Q1 2026 malware statistics report for Windows web servers
ID: 5e5b4a35-4dc4-5265-8f00-a30210aaa1fd
STIX ID: report--5e5b4a35-4dc4-5265-8f00-a30210aaa1fd
Feed Name: ASEC
AhnLab ASEC's Q1 2026 analysis reports that the Larva-26001 actor has been compromising Windows IIS/Tomcat web servers via file upload and RCE and deploying web shells. The actor leverages privilege escalation techniques (JuicyPotato, BadPotato, CVE-2019-1458) and uses port-forwarding tools (HTran/PortTranC) to pivot to internal RDP (port 3389) for backdoor, proxy, and coinminer deployment. Recommendations include patching, tightening access controls, and updating antivirus.
