{
	"id": "217b9985-079b-49d5-b13b-dcf88f60718d",
	"created_at": "2026-04-06T00:15:42.891624Z",
	"updated_at": "2026-04-10T13:12:00.139701Z",
	"deleted_at": null,
	"sha1_hash": "3c87a06d6a9c0f5827422db2d32a8125f8293fe2",
	"title": "RudePanda owns IIS servers like it's 2003",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2165073,
	"plain_text": "RudePanda owns IIS servers like it's 2003\r\nPublished: 2025-10-21 · Archived: 2026-04-05 16:26:20 UTC\r\nPublished on 21 October, 2025 37min\r\nIdentifier: TRR251001.\r\nSummary\r\nIn late August and early September 2025, our security product detected the compromises of IIS servers\r\nwith a previously undocumented malicious module which we call “HijackServer”. The associated\r\nhttps://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\r\nPage 1 of 23\n\ninfection chain involved the use of previously exposed ASP .NET machine keys and a ready-made\r\ntoolset which notably includes a customised but publicly available rootkit.\r\nInvestigating the case, we discovered variants of the HijackServer module (a .NET alternative for IIS\r\nand a PHP version targeting the Apache server), an extensive operation which infected hundreds of\r\nservers around the world, as well as additional and likely associated infrastructure.\r\nWhile the malicious operators appear to be using Chinese as their main language and leveraging the\r\ncompromises to support search engine optimisation (SEO), we note that the deployed module offers a\r\npersistent and unauthenticated channel which allows any party to remotely execute commands on\r\naffected servers.\r\nNB: on the day we were wrapping this blog post up, Elastic Security Labs, in cooperation with two other\r\norganisations, released an article which describes the same operation and refers to the IIS modules as\r\n“TOLLBOOTH”.\r\nBackground: exploiting viewstate and compromising servers for SEO\r\nInfection chain\r\nOverview\r\nInitial infection: it’s not a secret if it has been public for 20 years\r\nAttackers’ toolset\r\nRootkit and associated usermode command-line tool\r\nGUI deployment tool and associated scripts\r\nHijackServer – IIS module\r\nOverview\r\nFeatures\r\nImplementation details on configuration files\r\nAdditional samples and likely related variants\r\nInfrastructure\r\nTargets\r\nAttribution: 
similarities with previously reported Larva-25003 activity\r\nConclusion: a pool of initial accesses is now available for exploitation\r\nAppendix: indicators and detection rules\r\nIndicators of compromise (IOCs)\r\nYara rules\r\nBackground: exploiting viewstate and compromising servers for SEO\r\nThe exploitability of application data which is stored on the client side (e.g. in a “viewstate”) has been thoroughly\r\ndocumented since 2010 for ASP .NET. Microsoft has been providing safeguards to mitigate such risk, including\r\nimprovements and patches over the years. But exploiting the ASP .NET viewstate remains possible if secrets\r\nknown as “machine keys” are known to the attackers.\r\nIn early 2025, Microsoft warned about the abuse of exposed ASP .NET machine keys to execute malicious code\r\nthrough viewstate manipulation, leading to the compromise of IIS servers. At the time of their publication,\r\nMicrosoft had identified more than 3,000 publicly exposed machine keys in code repositories or programming\r\nforums. During the summer of 2025, the exploitation of SharePoint vulnerabilities notably supported the\r\nexfiltration of ASP .NET machine keys, demonstrating that attackers are still interested in viewstate\r\nexploitation.\r\nAt the same time, the compromise of Microsoft IIS servers by financially motivated threat actors for Search Engine\r\nOptimization (SEO) fraud has been described by several vendors. In 2021, ESET documented several families of\r\nIIS malware, some of which aimed to improve the popularity of certain websites by modifying the HTTP responses\r\nsent to search engine web crawlers. In September last year, Cisco Talos described the activity of a threat actor\r\nthey named DragonRank who deploys IIS modules known as BadIIS in order to boost the visibility of particular\r\nwebsites. 
