A sophisticated attack campaign targeting Windows IIS web servers with stealthy malicious native modules.
Researchers observed Chinese-speaking threat actors deploying advanced IIS malware against South Korean web servers, allowing attackers to intercept and manipulate all incoming web traffic while remaining hidden from security solutions.
Multi-Stage Attack Targeting IIS Servers
The campaign, discovered in February 2025, begins with threat actors gaining initial access to poorly managed web servers.
After establishing a foothold, attackers deploy a multi-stage attack chain consisting of a .NET loader malware functioning as a WebShell, followed by a malicious IIS native module that provides persistent control over the compromised server.
The attackers cleverly abuse legitimate IIS administrative tools to install their malware, using the standard AppCmd[.]exe utility with the following command:
This command registers the malicious module “caches.dll” as a legitimate IIS component named “IsapiCachesModule,” ensuring it’s loaded by 64-bit worker processes (w3wp[.]exe).
The AhnLab Security Intelligence Center (ASEC) states that once installed, the malicious native module inserts hooks at three critical points in the HTTP request pipeline:
- OnGlobalPreBeginRequest: Intercepts requests at the global level
- OnBeginRequest: Captures the first call in the request-level pipeline
- OnSendResponse: Controls response data just before transmission to users
The module contains five malicious classes that provide attackers with comprehensive control capabilities:
- WebdllServer: Executes ASP files by parsing query strings when the URL contains “web.dll”
- RedirectServer: Manipulates HTTP responses to redirect victims to attacker-controlled pages
- AffLinkServer: Injects affiliate banners through malicious cookies or parameters
- HiJackServer: Responds to hidden URIs for configuration management
- UploadServer: Provides covert file upload functionality
To avoid detection, the attackers deploy a rootkit utility called “HijackDriverManager” with a Chinese-language interface. This tool leverages the Winkbj.sys rootkit driver to hide malicious files, registry keys, and processes from security products.
The compromised systems also showed evidence of Gh0st RAT, a powerful backdoor commonly used by Chinese APT groups, communicating with the command and control server at 47.236.9[.]229:10086.
Security researchers attribute this campaign to a Chinese-speaking threat group based on multiple indicators, including the use of Gh0st RAT malware and Chinese-language components in the attack tools. The attackers appear motivated by both financial gain and data theft.
“By installing their malicious modules on the web server, the threat actor was able to insert their affiliate links into the response values to the HTTP traffic requested from the web server,” ASEC said in a report shared with Cyber Security News.
“Additionally, the threat actor used the malware to install phishing pages and redirect users to them, thereby leaking sensitive information.”
Mitigations
Server administrators are urged to implement several security measures:
- Apply the latest security patches to server operating systems
- Enable real-time, behavior-based detection in security products
- Monitor for unusual IIS module installations using AppCmd[.]exe
- Regularly audit web server configurations for unauthorized changes
- Implement rigorous access controls for administrative functions
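The module registration described above and the "monitor for unusual IIS module installations" and "audit web server configurations" mitigations share one artifact: every native module AppCmd installs ends up as an `<add>` entry under `<globalModules>` in applicationHost.config. The script below is an added example (not code from ASEC or from this article) that parses that section and flags entries whose name is not in an administrator-maintained baseline or whose DLL is loaded from outside the IIS system directory; the config fragment, the `BASELINE` set and the `caches.dll` path are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Directory holding Microsoft's own native modules; a globalModules entry whose
# DLL lives anywhere else is worth a closer look.
TRUSTED_DIR = r"%windir%\System32\inetsrv"

# Constructed applicationHost.config fragment (not a real capture): two stock
# entries plus one of the kind a rogue "caches.dll" registration would leave.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="IsapiCachesModule" image="C:\\inetpub\\temp\\caches.dll" preCondition="bitness64" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Names an administrator recorded on a known-good server (hypothetical baseline).
BASELINE = {"HttpLoggingModule", "StaticFileModule"}

def parse_global_modules(xml_text):
    """Return (name, image, preCondition) for each <add> under <globalModules>."""
    root = ET.fromstring(xml_text)
    entries = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            entries.append((add.get("name", ""), add.get("image", ""),
                            add.get("preCondition", "")))
    return entries

def audit_global_modules(xml_text, baseline):
    """Flag native modules not in the baseline or loaded from outside inetsrv."""
    findings = []
    for name, image, pre in parse_global_modules(xml_text):
        reasons = []
        if name not in baseline:
            reasons.append("name not in baseline")
        if not image.lower().startswith(TRUSTED_DIR.lower()):
            reasons.append("image outside " + TRUSTED_DIR)
        if reasons:
            findings.append({"name": name, "image": image,
                             "preCondition": pre, "reasons": reasons})
    return findings

def audit_file(path, baseline):
    """Audit a real config file; IIS writes it as UTF-8 with a BOM."""
    return audit_global_modules(Path(path).read_text(encoding="utf-8-sig"), baseline)
```

On a live server, point `audit_file` at applicationHost.config under the inetsrv\config directory and compare the result against the baseline captured when the server was built; a 64-bit-only precondition on an unfamiliar DLL is exactly the pattern described above.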
This attack highlights the growing sophistication of web server attacks that leverage legitimate administrative tools and native module capabilities to achieve persistence and stealth.