Made with 💙 by Wiz

Last Updated: April 3, 2025

Cloud Threat Landscape / Incidents

Attacks on Korean IIS & Linux Servers

Type: Campaign
Actors: Unknown
Pub. date: June 25, 2025
Initial access: 1-day vulnerability
Impact: Data exfiltration
Observed techniques: Vulnerability exploitation, Webshell deployment
Observed tools: China Chopper, Godzilla, SUPERSHELL, fscan
Targeted technologies: Microsoft IIS
References: https://asec.ahnlab.com/en/88627/
Status: Finalized
Last edited: Jun 30, 2025 12:56 PM

In June 2025 researchers documented a campaign that breaches vulnerable South Korean IIS web servers—and sometimes adjacent Linux hosts—by uploading ASP/ASPX web shells through file-upload flaws. Once the shell is in place, the operators fan out: they run basic host discovery commands, scan the internal network with Fscan, and escalate privileges with PowerLadon’s SweetPotato exploit to escape the low-privilege w3wp.exe worker-process context. Evidence shows the same infrastructure distributes an ELF build of WogRAT, tying the intrusion to an actor previously seen abusing the aNotepad service and hinting at a cross-platform focus.

With SYSTEM-level access secured, the attackers install dual command-and-control backdoors—SuperShell (Go, reverse shell) and MeshAgent (remote desktop & file-transfer features)—plus a generic proxy tool, giving them interactive control and RDP/VNC access. They harvest credentials via Network Password Dump, then pivot laterally using WMIExec and Ladon modules (e.g., Runas, MssqlCmd) to reach other Windows hosts and MS-SQL servers.
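The two footprints this chain leaves in endpoint telemetry are the IIS worker process (w3wp.exe) spawning discovery commands or a scanner, and a child of w3wp.exe running as SYSTEM after the token escape. The triage script below is an added example, not code from Wiz or the AhnLab report; the event fields, tool names beyond fscan, and sample records are constructed assumptions shaped like Sysmon process-creation events.

```python
"""Flags w3wp.exe spawning discovery tools or a scanner, and w3wp.exe children
running as SYSTEM (the footprint of a SweetPotato-style escape). Samples are constructed."""
import json

# fscan is named in the write-up; the rest are common host-discovery binaries.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe",
                       "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "fscan.exe"}

def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (severity, reason) for one event, or None if it looks benign."""
    if basename(event["parent_image"]) != "w3wp.exe":
        return None
    child = basename(event["image"])
    # App pools normally run as a virtual account (IIS APPPOOL\<name>), so a
    # SYSTEM child of the worker process means the token has been upgraded.
    if event["user"].upper() == "NT AUTHORITY\\SYSTEM":
        return ("high", f"{child} spawned by w3wp.exe is running as SYSTEM")
    if child in SUSPICIOUS_CHILDREN:
        return ("medium", f"w3wp.exe spawned {child}: likely web shell command")
    return None  # e.g. csc.exe compiling ASP.NET pages is expected

def scan(lines):
    """Parse JSON-lines process-creation events; return alerts in input order."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        hit = classify(ev)
        if hit:
            alerts.append({"pid": ev["pid"], "severity": hit[0], "reason": hit[1]})
    return alerts

# Constructed samples shaped like Sysmon Event ID 1 (process create) records.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
POOL = r"IIS APPPOOL\DefaultAppPool"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe", "parent_image": W3WP, "user": POOL, "cmdline": "cmd.exe /c whoami"},
    {"pid": 4188, "image": r"C:\Windows\Temp\fscan.exe", "parent_image": W3WP, "user": POOL, "cmdline": "fscan.exe"},
    {"pid": 4300, "image": r"C:\Users\Public\agent.exe", "parent_image": W3WP, "user": r"NT AUTHORITY\SYSTEM", "cmdline": "agent.exe"},
    {"pid": 4412, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice", "cmdline": "cmd.exe"},
    {"pid": 4520, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent_image": W3WP, "user": POOL, "cmdline": "csc.exe /noconfig"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["reason"])
```

The csc.exe record is included deliberately: ASP.NET compiles pages under w3wp.exe, so a rule keyed only on "w3wp.exe has a child" would page on every deployment.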
