"OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities," ReliaQuest concluded in its analysis.
ReliaQuest ties OP-512 to China-linked espionage
Researchers at ReliaQuest have identified a previously unreported threat cluster they designated OP-512 — with "OP" standing for "opponent" — and assessed with moderate to high confidence that the activity is linked to China. ReliaQuest described the activity as espionage-focused and said the targeted organization’s sector and geography align with "China-linked intelligence priorities." The company shared its report with The Hacker News.
A three-piece custom web shell framework that timestomps
Central to OP-512's operations is a bespoke web shell framework made up of three distinct web shells. According to ReliaQuest, the framework grants remote access while deploying multiple measures to evade signature-based detection and complicate forensic timelines. One notable technique is timestomping: the web shells scan every file and sub-folder around their deployment location, calculate the median last-modified timestamp, and then overwrite their own creation and modification times to match that median — creating the impression the artifacts have been present for a longer period.
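A defender-side check for the trace this technique leaves, as an added example and not ReliaQuest's code: after the median snap the shell's modification time coincides with the subtree median, and because inserting a value equal to the median does not move the median, the coincidence still holds when a responder recomputes it afterwards. The script-extension list, the one-second tolerance and the sample tree are assumptions constructed for this illustration.

```python
import os
import statistics
import tempfile
import time
from pathlib import Path

# Extensions IIS hands to a script engine when they sit in a served folder
# (assumed list for this illustration).
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".soap", ".cshtml"}


def subtree_median_mtime(root: Path) -> float:
    """The value the shells compute: median mtime of every file under root."""
    return statistics.median(p.stat().st_mtime for p in root.rglob("*") if p.is_file())


def find_median_aligned(root, tolerance: float = 1.0) -> list:
    """Script files whose mtime sits within `tolerance` seconds of the subtree
    median.  Adding a value equal to the median leaves the median unchanged,
    so a stomped file still coincides with a median computed after the fact."""
    root = Path(root)
    med = subtree_median_mtime(root)
    return sorted(
        p for p in root.rglob("*")
        if p.is_file()
        and p.suffix.lower() in SCRIPT_EXTS
        and abs(p.stat().st_mtime - med) <= tolerance
    )


def build_sample_tree() -> Path:
    """Constructed sample tree: seven content files a day apart, one legitimate
    handler at the newest time, and upload/shell.ashx stomped to the median."""
    root = Path(tempfile.mkdtemp(prefix="iis-app-"))
    (root / "upload").mkdir()
    base = time.time() - 30 * 86400
    for i in range(7):
        f = root / f"content{i}.jpg"
        f.write_bytes(b"\xff\xd8")
        os.utime(f, (base + i * 86400, base + i * 86400))
    legit = root / "handler.ashx"
    legit.write_text("<%@ WebHandler %>")
    os.utime(legit, (base + 6 * 86400, base + 6 * 86400))
    shell = root / "upload" / "shell.ashx"
    shell.write_text("placeholder for the dropped file")
    median = subtree_median_mtime(root)       # what the shell would compute
    os.utime(shell, (median, median))         # the timestomp the report describes
    return root
```

Run it over a copy of the application's upload tree; the hit list is for review rather than verdict, since a genuinely median-aged handler would be listed too.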
ReliaQuest emphasized the framework’s unusual feature set: each deployment is uniquely generated, access is restricted through cryptographic controls, and compromised servers automatically report back for centralized management at scale. "This framework combines capabilities we rarely see together," the firm wrote.
How OP-512 infiltrated a legacy IIS host
- The observed intrusion targeted an Internet Information Services (IIS) server running Windows Server 2016 with end-of-life .NET Framework 4.0.
- ReliaQuest found evidence of prior activity on the same host roughly 75 days before the primary incident, including DNS queries to an attacker-controlled domain: ashx.lhlsjcb[.]com.
- Weeks later, in what ReliaQuest called a "sprint," the threat actor used the IIS worker process (w3wp.exe) to drop one of the web shells into the application's upload directory.
- Once in place, the web shell triggered a self-reporting mechanism: it used a DNS query, or an HTTP request as a fallback, to transmit the web shell’s location to an attacker-controlled domain.
After deployment, the three web shells worked in concert. "Together, the three web shells gave the attacker file management, authenticated command execution through two independent access paths, and automated reporting of the compromise, all before anyone had time to respond," ReliaQuest said. The actor also attempted privilege escalation to SYSTEM using the Potato Suite and ran commands such as "whoami /priv" to confirm privileges.
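The intrusion steps above (the worker process dropping a handler into the upload directory, the self-report by DNS, and w3wp.exe running privilege checks) each leave a distinct trace in endpoint telemetry. As an added example, not part of the report, this is detection logic over constructed events that use Sysmon's field names for Event ID 22 (DNS query), 11 (file create) and 1 (process create); the expected-domain allow-list is an assumption, and the only indicator is the domain the report names.

```python
W3WP = "w3wp.exe"
# Domains the application legitimately resolves (assumption for the sample).
EXPECTED_DOMAINS = {"api.internal.example"}
# Indicator quoted in the report, kept de-fanged and normalised on use.
REPORTED_DOMAINS = {"ashx.lhlsjcb[.]com"}
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()

def detect(event: dict):
    """Return (rule, severity) when an event matches one of the three behaviours, else None."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if eid == 22 and image.endswith(W3WP):          # DNS query issued by the worker
        query = event.get("QueryName", "").lower()
        if query in {refang(d) for d in REPORTED_DOMAINS}:
            return ("w3wp_dns_reported_indicator", "high")
        if query not in EXPECTED_DOMAINS:
            return ("w3wp_dns_unexpected_domain", "medium")
    if eid == 11 and image.endswith(W3WP):          # file created by the worker
        target = event.get("TargetFilename", "").lower()
        if target.endswith(SCRIPT_EXTS) and "\\upload\\" in target:
            return ("w3wp_wrote_script_into_upload_dir", "high")
    if eid == 1 and parent.endswith(W3WP):          # worker spawned a child process
        cmdline = event.get("CommandLine", "").lower()
        if image.endswith(("cmd.exe", "powershell.exe")) or "whoami" in cmdline:
            return ("w3wp_spawned_shell", "high")
    return None

def scan(events):
    hits = []
    for e in events:
        hit = detect(e)
        if hit:
            hits.append((e["EventID"], *hit))
    return hits

# Constructed sample telemetry in Sysmon's field names (not taken from the report).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "QueryName": "api.internal.example"},
    {"EventID": 22, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "QueryName": "ashx.lhlsjcb.com"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "TargetFilename": r"C:\inetpub\wwwroot\app\upload\photo.jpg"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "TargetFilename": r"C:\inetpub\wwwroot\app\upload\x.ashx"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /priv"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
```

The DNS rule is the durable one: a worker process that serves a fixed application has a small, knowable set of names it should ever resolve, so anything outside it is worth a look even when no indicator is known yet.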
Tactical proximity to other China-aligned clusters and the broader IIS focus
ReliaQuest noted OP-512 is the fourth distinct cluster observed to single out IIS web servers in the past 12 months, following CL-STA-0048, DragonRank, and GhostRedirector. While researchers found no direct overlaps between OP-512 and other China-aligned adversaries, they acknowledged close tactical proximity to CL-STA-0048, raising the possibility that OP-512 either represents an existing cluster that has revamped its toolset or a separate actor that developed similar capabilities independently. ReliaQuest characterized OP-512 as a distinct cluster operating autonomously.
Other reporting underscores the wider trend: last month Cisco Talos revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers. Separately, the group SHADOW-EARTH-053 has targeted IIS servers as part of a China-aligned espionage campaign aimed at government and defense sectors across South, East, and Southeast Asia.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The bespoke nature of OP-512’s framework — unique deployments, cryptographic access controls, timestomping, and automated reporting — means signature-based detection and rule sets tuned to known actors may miss these intrusions. Teams should be particularly attentive to Internet-facing IIS servers running legacy, unsupported software such as Windows Server 2016 with .NET Framework 4.0.
- Policymakers and regulators: The attribution to a China-linked espionage focus and the repeated targeting of IIS servers across multiple clusters reinforce the need to communicate risks tied to legacy public-facing infrastructure and to prioritize mitigations for systems that are end-of-life.
- Affected enterprises and procurement leaders: That four China-linked clusters have targeted IIS in under a year suggests the technology remains a preferred entry point. Organizations that rely on legacy IIS deployments should consider patching, upgrading, or decommissioning unsupported stacks to reduce exposure.
ReliaQuest warned that what sets OP-512 apart is not just its target but its toolset. "What should concern defenders most is what makes OP-512 different," the firm wrote: it is not reusing commodity tooling but employing a purpose-built framework "designed to defeat the detection methods that work against the other three clusters." In short, defenders who have tuned their controls to recognized actors may find those defenses insufficient — and the question left open is whether other clusters will follow OP-512's lead in developing similarly bespoke, hard-to-detect capabilities.