Initial access leverages IIS applications configured with reused or publicly known machineKey values (validationKey/decryptionKey), which lets the actor forge __VIEWSTATE payloads that deserialize to arbitrary command execution. After gaining a foothold, REF3927 deploys Godzilla-family webshells (e.g., 1.aspx) and GotoHTTP for GUI access, attempts account creation and credential dumping (via Mimikatz), and finally drops TOLLBOOTH as native (.dll) or .NET IIS modules registered globally and placed at C:\Windows\System32\inetsrv\{scripts.dll,caches.dll} (also under SysWOW64).
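As an added illustration of the weakness the initial-access stage relies on (this is example code written for this page, not the report's or the actors' tooling), the following audit reads an ASP.NET web.config and flags a static machineKey or a disabled ViewState MAC. Both config documents and the key values in them are constructed samples; static keys are legitimate in web farms, so a finding is a prompt to verify the key is unique and secret, not proof of compromise.

```python
# Added example: audit an ASP.NET web.config for ViewState-related weaknesses.
# Constructed sample configs; not code from the report or the actors' tooling.
import xml.etree.ElementTree as ET

# Constructed: static keys pasted into web.config (the kind of shared/public
# value the report describes), plus ViewState MAC switched off.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed: keys generated per application at startup, MAC left on.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_web_config(config_xml: str) -> list:
    """Return human-readable findings for one web.config; empty list = nothing flagged."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET's default when the attribute is absent is AutoGenerate,IsolateApps
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if "AutoGenerate" not in value:
                findings.append(
                    f"static {attr} in web.config: confirm it is unique to this app, "
                    "never copied from a public sample, and rotate it after any compromise")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(
                "enableViewStateMac=false: ViewState integrity check disabled, "
                "so forged __VIEWSTATE needs no key at all")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```

Run it over every web.config (and the server-level machine.config) on an exposed IIS host. On patched .NET Framework builds the enableViewStateMac attribute is ignored, but its presence still marks an application that was built to run without a MAC and deserves a closer look. Rotating keys that are flagged is the fix the report ties to stopping re-infection.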
The module pulls per-victim configuration from c[.]cseo99[.]com/config/<host>.json, caches artifacts under C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C\ (native) or C:\Windows\Temp\AcpLogs\ (.NET; AES key YourSecretKey123, IV 0123456789ABCDEF), and exposes the operator endpoints /health, /debug, /conf and /clean. Native builds also serve page-hijacking JavaScript from Alibaba CDN links (e.g., mlxya[.]oss-accelerate[.]aliyuncs[.]com/...) to replace page content or redirect users.
To evade detection and persist, REF3927 deploys a kernel-driver rootkit derived from Hidden (e.g., Wingtb.sys, service "Wingtb"), controlled by WingtbCLI.exe/HijackDriverManager.exe, which uses DKOM to hide processes, files and registry keys; minifilter hooks conceal the module files and config, and registry callbacks mask the service keys. The tooling packages also include noisy log clearing (deleting Windows Event Logs) and ACL changes, and may set WDigest\UseLogonCredential=1 to ease credential theft. Parallel reporting notes a PHP/Apache variant and a .NET re-implementation, and hundreds of observed infections, with recurring re-infections where machine keys aren't rotated.
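To turn the indicators in the two paragraphs above (operator endpoints, module and cache paths, webshell name, rootkit driver and controller names) into something a responder can run, here is an added hunt script; it is example code for this page, not the report's own tooling. The IIS log lines and file listing are constructed samples; the field layout is the standard W3C format IIS writes, and the indicator strings are exactly the ones quoted on this page.

```python
# Added example: hunt IIS W3C logs and a file listing for the TOLLBOOTH /
# REF3927 indicators named in the text. Sample log lines and paths are constructed.
OPERATOR_ENDPOINTS = {"/health", "/debug", "/conf", "/clean"}
MODULE_PATHS = {
    r"c:\windows\system32\inetsrv\scripts.dll",
    r"c:\windows\system32\inetsrv\caches.dll",
    r"c:\windows\syswow64\inetsrv\scripts.dll",
    r"c:\windows\syswow64\inetsrv\caches.dll",
}
CACHE_DIRS = (
    r"c:\windows\temp\_fab234cd3-09434-8898d-bffc-4e23123df2c",
    r"c:\windows\temp\acplogs",
)
WEBSHELL_NAMES = {"1.aspx"}
ROOTKIT_NAMES = {"wingtb.sys", "wingtbcli.exe", "hijackdrivermanager.exe"}

# Constructed IIS log excerpt in W3C format (one benign client, one suspicious one).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-01 10:00:00 10.0.0.5 GET /default.aspx - 80 203.0.113.7 200
2024-01-01 10:00:01 10.0.0.5 POST /1.aspx - 80 203.0.113.7 200
2024-01-01 10:00:02 10.0.0.5 GET /conf - 80 203.0.113.7 200
2024-01-01 10:00:03 10.0.0.5 GET /clean - 80 203.0.113.7 200
2024-01-01 10:00:04 10.0.0.5 GET /images/logo.png - 80 198.51.100.2 200
"""

# Constructed file listing (e.g. from an offline disk image, since the rootkit
# hides these paths from a live directory walk). The drivers\ path is assumed.
SAMPLE_FILE_LISTING = [
    r"C:\Windows\System32\inetsrv\w3wp.exe",
    r"C:\Windows\System32\inetsrv\scripts.dll",
    r"C:\Windows\Temp\AcpLogs\config.json",
    r"C:\inetpub\wwwroot\1.aspx",
    r"C:\Windows\System32\drivers\Wingtb.sys",
]


def parse_w3c(log_text: str):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def hunt_iis_log(log_text: str) -> list:
    """Flag requests to TOLLBOOTH operator endpoints and POSTs to the webshell name."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem in OPERATOR_ENDPOINTS:
            hits.append(f"{rec['c-ip']} -> {stem} (TOLLBOOTH operator endpoint)")
        elif stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES and rec.get("cs-method") == "POST":
            hits.append(f"{rec['c-ip']} -> POST {stem} (webshell name from report)")
    return hits


def hunt_file_listing(paths) -> list:
    """Flag module, cache, webshell and rootkit artifacts by path or file name."""
    hits = []
    for p in paths:
        low = p.lower()
        name = low.rsplit("\\", 1)[-1]
        if low in MODULE_PATHS:
            hits.append(f"{p}: TOLLBOOTH module location")
        elif low.startswith(CACHE_DIRS):
            hits.append(f"{p}: TOLLBOOTH cache directory")
        elif name in WEBSHELL_NAMES:
            hits.append(f"{p}: webshell file name")
        elif name in ROOTKIT_NAMES:
            hits.append(f"{p}: Hidden-derived rootkit component")
    return hits


if __name__ == "__main__":
    for hit in hunt_iis_log(SAMPLE_IIS_LOG) + hunt_file_listing(SAMPLE_FILE_LISTING):
        print(hit)
```

Two caveats when using this on real data: /health and similar paths are common on legitimate applications, so pivot on the source IP and on whether the same client also touched the webshell or other endpoints; and because the minifilter hides the module files and config from the live system, the file listing should come from an offline image, a boot from trusted media, or an EDR raw-disk read rather than a directory walk on the infected host.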