“By installing their malicious modules on the web server, the threat actor was able to insert their affiliate links into the response values to the HTTP traffic requested from the web server,” according to ASEC reports shared with Cyber Security News.

Researchers observed Chinese-speaking threat actors deploying advanced IIS malware against South Korean web servers, allowing attackers to intercept and manipulate all incoming web traffic while remaining hidden from security solutions. After establishing a foothold, attackers deploy a multi-stage attack chain consisting of a .NET loader malware functioning as a WebShell, followed by a malicious IIS native module that provides persistent control over the compromised server.

Security researchers attribute this campaign to a Chinese-speaking threat group based on multiple indicators, including the use of Gh0st RAT malware and Chinese-language components in the attack tools. This attack highlights the growing sophistication of web server attacks that leverage legitimate administrative tools and native module capabilities to achieve persistence and stealth.
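Because the persistence described above relies on a native module registered with IIS, one defensive check is to compare the `<globalModules>` section of a collected applicationHost.config against a known-good baseline. The sketch below is an added example, not code from ASEC or the article; the baseline, the sample configuration, the module name `ExampleCacheHelper` and its paths are constructed, and Windows is assumed to be installed at C:\Windows.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumption: Windows is installed at C:\Windows on the audited server.
WINDIR = r"c:\windows"
INETSRV = WINDIR + r"\system32\inetsrv"

# Constructed baseline (module name -> image) recorded from a known-good build.
BASELINE = {
    "HttpCacheModule": r"%windir%\System32\inetsrv\cachhttp.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "UriCacheModule": r"%windir%\System32\inetsrv\cachuri.dll",
}

# Constructed sample of the <globalModules> section of applicationHost.config.
SAMPLE_CONFIG = r"""<configuration><system.webServer><globalModules>
  <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
  <add name="StaticFileModule" image="%SystemRoot%\system32\inetsrv\static.dll" />
  <add name="UriCacheModule" image="C:\Windows\Temp\cachuri.dll" />
  <add name="ExampleCacheHelper" image="C:\ProgramData\example\cachehelper.dll" />
</globalModules></system.webServer></configuration>"""


def normalize(image):
    """Lower-case the path and expand %windir% / %SystemRoot% so entries compare equal."""
    path = image.lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, WINDIR)
    return ntpath.normpath(path)


def audit_global_modules(config_xml, baseline):
    """Return registered native modules that are unknown or load from an unexpected image."""
    findings = []
    for section in ET.fromstring(config_xml).iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), normalize(add.get("image", ""))
            expected = baseline.get(name)
            if expected is None:
                reason = "not in baseline"
            elif normalize(expected) != image:
                reason = "image path differs from baseline"
            else:
                continue  # name and image both match the baseline
            findings.append({"name": name, "image": image, "reason": reason,
                             "outside_inetsrv": not image.startswith(INETSRV + "\\")})
    return findings


if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG, BASELINE):
        print(finding)
```

A finding is a triage lead rather than a verdict: legitimately installed add-on modules also live outside inetsrv, so each flagged DLL still needs its signature and hash checked.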
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 09 May 2025 07:30:01 +0000