PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments (Campaign)
ID: 9b2da55d-6cba-5b76-b4e9-bf423a401857
STIX ID: report--9b2da55d-6cba-5b76-b4e9-bf423a401857
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2025-10-21
Date Updated: 2026-05-01
Author: [email protected] (Wiz Threat Research)
This IIS-targeting campaign abuses an exposed or reused ASP.NET machineKey (ValidationKey/DecryptionKey) to trigger __VIEWSTATE deserialization and execute commands remotely. After gaining access, the operators (tracked as REF3927) deploy Godzilla-family webshells and the TOLLBOOTH backdoor (native/.NET variants) placed in inetsrv paths, retrieve per-victim configuration from c.cseo99.com, and cache artifacts in the Windows Temp directory. A Wingtb-derived kernel rootkit, together with tools such as Mimikatz, is used to steal credentials, hide activity, clear logs, and maintain persistence. Hundreds of infections and recurring reinfections were observed.
