China-Linked Espionage Cluster Deploys Custom ASPX/ASHX Shells on IIS
ID: dba98074-99b2-50db-a4c1-2a054702cdd5
STIX ID: report--dba98074-99b2-50db-a4c1-2a054702cdd5
Feed Name: GBHackers
ReliaQuest observed a China-linked cluster tracked as OP-512 compromising an IIS host (Windows Server 2016, .NET 4.0) using a custom, purpose-built web shell framework. The intrusion featured long-term persistence (access established ~75 days earlier), dual command channels via .ashx handlers with an RC4+RSA-protected command pipeline, hex-segmented DNS "phone home" signaling with an HTTP Meterpreter fallback, timestomping to hide file metadata, and memory-only privilege escalation tools. The report includes IOCs (domains, IPs, ports) and mitigations for IIS environments.
