchers therefore suspect shared tooling or training across a broader ecosystem, even while tracking these groups separately.

Patience, Then a Burst of Activity
The compromised server ran Windows Server 2016 with an end-of-life .NET Framework 4.0, unsupported since 2016. Telemetry showed the same host had been flagged for web shell activity 75 days earlier. Rather than abandoning the target, the attacker returned and moved fast.
Within seconds of dropping the first web shell, a self-reporting mechanism activated, sending the file’s location via DNS query, with an HTTP fallback if that failed. Two more web shells followed shortly after, giving the attacker file management and two separate authenticated command channels.
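The self-reporting beacon described above, a hex-encoded DNS subdomain that carries the web shell's own path, is something resolver logs can be hunted for directly: decode every leading run of hex-only labels and keep only results that come out as printable text. The following is an added example and not code from ReliaQuest's report; the three-column log format, the sample lines and the thresholds are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample resolver log (not from the report): "timestamp client qname".
# The second line carries the hex of C:\inetpub\wwwroot\x.aspx as its first label;
# the "deadbeef" lines are short or non-printable hex labels that must not be flagged.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 www.microsoft.com
2024-05-01T10:00:02Z 10.0.0.15 433a5c696e65747075625c777777726f6f745c782e61737078.lookup.example
2024-05-01T10:00:05Z 10.0.0.22 deadbeef.cdn.example
2024-05-01T10:00:06Z 10.0.0.22 deadbeefdeadbeef.cdn.example
2024-05-01T10:00:09Z 10.0.0.15 mail.example.org
"""

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
# Drive-letter, UNC or rooted path: the kind of value a web shell would report about itself.
PATH_LIKE = re.compile(r"^([A-Za-z]:\\|\\\\|/)")


def decode_hex_labels(qname: str, min_bytes: int = 8) -> Optional[str]:
    """Join the leading run of even-length hex-only labels (a long value has to be
    split across labels because one DNS label holds at most 63 characters), decode
    it, and return the text only if it is printable ASCII of a meaningful length."""
    run: List[str] = []
    for label in qname.rstrip(".").split("."):
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            run.append(label)
        else:
            break
    if not run:
        return None
    data = bytes.fromhex("".join(run))
    if len(data) < min_bytes:
        return None  # too short to carry a path; avoids flagging tokens like "deadbeef"
    if not all(32 <= b < 127 for b in data):
        return None  # a beacon decodes to text; hex that happens to occur in hostnames rarely does
    return data.decode("ascii")


def scan_dns_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per query whose leading labels decode to printable text."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        decoded = decode_hex_labels(qname)
        if decoded is None:
            continue
        findings.append({
            "ts": ts,
            "client": client,
            "qname": qname,
            "decoded": decoded,
            "path_like": bool(PATH_LIKE.match(decoded)),
        })
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f['ts']} {f['client']} -> {f['decoded']!r} (path-like: {f['path_like']})")
```

A finding whose decoded value is path-like, and whose source is a web server, is the one to escalate. Since the report notes an HTTP fallback, the same decoded string is also worth searching for in proxy and IIS request logs, where it would appear in a URL or body rather than a query name.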
Built to Beat Signature Detection
What sets OP-512 apart is its custom web shell framework. Each deployment is cryptographically unique, using RSA signature verification and RC4 encryption, plus timestomping to make files appear years old. The command handlers were generated from what looks like an automated builder: identical logic, but randomized variable names and junk code in each copy, producing different file hashes every time.
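Timestomping of the kind described above leaves a contradiction a defender can check for without any signature: a file whose last-write time predates its own creation time, or a file whose timestamps predate the directory that holds it. The following is an added example, not code from the report; the FileTimes records are constructed, and the assumption that os.stat exposes a creation time (st_birthtime on macOS/BSD, st_ctime on Windows, nothing on Linux) is stated in the code.

```python
import os
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional


@dataclass
class FileTimes:
    path: str
    created: Optional[datetime]         # creation time as the filesystem reports it (None if unavailable)
    modified: datetime                  # last-write time
    parent_created: Optional[datetime]  # creation time of the directory holding the file


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records (not from the report) for a web root created in 2023.
SAMPLE_RECORDS = [
    # Normal file: written after it was created, created after its directory.
    FileTimes("wwwroot/default.aspx", _ts("2023-06-01T09:00:00"), _ts("2023-06-02T11:30:00"),
              _ts("2023-06-01T08:00:00")),
    # Last-write time pushed back years, creation time left alone.
    FileTimes("wwwroot/upload/x.aspx", _ts("2024-05-01T10:00:02"), _ts("2015-08-20T03:12:00"),
              _ts("2023-06-01T08:00:00")),
    # Both timestamps pushed back, but the directory itself is newer than either.
    FileTimes("wwwroot/upload/y.aspx", _ts("2015-08-20T03:12:00"), _ts("2015-08-20T03:12:00"),
              _ts("2023-06-01T08:00:00")),
]


def timestamp_anomalies(records: Iterable[FileTimes]) -> List[str]:
    """Return paths whose timestamps are impossible for a normally written file:
    modified before it was created, or created before the directory holding it
    existed. Both are what a 'make it look years old' stomp leaves behind."""
    hits: List[str] = []
    for r in records:
        if r.created is not None and r.modified < r.created:
            hits.append(r.path)
        elif r.created is not None and r.parent_created is not None and r.created < r.parent_created:
            hits.append(r.path)
    return hits


def collect_times(root: str) -> List[FileTimes]:
    """Walk a real directory and build FileTimes from os.stat (assumption: Windows
    reports creation time in st_ctime, macOS/BSD in st_birthtime; Linux reports none,
    so there both checks are skipped rather than guessed)."""
    def created(st: os.stat_result) -> Optional[datetime]:
        raw = getattr(st, "st_birthtime", None)
        if raw is None and sys.platform == "win32":
            raw = st.st_ctime
        return None if raw is None else datetime.fromtimestamp(raw, tz=timezone.utc)

    out: List[FileTimes] = []
    for dirpath, _dirs, files in os.walk(root):
        dir_created = created(os.stat(dirpath))
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            out.append(FileTimes(p, created(st),
                                 datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
                                 dir_created))
    return out


if __name__ == "__main__":
    print(timestamp_anomalies(SAMPLE_RECORDS))
```

The second check matters because an attacker who stomps both creation and modification times defeats the first one; the directory's own creation time is harder to make consistent. Where a full forensic answer is needed, the $FILE_NAME timestamps in the NTFS MFT are the authoritative comparison; this check is the cheap first pass that can run on a live server.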
The attacker also loaded privilege escalation tools, including pieces of the “Potato Suite,” straight into the web server’s memory without touching disk. Commands like whoami were issued in base64, matching strings previously seen in a separate China-linked Flax Typhoon incident, another data point suggesting a shared playbook.
When Prevention Isn’t Enough
Endpoint protection did terminate the malicious process, but IIS automatically restarts crashed worker processes. The attacker’s tools simply reloaded each time, creating a loop that prevention alone couldn’t break. Four malicious DLLs compiled from the web shells were later found in the ASP.NET temporary directory, persisting even after the original files were removed.
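Because killing w3wp.exe only makes IIS restart it, the detection worth writing here is a correlation rather than a block: repeated worker-process kill/restart cycles on one host, combined with assemblies loaded into w3wp.exe from memory instead of from a file on disk (the reflective loading described above). The following is an added example and not ReliaQuest's code; the telemetry schema (event names, an empty "path" marking an in-memory load, the termination reasons) and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed sample endpoint telemetry (not from the report). "path" is the file
# backing a loaded assembly and is empty when the CLR loaded it from a byte array,
# i.e. nothing touched disk. Terminations carry the reason the sensor recorded.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ts": "2024-05-01T10:00:00Z", "host": "web01", "event": "assembly_load", "process": "w3wp.exe",
     "path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll"},
    {"ts": "2024-05-01T10:00:04Z", "host": "web01", "event": "assembly_load", "process": "w3wp.exe", "path": ""},
    {"ts": "2024-05-01T10:00:05Z", "host": "web01", "event": "process_terminated", "process": "w3wp.exe",
     "reason": "blocked_by_endpoint_protection"},
    {"ts": "2024-05-01T10:00:07Z", "host": "web01", "event": "process_started", "process": "w3wp.exe",
     "parent": "svchost.exe"},
    {"ts": "2024-05-01T10:01:10Z", "host": "web01", "event": "assembly_load", "process": "w3wp.exe", "path": ""},
    {"ts": "2024-05-01T10:01:11Z", "host": "web01", "event": "process_terminated", "process": "w3wp.exe",
     "reason": "blocked_by_endpoint_protection"},
    {"ts": "2024-05-01T10:01:13Z", "host": "web01", "event": "process_started", "process": "w3wp.exe",
     "parent": "svchost.exe"},
    {"ts": "2024-05-01T10:02:30Z", "host": "web01", "event": "assembly_load", "process": "w3wp.exe", "path": ""},
    {"ts": "2024-05-01T10:02:31Z", "host": "web01", "event": "process_terminated", "process": "w3wp.exe",
     "reason": "blocked_by_endpoint_protection"},
    {"ts": "2024-05-01T10:02:33Z", "host": "web01", "event": "process_started", "process": "w3wp.exe",
     "parent": "svchost.exe"},
    # Benign noise on another host: one scheduled application-pool recycle.
    {"ts": "2024-05-01T10:03:00Z", "host": "web02", "event": "process_terminated", "process": "w3wp.exe",
     "reason": "app_pool_recycle"},
    {"ts": "2024-05-01T10:03:02Z", "host": "web02", "event": "process_started", "process": "w3wp.exe",
     "parent": "svchost.exe"},
]

WORKER = "w3wp.exe"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def in_memory_assembly_loads(events: List[Dict[str, Any]], process: str = WORKER) -> List[Dict[str, Any]]:
    """Assemblies loaded into the IIS worker with no backing file: the reflective-load
    behaviour that hash-based controls never see because nothing is written to disk."""
    return [e for e in events
            if e["event"] == "assembly_load" and e["process"] == process and not e.get("path")]


def restart_loops(events: List[Dict[str, Any]], process: str = WORKER,
                  window: timedelta = timedelta(minutes=10), threshold: int = 3) -> Dict[str, int]:
    """Per host, pair each worker termination with the restart that follows it and
    count how many such cycles fall inside a sliding window. Hosts at or above the
    threshold are returned with their cycle count; a single app-pool recycle is not."""
    cycles_by_host: Dict[str, List[datetime]] = {}
    pending: Dict[str, datetime] = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["process"] != process:
            continue
        if e["event"] == "process_terminated":
            pending[e["host"]] = parse_ts(e["ts"])
        elif e["event"] == "process_started" and e["host"] in pending:
            cycles_by_host.setdefault(e["host"], []).append(pending.pop(e["host"]))
    flagged: Dict[str, int] = {}
    for host, times in cycles_by_host.items():
        best = max(sum(1 for t in times[i:] if t - t0 <= window) for i, t0 in enumerate(times))
        if best >= threshold:
            flagged[host] = best
    return flagged


def build_incident(events: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine the two individually weak signals into one finding, the way the report
    describes many low-priority events being stitched into a single incident."""
    loads = in_memory_assembly_loads(events)
    loops = restart_loops(events)
    hosts = sorted({e["host"] for e in loads} | set(loops))
    if loads and loops:
        severity = "high"
    elif loads or loops:
        severity = "medium"
    else:
        severity = "none"
    return {"hosts": hosts, "in_memory_loads": len(loads), "restart_loops": loops, "severity": severity}


if __name__ == "__main__":
    print(build_incident(SAMPLE_EVENTS))
```

The restart-loop rule on its own would fire on a misbehaving application pool, and the in-memory-load rule on its own would fire on some legitimate frameworks, so neither is escalated alone; it is the pair on the same host that matches the loop the article describes. Once a host is flagged, the compiled DLLs under the ASP.NET temporary directory are the persistence artifact to collect, since the report notes they survived removal of the original web shell files.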
For the full technical breakdown, including code comparisons of the RC4 routines, ReliaQuest has published its complete analysis of the OP-512 cluster.
What Defenders Should Do Now
Organizations running legacy .NET frameworks on internet-facing IIS servers should treat this as urgent. Migration or network segmentation should be prioritized immediately. Because the OP-512 China-linked cluster relies on cryptographic uniqueness rather than reusable signatures, defenders need behavioral detection, particularly around reflective .NET assembly loading and unusual DNS query patterns, to catch this kind of activity before it embeds further.