IIS web servers hit by stealthy web shell attacks

Imagine a hidden door in your web server that lives for months—unseen, untouched, until one day it’s used to siphon data, deploy malware, or fully control your system. That’s exactly what’s happening: IIS web servers are being compromised by stealthy web shell attacks.

IIS Servers Under Siege

Recently, security researchers uncovered a sophisticated web shell dubbed UpdateChecker.aspx deployed on Microsoft IIS servers, especially in critical infrastructure attacks. Crafted in C# and heavily obfuscated, it grants complete remote control to adversaries.

Unlike typical PHP or plain ASP shells, this script uses randomly generated Unicode‑encoded names for methods and variables, encrypted constants, and a communication pattern using HTTP POSTs with application/octet-stream. Commands inside are structured JSON—ProtocolVersion, ModuleName, RequestName—wrapped in dual‑layer encryption: a 16‑byte header decoded into a session key, then the command payload encrypted with that key.

Once inside, attackers can gather system information, execute commands, upload or delete files, move directories, and even search file contents. This is not an average intrusion; it is full control of the host.

Who’s Behind It and How They Deploy It

This campaign appears tied to nation‑state or advanced threat groups—Middle East infrastructure breach reports highlight Fortinet’s investigation into UpdateChecker.aspx. Meanwhile, the Lazarus Group has been deploying ASP‑based shells on IIS servers, using variants of “RedHat Hacker,” “file_uploader_ok.asp,” and “find_pwd.asp” to handle file control, SQL queries, and command execution.

Another campaign used native IIS modules—registering malicious DLLs like caches.dll through AppCmd.exe to intercept all web traffic and hijack HTTP requests, inject affiliate ads, phishing links, or run hidden file upload services—all under the guise of normal IIS components.

Why Stealth Web Shells Succeed

  • Obfuscation and encryption: method names, strings, and control flow are obfuscated or encrypted to evade signature-based and static scanning tools.
  • Legitimate channel abuse: Using IIS’s own process (w3wp.exe) and management tools for execution, they blend into regular server workflow.
  • Minimal footprint: No noisy alerts, no abnormal traffic—just periodic small POSTs, file changes, or encoded data exfiltration.

Real World Impact

In one incident, attackers exploited misconfigured pages (batchupload.aspx, email_settings.aspx) to upload ASP shells. They executed reconnaissance commands (like whoami, systeminfo), installed AnyDesk for remote access, created new user accounts, and even archived directories using 7‑Zip (_x89z7a.zip), then exfiltrated it via GET requests and deleted it to cover tracks.

Other campaigns involved implanted native modules that could intercept every HTTP request, inject phishing or affiliate content, and stay hidden using rootkit drivers.

Detection: Why It Often Goes Unnoticed

Standard antivirus and web filters struggle. These shells masquerade as innocuous .aspx files, encrypted and placed in legitimate-looking directories. Their traffic looks like routine, low-volume POST requests and triggers no signature alarms.

Better signals lie in behaviors:

  • w3wp.exe spawning cmd.exe, powershell.exe, certutil.exe—unusual for IIS to launch such tools.
  • Abrupt creation of script files in web directories by the IIS process.
  • Repeated small POSTs to uncommon .aspx URIs.
  • Encrypted binaries delivered to servers.
  • Scheduled tasks or COM assemblies added via IIS components or SharePoint, which are typically tied to the initial compromise.

What Organizations in North Carolina—and Everywhere—Must Do

Patch. Audit. Harden.

  • Immediately install critical patches, including those associated with CVE‑2025‑53770 impacting SharePoint and IIS environments.
  • Regularly review file upload endpoints, validate inputs, and reinforce access permissions.

Monitor Logs, Hunt Threats

  • Ingest IIS logs into a SIEM (e.g. Splunk) and alert on repeated POSTs to the same .aspx URI from the same source IP that return status 200. Correlate with SQL Server logs for xp_cmdshell use or invocation of suspicious system tools.
  • Use behavior analytics: alert on w3wp.exe launching unauthorized child processes.
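The log-based signal above (repeated successful POSTs to uncommon .aspx URIs from one client) as a small hunting script, added here as an example and not taken from the article or any vendor tool. It assumes IIS W3C extended logging with the default field set; the log lines and the KNOWN_PAGES allowlist are constructed for illustration.

```python
"""Added example (not from the article): flag repeated successful POSTs to
uncommon .aspx URIs in IIS W3C logs. KNOWN_PAGES is a constructed allowlist;
a real deployment would derive it from the site's actual pages."""
from collections import Counter

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2025-07-01 10:00:01 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2025-07-01 10:00:05 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 40
2025-07-01 10:01:00 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 198.51.100.9 - - 200 0 0 8
2025-07-01 10:01:31 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 198.51.100.9 - - 200 0 0 9
2025-07-01 10:02:02 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 198.51.100.9 - - 200 0 0 7
2025-07-01 10:03:00 10.0.0.5 POST /batchupload.aspx - 443 - 192.0.2.44 Mozilla/5.0 - 200 0 0 55
2025-07-01 10:03:10 10.0.0.5 POST /batchupload.aspx - 443 - 192.0.2.44 Mozilla/5.0 - 500 0 0 55
"""
KNOWN_PAGES = {"/default.aspx", "/login.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, naming columns from #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated/garbled lines
                yield dict(zip(fields, values))


def repeated_aspx_posts(text, threshold=3, known=KNOWN_PAGES):
    """Return {(client_ip, uri): count} for HTTP-200 POSTs to .aspx pages
    outside the allowlist, seen at least `threshold` times from one client."""
    hits = Counter()
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if (rec["cs-method"] == "POST" and uri.endswith(".aspx")
                and rec["sc-status"] == "200" and uri not in known):
            hits[(rec["c-ip"], uri)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, uri), n in repeated_aspx_posts(SAMPLE_LOG).items():
        print(f"suspicious: {n} successful POSTs from {ip} to {uri}")
```

Tune the threshold to the site's real traffic; the same counting logic maps directly onto a SIEM query grouping on c-ip and cs-uri-stem.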

Deploy Endpoint and Web Defenses

  • Use modern EDR/XDR capable of behavior‑based blocking—detecting file writes by IIS process, suspicious process trees, encoded PowerShell, cmd.exe calls.
  • Filter web traffic with URL rewrite rules blocking known shell names like cmd.aspx, shell.aspx, eval.aspx.

Scan and Hunt Proactively

  • Run tools like ShellSweepX or SharPyShell to identify high‑entropy suspicious files in web root.
  • Simulate attacks using Atomic Red Team techniques or SequelEyes to validate that detections fire.

Managed IT Services & Cybersecurity Support

  • Engage managed IT services or cybersecurity providers to build continuous monitoring, incident response playbooks, and staff training.
  • Managed IT support can enforce multi‑factor authentication, network segmentation, application whitelisting, secure configurations, and periodic threat assessments.

Bottom Line

IIS web servers are under active assault by stealthy web shell attacks. These threats blend into legitimate server activity through obfuscation and encryption. Once inside, they allow complete control—data theft, file manipulation, remote execution, persistence.

What matters is behavioral detection, not just patching or antivirus. Monitoring for unusual child processes, repeated POST requests, and encrypted payloads is vital. Security teams must hunt proactively, scan intelligently, and harden configurations.

If you rely on IIS servers—for anything from websites to internal portals—don’t wait. Strengthen your logs, deploy behavioral detection, hire managed cybersecurity services, and stay on top of updates. That hidden door may be opened already. Better find it and shut it now.
