
In a targeted and technically advanced cyber operation discovered in February 2025, the AhnLab Security Intelligence Center (ASEC) exposed a sophisticated campaign against South Korean web servers. The actor—suspected to be Chinese-speaking—deployed a malicious native module on Microsoft IIS servers, enabling complete control over inbound web traffic and stealthy backdoor capabilities.
The campaign began with initial access via poorly secured web servers, followed by the use of .NET loader malware and a custom web shell backdoor. The ultimate payload was a malicious IIS native module that allowed the attackers to intercept, manipulate, and redirect all HTTP requests.
“When the malicious IIS native module is loaded into the w3wp.exe process, it intercepts all HTTP requests being sent to the web server,” ASEC explains.
This module was deployed using legitimate tools such as AppCmd.exe, blending seamlessly into normal administrative activity. The attacker’s installation command registered the module as “IsapiCachesModule,” specifically for 64-bit worker processes.
“As a result… the w3wp.exe process loads caches.dll, the IIS native module malware, into the memory,” ASEC notes.
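As an added example (not code from the ASEC report), a small audit script that parses the `<globalModules>` section of IIS's applicationHost.config and flags native modules loaded from outside the IIS installation directory, which is what a registration like the one described above leaves behind. The embedded configuration is constructed: only the IsapiCachesModule/caches.dll pair comes from the report, and its directory, the other module names, and the high-risk directory list are assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Every native module shipped with IIS itself lives in this directory.
IIS_DIR = ntpath.normcase(r"%windir%\system32\inetsrv")
# Directories a native module should never be loaded from (assumed list):
# web content roots, temp and profile paths are writable from a web shell.
HIGH_RISK_DIRS = ("\\inetpub\\", "\\temp\\", "\\users\\", "\\programdata\\")

# Constructed sample of applicationHost.config. Only the IsapiCachesModule /
# caches.dll pair mirrors the ASEC report; its path and the other entries are
# placeholders, not indicators taken from the report.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleVendorModule" image="%ProgramFiles%\ExampleVendor\vendor.dll" />
      <add name="IsapiCachesModule" image="C:\inetpub\wwwroot\caches.dll" preCondition="bitness64" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def audit_global_modules(config_xml):
    """Return one (name, image, verdict) tuple per native module registered in
    <globalModules> whose DLL is not loaded from the IIS installation directory."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            # normcase lowercases and unifies slashes so paths compare reliably;
            # %windir% is left unexpanded so the check is host-independent.
            folder = ntpath.dirname(ntpath.normcase(image))
            if folder == IIS_DIR:
                continue  # stock IIS module, nothing to report
            if any(marker in folder + "\\" for marker in HIGH_RISK_DIRS):
                verdict = "high: DLL in a writable or web content directory"
            else:
                verdict = "review: third-party path, confirm the vendor"
            precondition = entry.get("preCondition", "")
            if precondition.lower().startswith("bitness"):
                verdict += "; loads only into %s worker processes" % precondition
            findings.append((name, image, verdict))
    return findings


if __name__ == "__main__":
    for name, image, verdict in audit_global_modules(SAMPLE_CONFIG):
        print("%-20s %-50s %s" % (name, image, verdict))
```

On a live server the same function can be pointed at `%windir%\System32\inetsrv\config\applicationHost.config`, and any "high" finding should be cross-checked against the module's signature and creation time.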
The backdoored IIS module inserted hooks at three crucial points in the HTTP pipeline:
- OnGlobalPreBeginRequest
- OnBeginRequest
- OnSendResponse
These allowed the actor to exert global and granular control over web traffic. Embedded within were five malicious classes designed for covert operations:
| Class Name | Function |
|---|---|
| WebdllServer | Executes files by parsing query strings, enabling web shell actions |
| RedirectServer | Redirects victims to attacker-controlled pages |
| AffLinkServer | Injects affiliate banners via malicious cookies or parameters |
| HiJackServer | Responds to hidden URIs for health checks and configuration manipulation |
| UploadServer | Provides hidden file upload capabilities via the /mywebdll endpoint |
“Covert and powerful control and modification of the web packets requested by users can be performed across the entire IIS pipeline,” the report states.
To further conceal operations, the attackers used a Chinese-language file-hiding utility named HijackDriverManager, which leveraged the Winkbj.sys rootkit driver. This utility, with a GUI in Chinese, was used to hide kernel-level objects, making the malicious IIS module invisible to most security tools.
“The buttons in the utility’s GUI were all labeled in Chinese… used to conceal the malicious IIS module from security products.”
Also found was Gh0st RAT, a notorious Chinese APT-linked backdoor, offering full system control including file, shell, screen, audio, and keyboard management.
Finally, there is a .NET-based WebShell loader compiled dynamically by the ASP.NET runtime. A temporary DLL was created upon visiting the compromised server, decoding and decrypting Base64 data from the HTTP request body and executing it in-memory.
“It operates in a fileless form because assembly is loaded into memory… presumed that the final executed malware would have performed web shell functions.”
Cyber defenders, especially those managing web-facing IIS infrastructure, are urged to audit server configurations, monitor for abnormal module registrations, and deploy behavior-based EDR solutions to detect fileless payload execution.