In February 2025 and in April 2025, similar activity was documented by Trend Micro and AhnLab.\r\nIn the latter case, the threat actor used a rootkit to conceal the presence of the IIS module they had installed.\r\nIn recent weeks, several other publications reported the compromise of IIS servers for SEO poisoning, suggesting a\r\ngrowing prevalence of such activity.\r\nInfection chain\r\nOverview\r\nBetween late August and September this year, our product detected compromises of IIS web servers. Our\r\ninvestigation revealed that the attackers first exploited the ASP .NET viewstate to achieve remote code execution,\r\nthen leveraged privilege escalation techniques known as “Potatoes” (EfsPotato and DeadPotato) to create an\r\nadditional “hidden” local administrator ( admin$ ).\r\nThe attackers further dropped a remote access tool (GotoHTTP) to interact with the graphical interface of the\r\ncompromised servers, and ultimately deployed malicious IIS modules (later referred to as “HijackServer”). The\r\nthreat actor relied on pre-packaged tools and scripts to partially automate the process, and tried to conceal the\r\npresence of deployed modules using a rootkit.\r\nThe install process includes a noisy deletion of every single Windows Event log file, which is at odds with the\r\nattempt to conceal the presence of modules using a rootkit.\r\nIn one case (see Fig. 
1), we noticed a failed name resolution during the exploitation process which may have been\r\nan attempt by the attackers to communicate with incident responders.\r\nFigure 1 – Profanity\r\nIn the following section, we further detail the root cause of the IIS server compromises – an issue which we\r\nbelieve affects a significant number of organisations – and later describe the toolset used by the attacker.\r\nInitial infection: it’s not a secret if it has been public for 20 years\r\nAs part of the malicious IIS modules deployment process, the attackers leveraged a script to delete IIS log files in\nthe standard location. However, in both cases we observed, the targeted IIS web applications were set up to save\nlogs in custom locations, so they were still available.\nThe attackers exploited ASP .NET web applications to initially execute ASP payloads on targeted servers. We\ncould not retrieve these payloads, but our security product still provided relevant information. The available logs\nfor corresponding applications included multiple lines of suspicious POST requests at the time the first malicious\nactivities were detected. 
The HTTP requests had various user agents (the client language was set to zh-tw when\nspecified) and targeted the root pages ( / ) of the applications:\n2025-08-21 XX:Y1:46 POST / - 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.2.13)+Geck\n2025-08-21 XX:Y1:48 POST / - 80 - Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_0)+AppleWebKit/537.4+(\n2025-08-21 XX:Y2:08 POST / - 80 - Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.2+(KHTML,+like+Gecko)\n2025-08-21 XX:Y2:10 POST / - 80 - Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_0)+AppleWebKit/537.4+(\n[...]\n2025-08-21 XX:Y4:15 POST / - 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.2.13)+Gecko/\n2025-08-21 XX:Y4:21 POST / - 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.2.13)+Gecko/\n2025-08-21 XX:Y5:04 POST / - 80 - Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0)+ch\nThe only data submission path that existed for such root pages is a default ASP .NET viewstate form:\n\nFurther analysing the configurations of the ASP .NET applications ( Web.config ), we could retrieve the secrets\nthat are used to validate and encrypt the associated viewstates:\nWe were very surprised to find that the said “secrets” were actually examples from an MSDN help page which was\nalready publicly available in 2003:\nFigure 2 – MSDN article originally referencing the exploited encryption secrets\r\nAs we previously mentioned in the Background section, attackers can trivially exploit ASP .NET viewstate\r\ndeserialization to remotely execute code if they know the associated cryptographic secrets.\r\nIt should be noted that this original help page (see Fig. 
