Cybersecurity researchers have uncovered a sophisticated web shell attack targeting Microsoft Internet Information Services (IIS) servers that gives threat actors complete remote control over compromised systems. The malicious script, identified as “UpdateChecker.aspx,” represents a significant escalation in web shell complexity: it employs advanced obfuscation techniques to evade detection while maintaining persistent access to critical infrastructure.

The attack emerged from a broader investigation into cyber intrusions targeting critical national infrastructure in the Middle East, where threat actors successfully deployed multiple web shell servers across compromised systems. Fortinet researchers Xiaopeng Zhang and John Simmons identified the malware during their follow-up analysis of the Middle East infrastructure breach, noting its sophisticated design and potentially devastating impact on affected organizations.

Its deployment specifically targets IIS servers, which are commonly used in enterprise environments for hosting web applications and services, making it a valuable asset for threat actors seeking to establish long-term persistence within organizational networks.

Functionally, the web shell organizes its capabilities into three distinct modules: Base for system reconnaissance, CommandShell for executing Windows commands with IIS privileges, and FileManager for comprehensive file system operations. Unlike traditional web shells that rely on simple PHP or ASP scripts, this variant leverages heavily obfuscated C# code embedded within an ASPX webpage file, making analysis considerably more challenging for security teams. This modular architecture enables attackers to perform various malicious activities, from initial system enumeration to advanced file manipulation and command execution, all while maintaining the appearance of legitimate IIS server activity.
The web shell’s ability to operate seamlessly within Windows IIS environments while maintaining stealth through advanced obfuscation techniques makes it particularly dangerous for enterprise environments. Its command traffic uses a dual-encryption scheme: the first 16 bytes of each message carry a key encrypted with hardcoded values, and the command data that follows is encrypted with a 15-byte key derived from it.
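A log-hunting check a defender might run for the activity described above, added here as an example that is not from the article or from Fortinet's analysis: it parses IIS W3C logs using the `#Fields` directive and flags requests to the reported web shell file name or POSTs to any ASPX page outside an allowlist. The log lines are constructed, and the allowlist (`KNOWN_ASPX`) and path under `/aspnet_client/` are assumptions.

```python
from collections import defaultdict

# Constructed sample IIS W3C log excerpt (not real data); user agents simplified.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2025-07-28 10:15:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.20 Mozilla/5.0 200 5120 310 15
2025-07-28 10:15:09 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 1812 2044 120
2025-07-28 10:16:30 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 9712 640 95
2025-07-28 10:17:02 10.0.0.5 GET /updatechecker.aspx - 443 - 203.0.113.7 python-requests/2.31 404 0 200 3
"""

KNOWN_ASPX = {"/index.aspx"}           # assumed allowlist of legitimate ASPX endpoints (lowercase)
WEBSHELL_NAME = "updatechecker.aspx"   # file name reported in the article, compared case-insensitively

def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip malformed rows rather than misalign columns
                yield dict(zip(fields, values))

def hunt(text):
    """Return {client_ip: [(time, method, uri, status)]} for ASPX requests that either
    hit the reported web-shell file name (any method, any status code) or are POSTs to
    an ASPX page not on the allowlist (a web shell needs a server-side script to exist,
    so a 404 probe is still worth recording)."""
    findings = defaultdict(list)
    for e in parse_w3c(text):
        uri = e["cs-uri-stem"].lower()
        if not uri.endswith(".aspx"):
            continue
        named_hit = uri.rsplit("/", 1)[-1] == WEBSHELL_NAME
        unknown_post = e["cs-method"] == "POST" and uri not in KNOWN_ASPX
        if named_hit or unknown_post:
            findings[e["c-ip"]].append((e["time"], e["cs-method"], e["cs-uri-stem"], e["sc-status"]))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} suspicious request(s)")
        for h in hits:
            print("   ", *h)
```

Run it over a real `u_ex*.log` by replacing `SAMPLE_LOG` with the file contents; pairing hits with a file listing of the IIS webroot confirms whether the requested ASPX actually exists on disk.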
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 29 Jul 2025 06:35:20 +0000