OP-512 attacks IIS servers with custom web shells

Published on June 06, 2026 | Translated from Spanish

A group of cybercriminals identified as OP-512 has set its sights on Microsoft IIS servers. They use a custom web shell framework that gives the attackers remote control of compromised systems. The operation is characterized by its stealth and by its exploitation of known vulnerabilities in web applications. Administrators are advised to review access logs and update their systems to mitigate the risk of compromise.


Technical analysis of the web shell framework 🛡️

OP-512's framework deploys web shell modules in languages such as ASPX and PowerShell. These modules establish encrypted connections to command and control servers, evading basic detection systems. Once inside, the attackers execute commands, exfiltrate data, and deploy additional malware payloads. The framework's modularity lets OP-512 adapt each attack to the target IIS server's configuration, which complicates the creation of universal detection signatures.
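Because the report points administrators at their access logs, here is an added defender-side example (not code from the original article or from any OP-512 sample): it parses IIS W3C-format access logs and flags requests to ASPX/ASHX/ASMX scripts that are either absent from the deployment baseline or sit in directories that should hold only content, then counts hits per file and client so a repeatedly POSTed script stands out. The sample log, the baseline set and the content-only directory list are constructed assumptions.

```python
from collections import Counter
SCRIPT_EXT = (".aspx", ".ashx", ".asmx")
STATIC_DIRS = ("/uploads/", "/images/")           # assumed content-only dirs
KNOWN_SCRIPTS = {"/default.aspx", "/login.aspx"}  # assumed deployment baseline

# Constructed sample in IIS W3C extended format; paths and IPs are invented.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2026-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 198.51.100.7 Mozilla/5.0 200
2026-06-01 10:00:09 10.0.0.5 POST /login.aspx - 198.51.100.7 Mozilla/5.0 302
2026-06-01 10:01:30 10.0.0.5 POST /uploads/img/preview.aspx - 203.0.113.9 python-requests/2.31 200
2026-06-01 10:01:31 10.0.0.5 POST /uploads/img/preview.aspx - 203.0.113.9 python-requests/2.31 200
2026-06-01 10:02:00 10.0.0.5 GET /images/logo.png - 198.51.100.7 Mozilla/5.0 200
2026-06-01 10:02:45 10.0.0.5 POST /api/legacy.aspx - 203.0.113.9 python-requests/2.31 200
"""

def parse_w3c(text):
    """Yield one dict per request line, mapping columns via the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("request line before #Fields directive")
        else:
            values = line.split()
            if len(values) == len(fields):   # skip malformed lines, don't misalign
                yield dict(zip(fields, values))

def find_suspicious(text):
    """Return (reason, path, client_ip, method) for script hits outside the baseline."""
    findings = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        if path.startswith(STATIC_DIRS):
            reason = "script in content-only directory"
        elif path not in KNOWN_SCRIPTS:
            reason = "script not in deployment baseline"
        else:
            continue
        findings.append((reason, path, rec["c-ip"], rec["cs-method"]))
    return findings

def hits_per_client(findings):
    """Count findings per (path, client) so repeated POSTs to one file stand out."""
    return Counter((path, ip) for _, path, ip, _ in findings)
```

On the sample, `hits_per_client(find_suspicious(SAMPLE_LOG))` reports two POSTs to the script under /uploads/ and one to the unlisted /api/legacy.aspx, both from the same client.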

The web shell: the Airbnb of cybercriminals 🏠

OP-512 has found in web shells the digital equivalent of leaving the front door open. Only here, instead of squatters, malicious scripts walk in and install themselves as if they were part of the family. Administrators wonder: did anyone order pizza? Because these attackers have already settled into the server and even changed the Wi-Fi password. The worst part is that they don't give notice when they leave.