2) reads “The directives name, protection, path,\r\nvalidationkey, decryptionKey, and validation in the following example must be identical (unless otherwise noted)”.\r\nThis has likely and unfortunately been applied to the letter by many IIS users for years, as can further be\r\nconfirmed by seeing how many times this configuration snippet was suggested on various public forums, including\r\nStackOverflow.\r\nAttackers’ toolset\r\nAs mentioned before, the attackers relied on pre-packaged tools and scripts to partially automate the infection\r\nprocess. This toolset was initially deployed on a targeted server as a ZIP archive, which is described below.\r\nFilename sys-tw-v1-6-1-clean-log.zip\r\nFile type Zip archive data, at least v2.0 to extract, compression method=store\r\nHash (SHA-256) 7cc8b4206e87788b8403500f37bb8b5cfb71d3c26d49365ccc9c36b688c7428a\r\nThe sys-tw-v1.6.1-clean-log.zip archive contains the following folders and files, some of which are further\r\ndescribed in the following sections; the most recent files are dated August 20, 2025:\r\nin the IIS folder:\r\nx86.dll and x64.dll : 32 and 64-bit malicious IIS modules (HijackServer);\r\ninstall.bat : a script which installs the IIS modules;\r\ninstall_bak.bat and install_bak - \\u00a9\\u2592\\u2592\\u00a5.txt (identical files): install\r\nscript, not used in the cases we observed, possibly an older variant;\r\nhello.bat : install script, not used in the cases we observed, possibly an older variant;\r\nheoo.docx : document listing the same commands as those found in hello.bat ;\r\nuninstall.bat : an uninstall script, which unloads and deletes the IIS modules;\r\nin the x86 folder:\r\nWingtb.sys : 32-bit Windows kernel driver serving as a rootkit;\r\nHidden.inf : setup information file for the driver;\r\nWingtb.cat : catalog file for the driver;\r\nin the x64 folder: the same files as in the x86 folder 
but for a 64-bit variant of the rootkit;\r\nWingtbCLI.exe : a usermode client command-line tool for the included rootkit;\r\nHijackDriverManager.exe : GUI deployment tool intended to ease the install process of the\r\nmalicious IIS modules;\r\nlock.bat : a post-installation script which is run once the IIS modules have been deployed, in order to hide\r\ndeployed files and delete logs.\r\nThe heoo.docx document has a first modification date set to 2024-11-09, and was uploaded to an online\r\nmultiscanner in December 2024, indicating that parts of the same toolkit were likely already in use in late 2024.\r\nThe last modifying user of the Microsoft document is set to 807751673[@]qq.com .\r\nRootkit and associated usermode command-line tool\r\nFilename Wingtb.sys\r\nFile type PE32+ executable (native) x86-64, for MS Windows\r\nCompilation time 2024-11-05 07:33:46 UTC\r\nHash (SHA-256) f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1\r\nThe Wingtb.sys file is a signed Windows kernel driver whose original file name is Winkbj.sys and which\r\nserves as a rootkit. Its companion setup information file ( Hidden.inf ) defines the corresponding service name as\r\n“Wingtb”. An associated usermode command-line tool named WingtbCLI.exe (SHA-256\r\n913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc ) can interact with the driver.\r\nIt appears that both the rootkit and its associated usermode tool are derived from the open-source “Hidden” project.\r\nHidden is mainly aimed at hiding artefacts (such as files, registry keys and processes) from a Windows system, and\r\nmust first be “enabled” (activated) to operate. 
