China-Linked Group Deploys Custom ASPX and ASHX Web Shells
ID: 85dd2f07-af9f-54fd-ab72-fea4f95a1cef
STIX ID: report--85dd2f07-af9f-54fd-ab72-fea4f95a1cef
Feed Name: Cyber Press
ReliaQuest outlines OP-512, a China-linked espionage cluster using a purpose-built .aspx/.ashx web shell framework against internet-facing IIS servers: the implants use a Base64→RC4→RSA execution pipeline, hex-encoded DNS self-reporting, randomized handlers to evade hashing, and in-memory privilege escalation; the report includes IOCs (domains, IPs, C2 details) and concrete mitigation guidance such as blocking long hex-subdomain DNS from w3wp.exe and removing end-of-life .NET from exposed servers.
