ctipilot.ch

OP-512

actor · actor:op-512 · single-source

OP-512 — China-linked cluster, cryptographically-unique self-reporting IIS web-shell framework

Coverage timeline

  • Entries: 2 (2 distinct days), first 2026-06-01 → last 2026-06-06
  • Sources cited: 3 (3 hosts)
  • Sections touched: 2 (research, weekly-sector-patterns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-06 · research · OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers
  2. 2026-06-01 · weekly-sector-patterns · Public sector — most-targeted sector this week by volume and by operational severity

Where this entity is cited

  • weekly-sector-patterns (1)
  • research (1)

Source distribution

  • enisa.europa.eu: 1 (33%)
  • reliaquest.com: 1 (33%)
  • securityaffairs.com: 1 (33%)

Related entities

Entries about OP-512 (2)

2026-06-06

OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers

notable · research · discovered 2026-06-06 05:00 UTC · single-source

ReliaQuest documented OP-512, a previously-unreported China-linked espionage cluster targeting internet-facing Microsoft IIS servers running end-of-life .NET Framework 4.0 (ReliaQuest, 2026-06-05) [SINGLE-SOURCE — ReliaQuest original disclosure]. The framework is a three-component web shell — one .aspx file manager plus two .ashx command handlers — that is per-deployment cryptographically unique (RSA signatures and RC4 keys differ per installation), defeating signature-based detection. It carries a timestomping module that matches shell file timestamps to surrounding legitimate IIS artefacts (T1070.006 Timestomp), uses reflective .NET assembly loading to bypass static scanning (T1620), and implements a novel self-reporting beacon: the deployed shell's URL is hex-encoded into a DNS subdomain query issued from w3wp.exe, so the operator is notified of a live shell without actively scanning for it. ReliaQuest found initial access roughly 75 days before the shell was deployed, consistent with patient espionage tradecraft, and notes overlap with the hex-encoded-DNS technique seen in CL-STA-0048 while assessing OP-512 as a separate cluster.

Why it matters to us: Many Swiss and EU public-sector estates still run legacy IIS/ASP.NET portals and intranet apps on .NET 4.0 — exactly OP-512's stated footprint. The detection lesson is concrete: filesystem timestamps are useless for triage here (timestomped), so hunt on behaviour instead — w3wp.exe issuing long hex-string DNS subdomain queries, w3wp.exe spawning cmd.exe/powershell.exe/csc.exe (Sysmon EID 1), reflective-assembly loads, and .aspx/.ashx writes into web roots (Windows Security EID 4663 on inetsrv paths). Hardening: isolate or retire .NET 4.0 servers and apply WDAC/AppLocker to block execution of unsigned web-root artefacts.
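The three behavioural hunt signals above, turned into a small triage routine as an added example (Python; not ReliaQuest's or this site's code) that runs over constructed, simplified Sysmon EID 1 (process create), Sysmon EID 22 (DNS query) and Windows Security EID 4663 (object access) records. The field names, the sample values and the 16-hex-character "long label" threshold are assumptions; the hex label in the sample is the path "/upload/logs.aspx" hex-encoded, mimicking the self-reporting beacon so the analyst can see which shell path a beacon reported.

```python
import re

# Constructed sample telemetry (not real logs), simplified from the Sysmon EID 1
# (process create), Sysmon EID 22 (DNS query) and Security EID 4663 (object
# access) schemas. The hex label is "/upload/logs.aspx", hex-encoded like the beacon.
EVENTS = [
    {"eid": 1, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"eid": 1, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"eid": 22, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "query": "2f75706c6f61642f6c6f67732e61737078.beacon.example"},
    {"eid": 22, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "query": "api.contoso.example"},
    {"eid": 4663, "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "object": r"C:\inetpub\wwwroot\app\handler.ashx", "access": "WriteData"},
    {"eid": 4663, "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "object": r"C:\inetpub\logs\LogFiles\u_ex260606.log", "access": "WriteData"},
]

CHILD_PROCS = {"cmd.exe", "powershell.exe", "csc.exe"}
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.I)  # assumed: 16+ hex chars is "long"
WEB_ROOT_HINTS = ("\\inetpub\\", "\\inetsrv\\")
SHELL_EXTS = (".aspx", ".ashx")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_hex_label(label):
    # Decode the beacon label to show the reported shell path; odd length is not byte-aligned hex
    if len(label) % 2:
        return label
    return bytes.fromhex(label).decode("ascii", errors="replace")

def triage(events):
    """Return (signal, detail) pairs for the three behaviours to hunt on."""
    hits = []
    for ev in events:
        if ev["eid"] == 1 and basename(ev["parent"]) == "w3wp.exe" \
                and basename(ev["image"]) in CHILD_PROCS:
            hits.append(("w3wp_spawn", basename(ev["image"])))
        elif ev["eid"] == 22 and basename(ev["image"]) == "w3wp.exe":
            label = ev["query"].split(".", 1)[0]  # leftmost subdomain label
            if HEX_LABEL.match(label):
                hits.append(("w3wp_hex_dns", decode_hex_label(label)))
        elif ev["eid"] == 4663 and "write" in ev["access"].lower():
            obj = ev["object"].lower()
            if obj.endswith(SHELL_EXTS) and any(h in obj for h in WEB_ROOT_HINTS):
                hits.append(("webroot_script_write", ev["object"]))
    return hits
```

The hex-label rule on its own will also fire on benign long-hex hostnames (CDN and telemetry endpoints use them), so keep it tied to the w3wp.exe source process as written rather than applying it to all DNS telemetry.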

espionage · nation-state · china-nexus · global · europe

2026-06-01

Public sector — most-targeted sector this week by volume and by operational severity

high · synthesis · discovered 2026-06-01 05:00 UTC

The public sector carried the highest concentration of critical items this week. CVE-2026-41089 (Netlogon SYSTEM RCE) and CVE-2026-20245 (Cisco SD-WAN no-patch zero-day) both have active exploitation with direct public-sector estate exposure. NCSC-CH's G7 Évian advisory is a direct Swiss federal / cantonal SOC priority for the coming week. VerdantBamboo's intrusion entered through an MSP's pfSense — the precise threat model for any federation of public-sector organisations sharing managed-service relationships (§7). The MISP fix for CVE-2026-10868 patches EU CERT tooling in direct use by the operators in this newsletter's primary audience. OP-512's China-linked IIS/.NET 4.0 cluster (daily 2026-06-06) targets the legacy web-server estate still common in cantonal and municipal government, with per-deployment cryptographic keying defeating signature-based detection entirely. ENISA NIS360 confirms public administration is the most consistently targeted EU sector by hacktivist activity, receiving nearly 63% of all EU hacktivist attacks, yet about a third of entities lack structured cybersecurity expertise at management level.

nation-state · hacktivism · vulnerabilities · actively-exploited · europe · switzerland