In early 2025, AhnLab Security Intelligence Center (ASEC) discovered a targeted attack campaign dubbed Larva-25003, believed to be operated by Chinese-speaking threat actors. The attackers gained access to poorly secured Microsoft IIS web servers in South Korea and deployed a combination of malware tools to maintain persistence, evade detection, and intercept HTTP traffic. Central to the attack was a malicious native IIS module registered using the appcmd.exe utility. Once loaded into the w3wp.exe process, the module intercepted all incoming requests and modified responses to include redirect scripts, phishing content, or affiliate links, enabling both espionage and monetization.
The threat actor also leveraged a fileless .NET loader malware, which decrypted and executed web shell code in memory; Gh0st RAT for full remote control; and a custom rootkit utility ("HijackDriverManager") to hide these components from detection. The IIS module registered handlers for multiple pipeline events, giving it complete control over the request pipeline, and chose its behaviour by URI pattern: injecting banner ads, serving phishing pages, or uploading tools. The campaign reflects a blend of traditional APT capabilities with monetization strategies such as ad injection and redirection, highlighting the evolving objectives of web server compromises.
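As an added example, not code from the ASEC report: a small offline audit that parses an IIS applicationHost.config (the file into which appcmd.exe writes native-module registrations) and flags global modules loaded from outside the inetsrv directory, which is where a module like the one described above would stand out. The sample config, the module name "HttpCompressionEx" and its path are constructed for illustration, not indicators from the campaign.

```python
# Offline audit of an IIS applicationHost.config for native (global) modules
# registered outside the directory Microsoft's own modules are loaded from.
# The config below is a constructed sample; "HttpCompressionEx" and its image
# path are hypothetical, not indicators from the Larva-25003 report.
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\\System32\\inetsrv\\cachhttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="HttpCompressionEx" image="C:\\inetpub\\temp\\httpcmp.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories from which IIS's built-in native modules are normally loaded.
TRUSTED_DIRS = (r"c:\windows\system32\inetsrv", r"c:\windows\syswow64\inetsrv")


def normalize_image(path: str, windir: str = r"C:\Windows") -> str:
    """Expand %windir% / %SystemRoot%, unify separators and lower-case the path."""
    # A lambda replacement avoids re.sub interpreting backslashes in windir.
    expanded = re.sub(r"%(windir|systemroot)%", lambda m: windir, path, flags=re.IGNORECASE)
    return expanded.replace("/", "\\").lower()


def find_suspicious_modules(config_xml: str) -> list[dict]:
    """Return each <globalModules><add> whose image is not under a trusted inetsrv dir."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            if not normalize_image(image).startswith(TRUSTED_DIRS):
                findings.append({"name": name, "image": image,
                                 "reason": "native module image outside inetsrv"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"[!] global module {f['name']!r} loads {f['image']} ({f['reason']})")
```

A hit means the module deserves review (publisher signature, file hash, install date), not automatic removal, since legitimately installed third-party modules can also live outside inetsrv.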