
New Threat Cluster OP-512 Puts Microsoft IIS Servers in the Crosshairs


StratosAlly


For years, web servers have quietly powered websites, applications, and business operations behind the scenes. While many organizations view them as routine infrastructure, attackers increasingly see them as strategic entry points into larger networks.

A newly identified threat cluster known as OP-512 is the latest example. Details released by ReliaQuest reveal that the group is actively targeting Microsoft Internet Information Services (IIS) servers and appears to be focused on one objective above all else: persistence.

According to researchers, OP-512 deploys a custom-built framework after compromising an IIS server. The framework consists of three interconnected web shells that work together to help attackers maintain access, execute commands remotely, and relay information from compromised systems back to their infrastructure.

The objective is not immediate disruption. It is persistence. Rather than drawing attention through ransomware, data destruction, or noisy attacks, the group appears focused on quietly embedding itself within targeted environments and remaining there for as long as possible.

What makes the campaign particularly concerning is the emphasis on stealth. Researchers observed OP-512 using a technique known as “timestomping” to help conceal its activity. By modifying a file’s timestamps, attackers can make malicious files appear older and more legitimate, allowing them to blend in with normal system activity. To security teams investigating a compromise, these files may initially look like routine components of the server rather than evidence of an intrusion.
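Timestomped files tend to leave traces that can be checked mechanically. The following heuristic scanner is an added example written for this article, not tooling from ReliaQuest or anything attributed to OP-512; the file records it inspects are constructed in the code, and the field names (created, modified, fn_created) are assumptions standing in for values a forensic tool would pull from the NTFS MFT.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileRecord:
    """Timestamps for one file on an IIS web root (constructed sample data)."""
    path: str
    created: datetime      # $STANDARD_INFORMATION creation time (user-modifiable)
    modified: datetime     # $STANDARD_INFORMATION last write time (user-modifiable)
    fn_created: datetime   # $FILE_NAME creation time, set by the kernel only


def timestomp_indicators(rec: FileRecord) -> list[str]:
    """Return the list of timestomping heuristics this record trips."""
    hits = []
    # NTFS stores 100 ns precision; many timestomping tools write whole seconds.
    if rec.created.microsecond == 0 and rec.modified.microsecond == 0:
        hits.append("zero-fraction-seconds")
    # The kernel-maintained $FILE_NAME creation time should never be later
    # than the $STANDARD_INFORMATION creation time for an unmodified file.
    if rec.created < rec.fn_created:
        hits.append("si-before-fn")
    # A last-write time earlier than creation is impossible without tampering.
    if rec.modified < rec.created:
        hits.append("modified-before-created")
    return hits


def scan(records: list[FileRecord]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; clean files are omitted."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample: one ordinary page and one file whose visible timestamps
# were pushed back to 2022 while the kernel-kept $FN time shows it appeared in 2025.
SAMPLE_RECORDS = [
    FileRecord(r"C:\inetpub\wwwroot\default.aspx",
               datetime(2023, 5, 2, 9, 14, 7, 412500),
               datetime(2024, 1, 15, 11, 2, 33, 90100),
               datetime(2023, 5, 2, 9, 14, 7, 412500)),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\update.aspx",
               datetime(2022, 3, 1, 0, 0, 0, 0),
               datetime(2022, 3, 1, 0, 0, 0, 0),
               datetime(2025, 2, 10, 3, 44, 18, 228900)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits)}")
```

In a real investigation the records would come from an MFT parser; these heuristics raise candidates for review rather than proving tampering, since some deployment tools also preserve or round timestamps.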

That creates a significant challenge: the harder it is to distinguish malicious activity from legitimate activity, the longer attackers can remain unnoticed inside a network.

Researchers at ReliaQuest believe there is a moderate-to-high likelihood that the operation is linked to China-backed cyber espionage. While they have not identified direct ties to previously known Chinese threat groups, the industries being targeted and the geographic locations of victims closely align with patterns commonly associated with China’s intelligence-gathering interests.

The discovery also fits into a much larger trend. OP-512 is now the fourth China-linked threat cluster identified targeting IIS infrastructure over the past year, joining groups such as CL-STA-0048, DragonRank, and GhostRedirector. Taken together, these campaigns suggest that IIS servers continue to be a valuable target for advanced threat actors seeking reliable entry points into corporate and government networks.

And the appeal is easy to understand. Web servers are often internet-facing, handle sensitive business functions, and frequently maintain connections to internal systems. For an espionage-focused actor, compromising a web server can provide a foothold that opens the door to much broader intelligence collection opportunities.

That is why this discovery matters beyond a single threat group. The emergence of OP-512 highlights how modern cyber espionage continues to evolve. Nation-state actors are increasingly investing in custom-built tools designed not to create headlines, but to avoid them. Their goal is not immediate impact. Their goal is to stay hidden, gather intelligence, and maintain access for as long as possible.
