OP-512
Summary
ReliaQuest tracks OP-512 as a suspected new China-linked espionage cluster targeting legacy Microsoft Internet Information Services (IIS) servers. In a June 2026 incident, ReliaQuest assessed with moderate-to-high confidence that OP-512 compromised an internet-facing IIS server, deployed a custom three-web-shell framework, and used cryptographic access controls plus self-reporting command-and-control to maintain operator-only access.
The cluster is useful as a defender bucket because ReliaQuest says its tooling, infrastructure, and operational profile do not match previously documented China-linked IIS intrusion clusters, even though the target surface overlaps with recent IIS-focused activity.
Tags
- groups
- actors
- espionage
- China-linked
- IIS
- web-shells
- ASP.NET
- w3wp.exe
- DNS C2
- RC4
- RSA
- legacy infrastructure
Why this matters
- ReliaQuest reports OP-512 is at least the fourth China-linked cluster publicly documented targeting IIS servers in the past year, reinforcing internet-facing IIS and legacy .NET as a recurring espionage foothold.
- The reported web shell framework is designed to defeat hash and static-signature detections: each deployment is uniquely generated, variable and method names are randomized, and dead variables / junk comments alter file hashes.
- Access is cryptographically gated. ReliaQuest says the `.ashx` command handlers base64-decode request bodies, RC4-decrypt the payloads, verify an RSA signature against an embedded public key, and execute commands only after that verification succeeds.
- The web shell can self-report its location through long, hex-segmented DNS subdomains, so even defensive interaction with a suspected shell (for example, requesting its URL to confirm it exists) may notify the operator.
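The gating sequence in the bullet above, as an added example and not code from the page or from the OP-512 tooling: a toy Python model of an operator building a request and a handler accepting it only after RC4 decryption and RSA verification. The key sizes, the JSON envelope layout, a static RC4 key shared by operator and handler, and textbook RSA over SHA-256 are all assumptions made for illustration; the report does not describe those details. The second operator key that the handler rejects mirrors the reported use of different RSA keys per handler.

```python
"""Toy model of the signed, RC4-wrapped command channel described for the OP-512 .ashx handlers.
Constructed illustration: key sizes, JSON envelope and the static shared RC4 key are assumptions."""
import base64
import hashlib
import json
import random

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, adequate for a toy key and nothing else."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Textbook RSA pair ((n, e), (n, d)); the modulus is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(priv, message: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def rsa_verify(pub, message: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def operator_build_request(priv, rc4_key: bytes, command: str) -> str:
    """Operator side: sign the command, wrap it with the signature, RC4-encrypt, base64-encode."""
    envelope = json.dumps({"cmd": command, "sig": rsa_sign(priv, command.encode())})
    return base64.b64encode(rc4(rc4_key, envelope.encode())).decode()

def handler_process(pub, rc4_key: bytes, body: str):
    """Handler side: base64-decode, RC4-decrypt, verify against the embedded public key, only then run.
    Returns (accepted, output); a rejected request produces no execution and no output."""
    try:
        envelope = json.loads(rc4(rc4_key, base64.b64decode(body, validate=True)))
        command, sig = envelope["cmd"], int(envelope["sig"])
    except Exception:
        return False, None  # wrong RC4 key, tampered ciphertext or malformed envelope
    if not rsa_verify(pub, command.encode(), sig):
        return False, None  # well-formed but not signed by the operator key: dropped
    return True, f"executed: {command}"  # stand-in for the real command execution step

def flip_byte(body: str, index: int = 2) -> str:
    """Corrupt one ciphertext byte to show that tampering is rejected before execution."""
    raw = bytearray(base64.b64decode(body))
    raw[index] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()

def demo():
    """Operator accepted; a second operator key (the two reported handlers used different
    RSA keys), a tampered body and a wrong RC4 key are all rejected."""
    pub, priv = rsa_keygen()
    _, other_priv = rsa_keygen()
    rc4_key = b"constructed-shared-rc4-key"  # assumed: a static key embedded in the handler
    good = operator_build_request(priv, rc4_key, "whoami")
    return {
        "operator": handler_process(pub, rc4_key, good),
        "other_key": handler_process(pub, rc4_key, operator_build_request(other_priv, rc4_key, "whoami")),
        "tampered": handler_process(pub, rc4_key, flip_byte(good)),
        "wrong_rc4": handler_process(pub, b"wrong-key", good),
    }
```

The defender-relevant consequence the model makes concrete: a shell built this way cannot be driven by a responder who finds the file and replays captured requests, because without the signing key every request is dropped before the execution step. Confirmation therefore has to come from host artifacts (file timestamps, compiled temporary DLLs, w3wp.exe child processes and DNS behavior) rather than from interacting with the handler.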
Reported activity
June 2026 ReliaQuest incident
- ReliaQuest says its agentic-AI correlation surfaced activity later validated by threat researchers as a coordinated OP-512 intrusion.
- The victim environment included a compromised IIS server running .NET Framework 4.0, which has been unsupported since 2016.
- ReliaQuest observed signs of access about 75 days before the primary incident, then a return where the actor deployed web shells, established multiple command channels, and escalated privileges within hours.
- The web shell framework consisted of three shells:
  - a self-reporting component that transmitted the shell location to C2;
  - two `.ashx` command handlers generated from the same apparent builder but with different randomized code and different RSA keys.
- ReliaQuest notes that the use of different RSA keys may indicate separate operator access, access tiers, or key rotation; the durable point is compartmentalization rather than a single shared implant key.
Defender notes
- Prioritize migration, decommissioning, or segmentation for internet-facing IIS servers running unsupported .NET Framework versions.
- Disable script execution in upload directories and review IIS handler mappings for `.aspx`, `.ashx`, and `.asmx` wherever upload paths exist.
- Hunt for `w3wp.exe` initiating outbound DNS queries with abnormally long, hex-segmented subdomains, especially immediately after new ASP.NET content appears.
- Monitor `.aspx`, `.ashx`, and `.asmx` content that loads cryptographic components through .NET reflection rather than through normal direct references.
- Watch ASP.NET temporary compilation directories (the Temporary ASP.NET Files tree) for unexpected DLL generation outside deployment windows.
- Treat `w3wp.exe` spawning `cmd.exe` or other shells as high-risk and pair process termination with host isolation; ReliaQuest notes that IIS restarts can let access re-establish if only the malicious worker process is killed.
- Use behavioral detection before IoC matching. ReliaQuest cautions that published indicators are intrusion-specific and may not repeat in later OP-512 activity.
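A starting point for the DNS hunt in the list above, as an added example and not ReliaQuest detection content: Python run over constructed log lines shaped loosely like Sysmon Event ID 22 (Image and QueryName), flagging the IIS worker process resolving long hex-segmented names, checking the `a.<hex>.c.<domain>` shape from the reported indicator pattern, and attempting to decode the hex labels. The label-length and query-length thresholds, the sample lines, the placeholder domains, and the assumption that the hex segments carry ASCII (such as the shell's URL) are mine; the report states only that the subdomains are long and hex-segmented.

```python
"""Hunt for the self-reporting DNS beacon shape described for OP-512: w3wp.exe resolving long,
hex-segmented subdomains. Constructed example; thresholds and the ASCII assumption are mine."""
import re
from dataclasses import dataclass
from typing import List, Optional

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.I)              # assumed: 16+ hex chars makes a label "long"
REPORTED_SHAPE = re.compile(r"^a\.(?:[0-9a-f]+\.)+c\.", re.I)  # a.<hex>[.<hex>...].c.<domain>, per the reported pattern
MIN_QUERY_LEN = 60                                             # assumed: shorter names are not worth a finding

# Constructed sample, loosely shaped like Sysmon Event ID 22 fields: UtcTime | Image | QueryName.
SAMPLE_DNS_LOG = [
    r"2026-06-03T10:14:02Z|C:\Windows\System32\inetsrv\w3wp.exe|a.687474703a2f2f76696374696d2e6578616d706c652f.75706c6f6164732f636f6e6669672e61736878.c.c2-placeholder.example",
    r"2026-06-03T10:14:05Z|C:\Windows\System32\inetsrv\w3wp.exe|api.vendor.example",
    r"2026-06-03T10:14:09Z|C:\Windows\System32\inetsrv\w3wp.exe|1a2b3c4d.cdn.example",
    r"2026-06-03T10:15:11Z|C:\Program Files\Browser\browser.exe|a.6162636465666768696a6b6c6d6e6f70.c.c2-placeholder.example",
    r"2026-06-03T10:16:40Z|C:\Windows\System32\inetsrv\w3wp.exe|ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00.c2-placeholder.example",
]

@dataclass
class Finding:
    utc_time: str
    image: str
    query: str
    hex_label_count: int
    matches_reported_shape: bool
    decoded_location: Optional[str]  # what the beacon appears to report, if the hex decodes cleanly

def hex_labels(query: str) -> List[str]:
    return [label for label in query.split(".") if HEX_LABEL.match(label)]

def decode_hex_labels(labels: List[str]) -> Optional[str]:
    """Assume the hex labels carry ASCII (e.g. the shell URL); return it only if it is printable text."""
    try:
        text = bytes.fromhex("".join(labels)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def analyze_query(utc_time: str, image: str, query: str) -> Optional[Finding]:
    """Flag only the IIS worker process; other images need their own baseline and are ignored here."""
    if not image.lower().endswith("\\w3wp.exe"):
        return None
    labels = hex_labels(query)
    if not labels or len(query) < MIN_QUERY_LEN:
        return None
    return Finding(utc_time, image, query, len(labels),
                   bool(REPORTED_SHAPE.match(query)), decode_hex_labels(labels))

def hunt(lines: List[str]) -> List[Finding]:
    """Parse the pipe-delimited sample format and return one Finding per suspicious query."""
    findings = []
    for line in lines:
        utc_time, image, query = line.split("|", 2)
        finding = analyze_query(utc_time, image, query)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_DNS_LOG):
        print(f"{f.utc_time} {f.query}\n  hex labels={f.hex_label_count} "
              f"reported shape={f.matches_reported_shape} decoded={f.decoded_location!r}")
```

Tune the thresholds against your own IIS baseline first: CDN hostnames and similar legitimate names can also contain long hex labels, which is why the finding records the process image and the decoded text rather than alerting on length alone. A query that does not decode (the last sample line) is still a finding; the hex may be encrypted or binary, and the value of the hunt is the pairing of `w3wp.exe` with the label shape, not the decode. When a decoded path names an `.ashx` or `.aspx` file, that path is the first thing to pull from the server for review.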
Reported indicators
ReliaQuest says these indicators are specific to the observed intrusion; prefer the behavioral patterns above.
| Indicator | Reported role |
|---|---|
| ashx.lhlsjcb[.]com | DNS C2 domain observed during earlier activity on the same host |
| hcgos[.]com | DNS C2 domain used by the self-reporting notification channel |
| a.<hex>.c.hcgos[.]com | Reported DNS subdomain pattern for self-reporting web shell location |
| 43.160.202[.]246:8053 | Meterpreter C2 server on a non-standard port |
| 140.206.161[.]227:443 | Outbound connection from the compromised host |
| 124.156.129[.]151 | Source IP for web shell interaction in the reported intrusion |
| python-requests/2.33.0 | User agent seen with web shell interaction; weak alone, higher signal combined with POSTs to upload paths containing .aspx files |
Attribution notes
- ReliaQuest assesses OP-512 with moderate-to-high confidence as a new China-linked cluster.
- The assessment is based on victimology, operational timing, tooling, infrastructure, and overlap with broader China-linked IIS targeting, while explicitly noting that OP-512 does not match known actors.
- This page keeps OP-512 separate from other IIS-focused clusters unless future public reporting establishes an alias or shared control.
Sources
- ReliaQuest: https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512
- The Hacker News: https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html