
OP-512 Microsoft IIS espionage campaign

Type: Campaign
Happening score: 52
1 unique source, 1 article

Summary


OP-512 is an active espionage campaign targeting Microsoft IIS servers with a bespoke web shell framework, increasing the risk of stealthy remote access on exposed legacy systems. The activity was assessed as China-linked and appears tuned to organizations whose sector and geography fit those intelligence priorities. The campaign stands out for using custom tooling, timestomping, and DNS/HTTP self-reporting to reduce detection and preserve access.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign · First: 06.05.2026 16:02 · Last: 06.05.2026 16:02 · Sources: 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign · First: 01.05.2026 17:02 · Last: 01.05.2026 17:02 · Sources: 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

CL-UNK-1068 years-long espionage campaign targeting Asian organizations

Campaign · First: 09.03.2026 09:21 · Last: 09.03.2026 09:21 · Sources: 1

About this happening: A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...

UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers

Campaign · First: 30.01.2026 14:08 · Last: 30.01.2026 14:08 · Sources: 1

About this happening: **UAT-8099** launched a **late 2025 to early 2026** campaign against **vulnerable IIS servers** across **Asia**, with the strongest concentration in **Thailand and Vietnam**. The...

BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam

Malware Activity · First: 30.01.2026 14:08 · Last: 30.01.2026 14:08 · Sources: 1

About this happening: **BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...

Timeline

  1. 05.06.2026 15:33 · 2 articles

    OP-512 targets Microsoft IIS servers with a custom web shell framework

    Initial Disclosure

    ReliaQuest identified OP-512 as a previously unreported threat cluster targeting Microsoft Internet Information Services (IIS) servers with a bespoke web shell framework. The activity was assessed as highly likely China-linked espionage. In the observed intrusion, the IIS worker process (w3wp.exe) dropped a web shell, after which the actor relied on DNS/HTTP self-reporting, timestomping, and Potato Suite privilege escalation attempts on a legacy Windows Server 2016 host running end-of-life .NET Framework 4.0.