ctipilot.ch

OP-512 — China-linked cluster, cryptographically-unique self-reporting IIS web-shell framework

actor · actor:OP-512

Coverage timeline: 1 (first 2026-06-06 → last 2026-06-06)
Briefs: 1 (1 distinct)
Sources cited: 12 (10 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-06 · CTI Daily Brief — 2026-06-06
     research · First coverage. ReliaQuest single-source disclosure; per-deployment RSA/RC4 .aspx+.ashx shells on legacy .NET 4.0 IIS, timestomping, hex-DNS self-reporting from w3wp.exe, 75-day dwell.

Where this entity is cited

  • research (1)

Source distribution

  • bleepingcomputer.com: 2 (17%)
  • thehackernews.com: 2 (17%)
  • blog.talosintelligence.com: 1 (8%)
  • kaspersky.com: 1 (8%)
  • lumen.com: 1 (8%)
  • pwc.com: 1 (8%)
  • reliaquest.com: 1 (8%)
  • therecord.media: 1 (8%)
  • other: 2 (17%)

Related entities

All cited sources (12)

Items in briefs about OP-512 — China-linked cluster, cryptographically-unique self-reporting IIS web-shell framework (8)

OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

ReliaQuest documented OP-512, a previously-unreported China-linked espionage cluster targeting internet-facing Microsoft IIS servers running end-of-life .NET Framework 4.0 (ReliaQuest, 2026-06-05) [SINGLE-SOURCE — ReliaQuest original disclosure]. The framework is a three-component web shell — one .aspx file manager plus two .ashx command handlers — that is per-deployment cryptographically unique (RSA signatures and RC4 keys differ per installation), defeating signature-based detection. It carries a timestomping module that matches shell file timestamps to surrounding legitimate IIS artefacts (T1070.006 Timestomp), uses reflective .NET assembly loading to bypass static scanning (T1620), and implements a novel self-reporting beacon: the deployed shell's URL is hex-encoded into a DNS subdomain query issued from w3wp.exe, so the operator is notified of a live shell without actively scanning for it. ReliaQuest found initial access roughly 75 days before the shell was deployed, consistent with patient espionage tradecraft, and notes overlap with the hex-encoded-DNS technique seen in CL-STA-0048 while assessing OP-512 as a separate cluster.

Why it matters to us: Many Swiss and EU public-sector estates still run legacy IIS/ASP.NET portals and intranet apps on .NET 4.0 — exactly OP-512's stated footprint. The detection lesson is concrete: filesystem timestamps are useless for triage here (timestomped), so hunt on behaviour instead — w3wp.exe issuing long hex-string DNS subdomain queries, w3wp.exe spawning cmd.exe/powershell.exe/csc.exe (Sysmon EID 1), reflective-assembly loads, and .aspx/.ashx writes into web roots (Windows Security EID 4663 on inetsrv paths). Hardening: isolate or retire .NET 4.0 servers and apply WDAC/AppLocker to block execution of unsigned web-root artefacts.
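The behavioural hunt sketched above, written out as an added example (not ReliaQuest's disclosure code and not part of this page). It assumes Sysmon-shaped events: EventID 22 (DnsQuery) for the w3wp.exe beacon, EventID 1 (ProcessCreate) for w3wp.exe spawning cmd.exe/powershell.exe/csc.exe, and EventID 11 (FileCreate) standing in for the Security EID 4663 write audit the brief names; the web root C:\inetpub\wwwroot, the .invalid C2 domain and all event values are constructed for the demo, and the decoder assumes a two-label registrable domain (name.tld). Because DNS labels are capped at 63 octets, the decoder joins every hex-only label left of the registrable domain before decoding, so a URL spread over several labels is still recovered.

```python
"""Behavioural hunt for the OP-512 IIS web-shell tradecraft summarised above.

Added example (not ReliaQuest's or ctipilot's code). Events are constructed,
Sysmon-shaped dicts: EventID 22 (DnsQuery), 1 (ProcessCreate), 11 (FileCreate).
Field names follow Sysmon's schema; every value is invented for the demo.
"""
import re
from typing import Iterable, List, Optional

# A label made only of hex digits; length is checked on the joined run, not per label.
HEX_LABEL = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
# Children that w3wp.exe has no routine reason to spawn (the brief's hunt list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "csc.exe"}
# Assumed site physical path; adjust to the server's real web root.
WEB_ROOT = r"c:\inetpub\wwwroot"
SHELL_EXTENSIONS = (".aspx", ".ashx")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_hex_labels(qname: str) -> Optional[str]:
    """Join the hex-only labels left of the registrable domain and decode them.

    Assumes a two-label registrable domain (name.tld). A hex-encoded URL decodes
    to printable ASCII, so that is used as the confirmation; ordinary names and
    hex-looking labels that decode to control bytes return None.
    """
    labels = qname.rstrip(".").split(".")
    hex_part = "".join(lbl for lbl in labels[:-2] if HEX_LABEL.match(lbl))
    if len(hex_part) < 16 or len(hex_part) % 2:
        return None
    try:
        decoded = bytes.fromhex(hex_part).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def hunt(events: Iterable[dict]) -> List[dict]:
    """Return one finding per event matching one of the three OP-512 behaviours."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        image = basename(ev.get("Image", ""))
        if eid == 22 and image == "w3wp.exe":
            decoded = decode_hex_labels(ev["QueryName"])
            if decoded is not None:
                findings.append({"rule": "w3wp_hex_dns_beacon",
                                 "host": ev["Computer"], "decoded": decoded})
        elif (eid == 1 and basename(ev.get("ParentImage", "")) == "w3wp.exe"
              and image in SUSPICIOUS_CHILDREN):
            findings.append({"rule": "w3wp_spawns_shell",
                             "host": ev["Computer"], "child": image})
        elif eid == 11:
            target = ev.get("TargetFilename", "").lower()
            if target.startswith(WEB_ROOT) and target.endswith(SHELL_EXTENSIONS):
                findings.append({"rule": "webroot_script_write",
                                 "host": ev["Computer"], "file": target})
    return findings


def constructed_beacon_name(url: str, c2_domain: str) -> str:
    """Test-data builder: hex-encode a URL and split it into 60-char labels
    (DNS labels max out at 63 octets), then append a constructed C2 domain."""
    h = url.encode("ascii").hex()
    chunks = [h[i:i + 60] for i in range(0, len(h), 60)]
    return ".".join(chunks + [c2_domain])


W3WP = r"c:\windows\system32\inetsrv\w3wp.exe"
SHELL_URL = "http://portal.example.invalid/up.aspx"  # constructed
SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"EventID": 22, "Computer": "iis01", "Image": W3WP, "QueryName": "sts.windows.net"},
    {"EventID": 22, "Computer": "iis01", "Image": W3WP,
     "QueryName": constructed_beacon_name(SHELL_URL, "placeholder-c2.invalid")},
    {"EventID": 1, "Computer": "iis01", "Image": r"c:\windows\system32\cmd.exe",
     "ParentImage": W3WP},
    {"EventID": 1, "Computer": "iis01", "Image": r"c:\windows\system32\cmd.exe",
     "ParentImage": r"c:\windows\system32\svchost.exe"},
    {"EventID": 11, "Computer": "iis01", "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\img\cache.ashx"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints three findings: the decoded beacon URL, the cmd.exe child of w3wp.exe, and the .ashx write under the web root; the svchost.exe-parented cmd.exe and the ordinary sts.windows.net lookup are left alone. The csc.exe entry is kept in the suspicious-child set because the brief lists it, but on sites that still compile pages dynamically it will fire on legitimate builds and needs a per-site baseline.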

VerdantBamboo (UNC5221 / WARP PANDA): an 18-month China-nexus intrusion that lived entirely on EDR-blind edge appliances and proxied into Microsoft 365 past Conditional Access [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-05 · published 2026-06-05

Volexity attributes an incident-response case at a European organisation to a China-linked actor it tracks as VerdantBamboo (assessed with high confidence as UNC5221, also WARP PANDA), with access dating back at least 18 months (Volexity, 2026-06-04). Initial access came through the victim's MSP: the actor had planted a BSD build of the BRICKSTORM Golang backdoor on the MSP's pfSense firewall. The defining tradecraft is deliberate EDR avoidance — every implant sat on appliances that cannot run an endpoint agent (firewall, Synology NAS, a retired GroupWise server) or on an Egnyte Storage Sync Linux VM. BRICKSTORM's proxy capability on the Storage Sync host let the actor route authentication to the victim's M365 tenant through that appliance's trusted egress IP, defeating Conditional Access rules that would have blocked an unrecognised source address (T1090 internal proxy, T1078.004 cloud accounts). After Volexity's first remediation, VerdantBamboo simply re-authenticated to the firewall with stolen admin credentials, re-enabled SSL VPN, and redeployed BRICKSTORM to the NAS — alongside two previously undocumented implants: AGENTPSD (a PyInstaller-packaged Python HTTPS reverse shell kept as a fallback) and PLENET/GRIMBOLT (a .NET Native AOT backdoor on a Linux NAS).

Why it matters to us: this is the precise threat model a federal SOC carries — an MSP relationship plus a fleet of edge appliances that are invisible to EDR by design. Detection has to move off the endpoint: hunt M365 sign-in logs for interactive auth originating from the egress IPs of NAS / storage-sync / firewall appliances (those should never originate user logins), alert on SSL-VPN re-enablement and admin auth to perimeter devices, and treat any appliance the vendor forbids you from instrumenting as an assumed-breach surface. Mandate MFA on all firewall management and SSL-VPN interfaces, and put the MSP's access to your perimeter under the same scrutiny as a privileged insider. [SINGLE-SOURCE] — Volexity primary IR (see § 7).

Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT

From CTI Daily Brief — 2026-06-05 · published 2026-06-05

Proofpoint reports that TA4922, a Chinese-speaking, financially-motivated cluster it assesses as running the highest campaign tempo of any cybercrime actor it tracks, expanded in March–April 2026 from its historical Japanese focus to localised campaigns against UK, German, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04). Lures are carefully tailored in the target's native language — tax-authority, HR/payroll and invoice themes — and the toolkit now pairs the known ValleyRAT (Winos 4.0) with newly observed families: Atlas RAT (a C-based RAT) and RomulusLoader, which DLL-side-loads (T1574.002) AnyDesk and SyncFuture, plus SilentRunLoader, a Python infostealer pulling Chrome credentials and cookies (T1555.003). A notable TTP shift is the deliberate move of conversations to LINE, WhatsApp and Microsoft Teams to pull targets off enterprise email controls before payload delivery.

Why it matters to us: German and UK targeting with native-language tax/payroll lures puts DACH public-sector and finance staff squarely in scope. Hunt for DLL side-loading chains where trusted binaries (AnyDesk, SyncFuture) load from unexpected working directories, for Python processes reaching DPAPI / Chrome credential stores, and for unsolicited inbound contact on LINE/WhatsApp/Teams that pivots to a "document" — the out-of-band channel is where the email gateway loses visibility.

Webworm (China-aligned) shifts to EU government targets — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors documented by ESET, with Belgian, Italian, Serbian, Polish and Spanish governmental victims

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

ESET Research published a technical analysis on 2026-05-20 of Webworm — also tracked as FishMonger / Aquatic Panda / SixLittleMonkeys / Space Pirates — documenting a 2025 campaign pivot to European governmental organisations in Belgium, Italy, Serbia and Poland, plus a South African university; the group has abandoned its prior primary backdoors (Trochilus RAT, McRat / 9002 RAT) in favour of two new custom implants — EchoCreep (which ESET describes as written in Go) and GraphWorm (ESET WeLiveSecurity, 2026-05-20). EchoCreep uses Discord as a bidirectional C2 channel, encoding commands with base64 + AES-CBC-128; it creates per-victim Discord channels named after the victim IP (or IP+hostname), supports file upload/download and cmd.exe command execution, and ESET recovered 433 decrypted Discord messages dating back to 2024-03-21 from four unique victim channels (T1102.002 Web Service: Bidirectional Communication, T1059.003 Windows Command Shell). GraphWorm is more capable: an implant (implementation language not stated in the ESET write-up) that authenticates against the Microsoft Graph API and uses per-victim OneDrive directories for C2, with /createUploadSession for large-file exfiltration and AES-256-CBC + base64 encoding on uploaded data (T1102.002, T1071.001 Application Layer Protocol — Web Protocols); it persists at logon and spawns cmd.exe sessions under the implant's process context. The custom proxy toolkit added in 2025 includes WormFrp (a modified frp that pulls its config from a compromised AWS S3 bucket wamanharipethe.s3.ap-south-1.amazonaws.com), ChainWorm (multi-hop chaining), SmuxProxy, and WormSocket (socket.io-based proxy); a SharpSecretsdump Impacket-look-alike credential dumper was uploaded to the same S3 bucket in October 2025 (T1003.001 OS Credential Dumping: LSASS Memory) (ESET, 2026-05-20; The Hacker News, 2026-05-20). Files exfiltrated from victims and staged in the S3 bucket included virtual-machine snapshots from an Italian governmental entity and an mRemoteNG connection-configuration file plus a Microsoft Visio infrastructure diagram from a Spanish governmental entity — both documents that materially aid follow-on intrusion. Initial-access tradecraft documented against Serbian targets used CVE-2017-7692 (SquirrelMail post-auth RCE), implying credential theft preceded webmail exploitation.

Why it matters to us: the cloud-API C2 design (Discord, Microsoft Graph) blends with legitimate enterprise traffic and defeats domain / URL block-lists. Detection concept — alert on Sysmon EID 3 outbound HTTPS to discord.com/api/* or graph.microsoft.com from process trees whose parent is not the expected first-party application (Discord.exe, Teams.exe, OneDrive.exe, Office); correlate Graph API non-interactive sign-ins in Entra ID for app registrations with no enterprise approval path; flag cmd.exe spawned by long-running services with no interactive user context. Hardening — Conditional Access for the Microsoft Graph application restricting non-managed device sign-ins; block socket.io and Discord WebSocket outbound at the SWG for server workloads that have no business reason; force first-party-only WebSocket egress on government-segment workstations.
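The Sysmon EID 3 detection concept above, carried through as an added example (not ESET's or ctipilot's code). Sysmon's NetworkConnect event carries no parent image, so the block first indexes EventID 1 (ProcessCreate) by ProcessGuid and then judges each EventID 3 connection to discord.com or graph.microsoft.com by the image and its parent; server hosts get no first-party allowance at all, matching the brief's egress policy for server workloads. The expected-image list, the host names, the resolver map (used when Sysmon's DestinationHostname is empty, which happens unless DNS lookup is enabled) and every event value are constructed for the demo.

```python
"""Process-lineage check for the Discord / Microsoft Graph C2 pattern above.

Added example (not ESET's or ctipilot's code). Events are constructed,
Sysmon-shaped dicts: EventID 1 (ProcessCreate) supplies lineage via
ProcessGuid / ParentImage, EventID 3 (NetworkConnect) supplies the
destination. Field names follow Sysmon's schema; all values are invented.
"""
from typing import Dict, Iterable, List, Optional, Set

# Watched destinations from the brief and the first-party images expected to
# reach them (illustrative; extend with the Office binaries actually deployed).
EXPECTED_IMAGES: Dict[str, Set[str]] = {
    "discord.com": {"discord.exe"},
    "graph.microsoft.com": {"teams.exe", "onedrive.exe", "outlook.exe"},
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def watched_domain(hostname: str) -> Optional[str]:
    """Return the watched domain a hostname falls under (exact match or subdomain)."""
    host = hostname.lower().rstrip(".")
    for domain in EXPECTED_IMAGES:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_connections(events: Iterable[dict], resolver: Dict[str, str],
                      server_hosts: Set[str]) -> List[dict]:
    """Flag EID 3 connections to watched domains from an unexpected process tree.

    Events must arrive in time order so that a process's EID 1 precedes its EID 3.
    `resolver` maps DestinationIp -> hostname for events where Sysmon left
    DestinationHostname empty (it only fills it when DNS lookup is enabled).
    """
    lineage: Dict[str, dict] = {}
    findings: List[dict] = []
    for ev in events:
        if ev["EventID"] == 1:
            lineage[ev["ProcessGuid"]] = ev
            continue
        if ev["EventID"] != 3:
            continue
        host = ev.get("DestinationHostname") or resolver.get(ev.get("DestinationIp", ""), "")
        domain = watched_domain(host)
        if domain is None:
            continue
        image = basename(ev["Image"])
        parent = basename(lineage.get(ev["ProcessGuid"], {}).get("ParentImage", ""))
        if ev["Computer"] in server_hosts:
            rule = "server_workload_to_cloud_api"   # no business reason on servers
        elif image in EXPECTED_IMAGES[domain] or parent in EXPECTED_IMAGES[domain]:
            continue   # the first-party app itself, or a helper it spawned
        else:
            rule = "unexpected_process_to_cloud_api"
        findings.append({"rule": rule, "host": ev["Computer"], "image": image,
                         "parent": parent or "unknown", "destination": host})
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"EventID": 1, "Computer": "ws01", "ProcessGuid": "{g1}",
     "Image": r"c:\users\a\appdata\local\discord\discord.exe",
     "ParentImage": r"c:\windows\explorer.exe"},
    {"EventID": 1, "Computer": "ws01", "ProcessGuid": "{g2}",
     "Image": r"c:\users\a\appdata\roaming\svc\updater.exe",
     "ParentImage": r"c:\windows\system32\cmd.exe"},
    {"EventID": 1, "Computer": "srv01", "ProcessGuid": "{g3}",
     "Image": r"c:\windows\system32\svchost.exe",
     "ParentImage": r"c:\windows\system32\services.exe"},
    {"EventID": 3, "Computer": "ws01", "ProcessGuid": "{g1}",
     "Image": r"c:\users\a\appdata\local\discord\discord.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws01", "ProcessGuid": "{g2}",
     "Image": r"c:\users\a\appdata\roaming\svc\updater.exe",
     "DestinationHostname": "", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Computer": "srv01", "ProcessGuid": "{g3}",
     "Image": r"c:\windows\system32\svchost.exe",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
]
SAMPLE_RESOLVER = {"203.0.113.10": "discord.com"}  # constructed passive-DNS lookup
SERVER_HOSTS = {"srv01"}

if __name__ == "__main__":
    for finding in check_connections(SAMPLE_EVENTS, SAMPLE_RESOLVER, SERVER_HOSTS):
        print(finding)
```

The workstation's real Discord client is not reported, the cmd.exe-parented updater.exe reaching discord.com through an IP only the resolver map ties back to the domain is, and the server's svchost.exe reaching graph.microsoft.com is reported regardless of lineage. The two-level lineage check (image or direct parent) is the simplest reading of the brief's "process tree" condition; a fuller version would walk ParentProcessGuid up several levels.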

Webworm (China-aligned; FishMonger / Aquatic Panda) — pivots to EU government targets

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

ESET documented Webworm's 2025–2026 pivot to European government victims (Belgian, Italian, Serbian, Polish and Spanish governmental organisations), deploying EchoCreep (Discord-based C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors (daily 2026-05-21). The use of Graph/OneDrive as C2 is the defender-relevant shift — it blends with legitimate M365 traffic. Hunt for anomalous Graph API usage patterns and Discord egress from server subnets that have no business reason to reach either.

Calypso / Red Lamassu (Bronze Medley, China-aligned) — Showboat and JFMBackdoor against telecoms

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Lumen Black Lotus Labs and PwC disclosed two purpose-built implants — Showboat (Linux) and JFMBackdoor (Windows) — used by Calypso against international telecom firms (daily 2026-05-22). See § 4 for the broader telecom-sector pressure this week; the operator-level point is the dedicated Linux/Windows implant pair, indicating long-haul access intent against carrier infrastructure rather than smash-and-grab.

DAEMON Tools Lite supply-chain compromise — China-nexus QUIC RAT delivered via signed installers; ~12 selective government / scientific / manufacturing targets

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Official DAEMON Tools Lite Windows installers (versions 12.5.0.2421 → 12.5.0.2434) were trojanised on the Disc Soft vendor distribution server from 8 April to 5 May 2026, with malicious installers maintaining the authentic AVB Disc Soft code-signing certificate. The campaign deployed three stages: a .NET information collector (envchk.exe) for host fingerprinting deployed broadly across more than 100 countries (Germany, France, Spain, and Italy appear explicitly in first-stage victim telemetry); a shellcode-based backdoor; and QUIC RAT — a C++ implant supporting HTTP / UDP / TCP / WebSocket / QUIC / HTTP/3 C2 channels — selectively deployed to approximately twelve targets in government, scientific, manufacturing, and retail sectors in Russia, Belarus, and Thailand per Kaspersky. Chinese-language strings in the information collector suggest a Chinese-speaking actor; no formal attribution to a named group. The C2 domain was registered 2026-03-27 — approximately two weeks before the first trojanised installer (2026-04-08) — confirming pre-planned operation. Disc Soft acknowledged 2026-05-05, released clean version 12.6.0.2445, resolved the distribution compromise within 12 hours (Kaspersky Securelist · The Record, 2026-05-06 · BleepingComputer, 2026-05-06 · Help Net Security, 2026-05-06 · daily 2026-05-07 and 2026-05-09 UPDATE). Defender takeaway: audit endpoints for DAEMON Tools Lite versions 12.5.0.2421 – 12.5.0.2434 installed on any government, scientific, or manufacturing endpoint since 8 April 2026; hunt for envchk.exe, unsigned processes injected into notepad.exe or conhost.exe, and outbound UDP 443 (QUIC) to non-sanctioned destinations; Sysmon EID 1 with parent-image filters surfaces post-injection activity. The pattern — selective QUIC-channel deployment behind broad-targeting reconnaissance staging — is the operationally important detail; it explains why telemetry hit-rate alone underestimates targeted-actor presence.

UAT-8302 (China-nexus, Talos; SE European government victims)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: long-term gov-network access operations against South American government networks since late 2024 and southeastern European government agencies in 2025 — Talos disclosure published 2026-05-05 was the first detailed write-up. Tooling overlap links UAT-8302 to multiple Chinese-quartermaster-shared clusters (Ink Dragon, Earth Alux, Jewelbug, REF7707, LongNosedGoblin, Erudite Mogwai / Space Pirates). No new in-window developments beyond the original Talos disclosure (2026-05-05), and state/covered_items.json carries it as first-covered 2026-05-06. Outstanding defender question: whether the southeastern European government victim list will expand publicly. Initial-access CVE not yet disclosed; Talos referenced post-compromise tooling (gogo scanner, Impacket, NetDraft/NosyDoor, CloudSorcerer v3.0, SNOWLIGHT/SNOWRUST, Deed RAT/Snappybee, Zingdoor, Draculoader, Stowaway, SoftEther VPN) rather than the entry vector.