Among the differences observed in our samples, the following\r\nchanges have been made, likely to simplify their use for an operator:\r\nthe names of the commands of the usermode tool have been translated from English to Chinese\r\n(transliterated into the Latin alphabet);\r\nan additional /shanchu command has been included in the usermode tool, and may be intended to delete\r\nfiles and directories – but the corresponding feature is not implemented in our samples of the driver;\r\nlogging messages have been customised in the driver.\r\nThe driver is signed with an expired code-signing certificate which is issued to “Anneng electronic Co. Ltd.”\r\n(thumbprint: 9A6EE51A6A437603ACEE9ADC5F1A5F13329A7E59 ) and was valid from 2013-05-06 00:00:00 to\r\n2014-05-06 23:59:59. However, this certificate meets the requirements that are set by Microsoft for exceptions to its driver\r\nsigning policy, and, as a result, may still be loaded on Windows systems: “Driver was signed with an end-entity\r\ncertificate issued prior to July 29th 2015 that chains to a supported cross-signed CA”.\r\nWe identified more than 400 samples that were signed with the same certificate, most of them being drivers,\r\nincluding 10 samples of the Hidden rootkit. In addition, we also found other samples of the WingtbCLI.exe\r\ncommand-line tool (see Appendix).\r\nGUI deployment tool and associated scripts\r\nFilename HijackDriverManager.exe\r\nFile type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nCompilation time 2099-04-12 16:40:58 UTC\r\nHash (SHA-256) 7260f09e95353781f2bebf722a2f83c500145c17cf145d7bda0e4f83aafd4d20\r\nHijackDriverManager.exe provides a GUI which facilitates the installation (and removal) of the malicious IIS\r\nmodules, as well as the concealment of associated artefacts. 
The tool does so by running scripts and executing\r\na limited subset of the commands that are provided by the rootkit’s usermode command-line tool\r\n( WingtbCLI.exe ). The GUI also offers buttons, text fields and dialogs to browse folders and copy files:\r\nFigure 3 – Main window of the GUI deployment tool\r\nThe 一键部署 (“One-click deployment”) button runs the IIS\\install.bat script to deploy malicious IIS\r\nmodules, while 卸载插件 (“Uninstall the plugin”) runs the IIS\\uninstall.bat script to remove them.\r\n启用保护 (“Enable protection”) enables the rootkit by running the /yinshen on command from WingtbCLI.exe . Prior to this\r\nexecution, it starts the service which is supposedly associated with the driver ( sc.exe start winkbj ) and runs the\r\npost-installation ( lock.bat ) script. However, the name of the service which is associated with the driver has been\r\nchanged in the analyzed toolkit ( wingtb instead of winkbj ), so this sc command will have no effect (but a\r\ncommand in lock.bat will successfully load the driver).\r\nThe 锁定 (“Lock”) button hides a previously selected file by executing the /xiaoshi file \u003cfile-path\u003e command from the rootkit\r\nusermode tool, while the 解锁全部 (“Unlock all”) button stops hiding all previously hidden files by executing /buxiaoshi file\r\nall .\r\n暂停保护 (“Suspend protection”) and 结束保护 (“End protection”) disable the rootkit by running the /yinshen\r\noff command from the usermode tool. In addition, clicking on 结束保护 executes sc.exe stop winkbj to stop\r\nthe service. 
However, as with the hardcoded command which is issued to start the service, this command will have\r\nno effect.\r\nIIS modules installation script\r\nExecuting IIS/install.bat (SHA-256\r\ne6a9bf90accf17355a1f779d480a38838b2bbb2877cde095c7c139e041c50d71 ) performs the following operations:\r\nstop the IIS server (using iisreset /STOP );\r\ndelete IIS log files in their standard location ( C:\\inetpub\\logs\\LogFiles\\ ), in a likely attempt to remove\r\ntraces of the initial infection;\r\ncopy the IIS application configuration ( %windir%\\System32\\inetsrv\\config\\applicationHost.config ) to\r\n%windir%\\SysWOW64\\inetsrv\\Config\\ . This is likely done to ensure the later IIS module installation\r\ncommands work for both the 32 and 64-bit modules regardless of the environment (the installation\r\ncommands will result in modifications of applicationHost.config );\r\ndeploy the malicious IIS modules (HijackServer):\r\ncopy the 32 and 64-bit malicious IIS module files as scripts.dll and caches.dll respectively, in\r\nboth the %windir%\\System32\\inetsrv\\ and %windir%\\SysWOW64\\inetsrv\\ folders;\r\nmodify access control lists (using icacls ) on module files to grant everyone full access to them;\r\ninstall the malicious modules in IIS as ScriptsModule and IsapiCachesModule respectively (using the\r\nappcmd.exe install module command);\r\nprepare the HijackServer working directory:\r\nmodify access control lists (using icacls ) on %windir%\\Temp to grant regular users and IIS users\r\nfull access to it;\r\ncreate C:\\Windows\\Temp\\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C (the working directory for\r\nHijackModule) and modify its access control lists as for %windir%\\Temp ;\r\nset up Windows to store plaintext logon credentials in memory (by setting the UseLogonCredential value\r\nfor the WDigest registry key). 
