Attacks on Korean IIS & Linux Servers

Type

Campaign

Actors

❓Unknown

Pub. date

June 25, 2025

Initial access

1-day vulnerability

Impact

Data exfiltration

Observed techniques

Vulnerability exploitationWebshell deployment

Observed tools

China ChopperGodzillaSUPERSHELLfscan

Targeted technologies

Microsoft IIS

References

https://asec.ahnlab.com/en/88627/

Status

Finalized

Last edited

Jun 30, 2025 12:56 PM

In June 2025 researchers documented a campaign that breaches vulnerable South-Korean IIS web servers—and sometimes adjacent Linux hosts—by uploading ASP/ASPX web shells through file-upload flaws. Once the shell is in place, the operators fan out: they run basic host discovery commands, scan the internal network with Fscan, and escalate privileges with PowerLadon’s SweetPotato exploit to escape the low-privilege w3wp.exe context. Evidence shows the same infrastructure distributes an ELF build of WogRAT, tying the intrusion to an actor previously seen abusing the aNotepad service, and hinting at a cross-platform focus.

With SYSTEM-level access secured, the attackers install dual command-and-control backdoors—SuperShell (Go, reverse shell) and MeshAgent (remote desktop & file-transfer features)—plus a generic proxy tool, giving them interactive control and RDP/VNC access. They harvest credentials via Network Password Dump, then pivot laterally using WMIExec and Ladon modules (e.g., Runas, MssqlCmd) to reach other Windows hosts and MS-SQL servers.

In June 2025 researchers documented a campaign that breaches vulnerable South-Korean IIS web servers—and sometimes adjacent Linux hosts—by uploading ASP/ASPX web shells through file-upload flaws. Once the shell is in place, the operators fan out: they run basic host discovery commands, scan the internal network with Fscan, and escalate privileges with PowerLadon’s SweetPotato exploit to escape the low-privilege w3wp.exe context. Evidence shows the same infrastructure distributes an ELF build of WogRAT, tying the intrusion to an actor previously seen abusing the aNotepad service, and hinting at a cross-platform focus.

With SYSTEM-level access secured, the attackers install dual command-and-control backdoors—SuperShell (Go, reverse shell) and MeshAgent (remote desktop & file-transfer features)—plus a generic proxy tool, giving them interactive control and RDP/VNC access. They harvest credentials via Network Password Dump, then pivot laterally using WMIExec and Ladon modules (e.g., Runas, MssqlCmd) to reach other Windows hosts and MS-SQL servers.