New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework
Jun 05, 2026
Cyber Espionage / Threat Intelligence
Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 (where "OP" stands for "opponent") that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework.

ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China.

"OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities," the company said in a report shared with The Hacker News.

Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it's the fourth such threat group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS web servers over the past 12 months. As recently as last month, Cisco Talos revealed that multiple Chinese-speaking...