Another day, another cybersecurity report warning that organizations are still running ancient Microsoft server software directly on the internet.
This time, security company ReliaQuest says it uncovered a previously unknown China-linked threat cluster it calls “OP-512,” and honestly, the details are pretty unsettling. According to the company, the attackers targeted outdated Microsoft IIS servers running unsupported .NET Framework software, deployed stealthy web shells, hid their tracks, and maintained long-term access for espionage purposes.
What makes this story stand out is how ReliaQuest says it found the operation in the first place. The company claims its “Agentic AI” system connected a flood of seemingly unrelated security events into one coordinated attack chain. In other words, the AI allegedly spotted patterns human analysts may have missed or at least taken much longer to piece together.
That sounds impressive, although cybersecurity vendors pushing AI products always deserve at least a little skepticism.
Still, the technical details in this report are hard to ignore.
According to ReliaQuest, the compromised server was running Windows Server 2016 alongside .NET Framework 4.0, which Microsoft stopped supporting back in 2016. The attackers allegedly used custom-built web shells that were designed to evade traditional signature-based antivirus detection entirely.
Each deployment was apparently cryptographically unique. The malware randomized code structures, variable names, and file hashes every time it was generated. ReliaQuest says the attackers even manipulated timestamps so malicious files appeared years old, blending in with legitimate system files.
That is the sort of thing that can make incident response a nightmare.
The alleged attackers also used encrypted command handlers protected with RSA and RC4 authentication. ReliaQuest says the setup prevented even other attackers from hijacking the same implants without the correct private cryptographic keys.
Perhaps the creepiest detail is that the web shells reportedly “phoned home” automatically after deployment. The malware allegedly sent DNS requests containing hex-encoded information that quietly reported the exact location of compromised files back to attacker-controlled infrastructure.
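As an added illustration (not code from ReliaQuest's report or from this article), the Python snippet below shows how a defender could hunt DNS query logs for the pattern just described: leading hex-only labels that decode to a file path. The log format, the host name and the `c2-placeholder.invalid` domain are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample DNS query log (not from the report). The second line
# carries a hex-encoded Windows path in its leading labels; the third is a
# hash-like CDN label that must NOT be flagged.
SAMPLE_DNS_LOG = """\
2025-01-10T10:00:01Z host=WEB01 qname=www.microsoft.com qtype=A
2025-01-10T10:00:02Z host=WEB01 qname=433a5c696e65747075625c777777726f6f745c.696d675c63616368652e61737078.c2-placeholder.invalid qtype=A
2025-01-10T10:00:03Z host=WEB01 qname=e3b0c44298fc1c149afbf4c8996fb924.cdn.example.net qtype=A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")            # long, all-hex label
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}        # what a path decodes to
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+)")

def decode_hex_labels(qname: str) -> Optional[str]:
    """Join the leading hex-only labels of a query name and decode them.

    Returns the decoded text only if it is printable ASCII (e.g. a file path).
    Hash-like labels used by CDNs decode to binary noise and yield None.
    """
    hex_part = []
    for label in qname.lower().rstrip(".").split("."):
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            hex_part.append(label)
        else:
            break                      # first non-hex label starts the domain
    if not hex_part:
        return None
    try:
        decoded = bytes.fromhex("".join(hex_part)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not decoded or not all(c in PRINTABLE for c in decoded):
        return None
    return decoded

def scan_dns_log(text: str) -> list:
    """Return one finding per log line whose query name hides printable text."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_hex_labels(m["qname"])
        if decoded is not None:
            findings.append({"ts": m["ts"], "host": m["host"],
                             "qname": m["qname"], "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f['ts']} {f['host']} -> {f['decoded']!r}")
```

The 16-character label threshold is a tuning knob; the printable-ASCII check is what keeps hash-style CDN labels from producing false positives.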
ReliaQuest believes the operation is likely tied to Chinese espionage interests, although the company says the tooling and infrastructure do not fully match previously documented groups. The report compares OP-512 to other China-linked IIS-focused campaigns but argues this cluster appears more advanced and more heavily customized.
Unfortunately, none of this should surprise anyone paying attention to enterprise IT. Old IIS servers sitting on the public internet have been a massive security problem for years, yet companies continue running unsupported Microsoft frameworks long after end-of-life dates pass.
And no, endpoint protection alone did not save the day here either.
ReliaQuest says security software repeatedly killed malicious IIS worker processes, but the attackers simply reloaded their tooling when IIS automatically restarted the services. The company argues automated containment and isolation are becoming mandatory because attackers now move too quickly for slow manual response processes.
Of course, much of the report eventually circles back to promoting ReliaQuest’s GreyMatter platform and AI products. That is typical for threat research published by security vendors. But even with the marketing spin stripped away, the broader warning still matters.
Organizations running legacy IIS infrastructure should probably assume attackers are actively hunting for them right now.
Support independent tech journalism
NERDS.xyz is independently owned and operated. If you enjoy my coverage of Linux, AI, hardware, cybersecurity, and tech culture, consider supporting the site on Ko-fi.