TOLLBOOTH: What's yours, IIS mine
ID: 48463602-6734-5b42-b3c5-bc2893104fee
STIX ID: report--48463602-6734-5b42-b3c5-bc2893104fee
Feed Name: Elastic Security Labs
Elastic Security Labs and Texas A&M System Cybersecurity describe REF3927, an active, large-scale campaign that exploits publicly exposed ASP.NET machine keys to compromise IIS servers. The intrusions deploy a malicious IIS module (TOLLBOOTH) used for SEO cloaking and webshell access, alongside Godzilla-forked webshells, a modified Hidden kernel rootkit, and the GotoHTTP RMM tool. The report provides detailed malware and rootkit analysis, IoCs (file hashes, domains, endpoints), TTP mapping, a victim count of about 571 globally, and remediation advice that includes rotating machine keys and removing the attackers' persistence.
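The remediation the summary names, rotating the ASP.NET machine key, starts with finding which web.config files carry an explicit key at all. The following is an added example, not code from the Elastic report or from Texas A&M: it parses a constructed web.config, flags any <machineKey> whose validationKey or decryptionKey is a static value rather than the framework default "AutoGenerate,IsolateApps", and rewrites the element with freshly generated keys of the sizes ASP.NET expects for HMACSHA256 validation (64 bytes) and AES decryption (32 bytes). The sample config and the key values in it are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from the report). The static keys
# are placeholders: any key copied from a public source lets an attacker who
# knows it sign malicious ViewState for this site.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed config that relies on the framework default (nothing to rotate).
AUTOGEN_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""


def find_static_machine_keys(config_xml):
    """Return (attribute, value) pairs for every explicit (non-AutoGenerate) key
    found in any <machineKey> element of the given web.config text."""
    root = ET.fromstring(config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # A missing attribute means ASP.NET falls back to AutoGenerate.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append((attr, value))
    return findings


def rotate_machine_key(config_xml):
    """Replace the keys of every <machineKey> with fresh random values.

    Returns the rewritten config text and the list of (validationKey,
    decryptionKey) pairs that were written, so the caller can push the same
    keys to every node of a web farm. Sizes: 64 bytes (128 hex chars) for
    HMACSHA256 validation, 32 bytes (64 hex chars) for AES decryption."""
    root = ET.fromstring(config_xml)
    new_keys = []
    for mk in root.iter("machineKey"):
        validation_key = secrets.token_hex(64).upper()
        decryption_key = secrets.token_hex(32).upper()
        mk.set("validationKey", validation_key)
        mk.set("decryptionKey", decryption_key)
        mk.set("validation", "HMACSHA256")
        mk.set("decryption", "AES")
        new_keys.append((validation_key, decryption_key))
    return ET.tostring(root, encoding="unicode"), new_keys


if __name__ == "__main__":
    for attr, value in find_static_machine_keys(SAMPLE_WEB_CONFIG):
        print(f"static {attr}: {value[:16]}... (review: is this key public?)")
    rotated, keys = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print(rotated)
```

Two caveats a practitioner should keep in mind when applying this: a rotated key invalidates every outstanding ViewState and forms-authentication ticket, so all nodes of a web farm must receive the same new key at the same time, and rotating the key closes only the initial access path; a TOLLBOOTH module, webshell, or rootkit already installed has to be found and removed separately, as the report's remediation advice says.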
