New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework
ID: e5d9328b-d01b-5bd2-99d6-e23c2a8d290e
STIX ID: report--e5d9328b-d01b-5bd2-99d6-e23c2a8d290e
Feed Name: The Hacker News
OP-512 is an espionage-oriented threat cluster attributed with moderate-to-high confidence to China. It targets Internet-facing Microsoft IIS servers and deploys a bespoke three-part web shell framework that provides file management, authenticated command execution reachable through two separate access paths, and automated reporting of each compromise back to the operators. The shells are written to disk by the IIS worker process (w3wp.exe), and the operators timestomp the dropped files so their timestamps match the neighbouring files in the web root. Implants beacon over DNS and HTTP to attacker-controlled domains, and on legacy Windows Server 2016 hosts the operators attempt escalation to SYSTEM using the Potato family of token-impersonation tools.
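The behaviours listed above (w3wp.exe writing server-side scripts into the web root, backdated creation times, a shell spawned from the worker process, and a SYSTEM-level process whose ancestry leads back to w3wp.exe) each leave a distinct process- or file-event trace. The following Python sketch is an added example, not code from the article or from any vendor report on OP-512: it runs four heuristic rules over constructed Sysmon-style records (event IDs 1, 2 and 11 with their standard field names). The event records, GUIDs, file paths and the `C:\Windows\Temp\upd.exe` binary are all invented for illustration, and `\inetpub\` is assumed as the web root location.

```python
"""Detection sketch for the OP-512 tradecraft summarised above.
Added example: runs over constructed Sysmon-style records, not real telemetry.
"""
import ntpath
from datetime import datetime

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe"}
WEB_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".ascx"}
SYSTEM_USER = "nt authority\\system"
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout


def base(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path or "").lower()


def is_w3wp(path):
    return base(path) == "w3wp.exe"


def is_web_content(path):
    """Server-side script under an IIS web root (assumed default location)."""
    p = (path or "").lower()
    return "\\inetpub\\" in p and ntpath.splitext(p)[1] in WEB_EXT


def descends_from_w3wp(event, by_guid):
    """Walk ParentProcessGuid links to see whether w3wp.exe is an ancestor."""
    seen = set()
    while event is not None and event["ProcessGuid"] not in seen:
        seen.add(event["ProcessGuid"])
        if is_w3wp(event.get("ParentImage")):
            return True
        event = by_guid.get(event.get("ParentProcessGuid"))
    return False


def detect(events):
    """Return (rule_name, detail) tuples in event order."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        eid = e["EventID"]
        # Rule 1: IIS worker process spawning an interactive shell or recon tool.
        if eid == 1 and is_w3wp(e.get("ParentImage")) and base(e["Image"]) in SHELLS:
            alerts.append(("iis_spawns_shell", e["CommandLine"]))
        # Rule 2: w3wp.exe itself writing a server-side script into the web root.
        if eid == 11 and is_w3wp(e.get("Image")) and is_web_content(e["TargetFilename"]):
            alerts.append(("webshell_drop", e["TargetFilename"]))
        # Rule 3: creation time of web content moved into the past (timestomping).
        if eid == 2 and is_web_content(e["TargetFilename"]):
            new = datetime.strptime(e["CreationUtcTime"], TS_FMT)
            old = datetime.strptime(e["PreviousCreationUtcTime"], TS_FMT)
            if new < old:
                alerts.append(("timestomp", e["TargetFilename"]))
        # Rule 4: a SYSTEM process whose lineage starts at the app-pool worker,
        # the outcome of a successful Potato-style impersonation.
        if eid == 1 and e.get("User", "").lower() == SYSTEM_USER \
                and descends_from_w3wp(e, by_guid):
            alerts.append(("system_from_iis_lineage", e["Image"]))
    return alerts


# Constructed sample telemetry (not real events). GUIDs shortened for readability.
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SHELL_PATH = "C:\\inetpub\\wwwroot\\aspnet_client\\error.aspx"
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "G-w3wp", "Image": W3WP, "TargetFilename": SHELL_PATH},
    {"EventID": 2, "ProcessGuid": "G-w3wp", "Image": W3WP, "TargetFilename": SHELL_PATH,
     "PreviousCreationUtcTime": "2025-03-14 10:22:05.123",
     "CreationUtcTime": "2021-09-03 08:11:47.000"},
    {"EventID": 1, "ProcessGuid": "G-cmd", "ParentProcessGuid": "G-w3wp",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": W3WP,
     "CommandLine": "cmd.exe /c whoami", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "ProcessGuid": "G-upd", "ParentProcessGuid": "G-cmd",
     "Image": "C:\\Windows\\Temp\\upd.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "upd.exe -c cmd.exe", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "ProcessGuid": "G-sys", "ParentProcessGuid": "G-upd",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\Temp\\upd.exe",
     "CommandLine": "cmd.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Benign noise: an admin shell and an installer deploying web content.
    {"EventID": 1, "ProcessGuid": "G-adm", "ParentProcessGuid": "G-expl",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe", "User": "CORP\\admin"},
    {"EventID": 11, "ProcessGuid": "G-msi", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\app\\Default.aspx"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} {detail}")
```

Rule 3 is the cheapest of the four because Sysmon's event ID 2 records the old and new creation times directly; without it, the same check needs the NTFS `$STANDARD_INFORMATION` and `$FILE_NAME` timestamps from an MFT parse. Rule 4 is a lineage heuristic: it only fires if the whole chain from w3wp.exe to the SYSTEM process was captured, so a gap in telemetry or parent-PID spoofing defeats it, and it should be paired with the named-pipe and RPC indicators that the individual Potato variants leave.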
