A new attack campaign, discovered in February 2025, targets Windows IIS web servers with advanced malware, enabling attackers to intercept and manipulate web traffic while staying hidden. Chinese-speaking threat actors are believed to be behind the attack, focusing on South Korean web servers.
Multi-Stage Attack Process
The attack begins with exploiting poorly secured web servers. After gaining access, attackers deploy .NET loader malware as a WebShell, followed by a malicious IIS native module, “caches.dll,” which ensures persistent control over the compromised server.
Using legitimate IIS tools such as AppCmd[.]exe, the attackers register the module so that it is loaded by the IIS worker processes, which helps the malware blend in with legitimate components and remain undetected.
Malicious Activities
Once installed, the malicious module intercepts requests and manipulates data at key points in the HTTP request pipeline. It contains five malicious classes that enable attackers to execute ASP files, inject affiliate banners, redirect users, and upload files covertly.
Stealth and Rootkit Use
To avoid detection, attackers deploy a Chinese-language rootkit tool, “HijackDriverManager,” which hides malicious files and processes. The compromised servers also show signs of communication with Gh0st RAT, a backdoor commonly used by Chinese APT groups.
Mitigation Steps
Administrators should:
- Apply the latest security patches.
- Use behavior-based detection.
- Monitor for unusual IIS module installations.
- Audit server configurations and enforce strict access controls.
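One way to act on the "monitor for unusual IIS module installations" and "audit server configurations" steps, as an added example that is not part of the original article: an offline triage of a collected applicationHost.config that flags native modules registered from anywhere other than the stock inetsrv directory. The sample XML, its module names and the C:\inetpub\temp path are constructed for demonstration.

```python
# Added example (not from the original article): offline triage of a collected
# IIS applicationHost.config (%windir%\System32\inetsrv\config) for native modules
# registered outside the stock inetsrv directory. Sample data below is constructed.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Stock IIS native modules are DLLs located directly in this directory.
TRUSTED_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")

def _expand(image):
    # applicationHost.config writes %windir%; expand it so paths compare cleanly.
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))

def find_suspicious_modules(config_xml, baseline=None):
    """Flag globalModules entries whose image is not a DLL directly under inetsrv, or
    whose name is absent from an optional known-good baseline (a set of names).
    'enabled' records whether the module is also switched on in <modules>."""
    root = ET.fromstring(config_xml)
    enabled = {m.get("name") for m in root.iterfind(".//system.webServer/modules/add")}
    findings = []
    for add in root.iterfind("./system.webServer/globalModules/add"):
        name, image = add.get("name", ""), add.get("image", "")
        path = _expand(image)
        reasons = []
        if path.parent != TRUSTED_DIR:
            reasons.append("image outside inetsrv")
        if path.suffix.lower() != ".dll":
            reasons.append("unexpected extension")
        if baseline is not None and name not in baseline:
            reasons.append("name not in baseline")
        if reasons:
            findings.append({"name": name, "image": image,
                             "enabled": name in enabled, "reasons": reasons})
    return findings

# Constructed sample: one stock module plus one registered from a writable path.
SAMPLE = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="CachesModule" image="C:\inetpub\temp\caches.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" />
      <add name="CachesModule" />
    </modules>
  </system.webServer>
</configuration>"""
```

Running find_suspicious_modules(SAMPLE) reports only CachesModule, marked as enabled; pass a baseline of the module names from a known-clean server of the same IIS version to also catch impostors dropped into inetsrv itself.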
This campaign highlights the growing sophistication of web server attacks that leverage legitimate tools to maintain stealth and persistence.