This might be done to facilitate later attempts to gather credentials from the\r\ncompromised server;\r\nstart the IIS server again (using iisreset ).\r\nIIS modules removal script\r\nExecuting IIS/uninstall.bat (SHA-256\r\na96e1643dedd472e5712282904110ee948592fab722dc87d8f1e7658d3d8449d ) performs the following operations:\r\nstop the IIS server;\r\nuninstall the malicious modules from IIS (using the appcmd.exe uninstall module command);\r\ndelete the 32 and 64-bit malicious IIS module files in both %windir%\\System32\\inetsrv\\ and\r\n%windir%\\SysWOW64\\inetsrv\\ ;\r\nstart the IIS server again.\r\nPost-installation script\r\nRunning the lock.bat (SHA-256 8ed76396e11d1c268b6a80def8b57abacf4ea1ac059838bd858c8587c26b849c )\r\nscript performs the following operations:\r\nload the rootkit, by starting the wingtb service;\r\nhide the following files (by running WingtbCLI.exe /xiaoshi file \u003cfile-path\u003e ):\r\nthe IIS module files as deployed;\r\nthe custom IIS error pages 403.htm , 404.htm and 500.htm (in C:\\inetpub\\custerr\\en-US\\ ).\r\nThose might be replaced by backdoored files in some circumstances, but were not found in the cases\r\nwe observed;\r\nthe IIS applications configuration (as it is modified during the installation of malicious modules),\r\nC:\\Windows\\System32\\inetsrv\\config\\applicationHost.config ;\r\nthe driver file as deployed;\r\nhide the registry key which is associated with the rootkit service (by running WingtbCLI.exe /xiaoshi regkey\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wingtb );\r\nactually enable the rootkit (by running WingtbCLI.exe /yinshen on );\r\ndelete every Windows Event log file ( for /f \"tokens=*\" %%1 in ('wevtutil el') do wevtutil cl\r\n\"%%1\" ).\r\nHijackServer – IIS module\r\nFilenames caches.dll , x64.dll\r\nFile type PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nCompilation time 2025-08-12 
06:23:42\r\nHash (SHA-256) c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2\r\nThis is a malicious module for the IIS server. Its main purpose appears to be SEO for dubious cryptocurrency\r\ninvestment schemes… but it also enables unauthenticated remote command execution, turning it into an easily\r\nactionable backdoor.\r\nOverview\r\nThe module uses HijackServer , Hijackbot and hj-plugin-iis-cpp-v1.6.1 ( hj likely standing for “hijack”)\r\nas its most distinctive internal names – we will accordingly refer to the module as “HijackServer”, and\r\nconsider the analyzed sample to be version 1.6.1.\r\nHijackServer is a “native” IIS module, developed using C++, which hooks all HTTP requests for all applications\n(provided it is a globally installed module) at the very first stage of their processing by the IIS server\n( GL_PRE_BEGIN_REQUEST ). Should global hooking fail, the module registration also hooks requests for the\ncurrent IIS application only, at the request ( RQ_BEGIN_REQUEST ) and response stages ( RQ_SEND_RESPONSE ) –\nwhichever works first.\nThe operators of HijackServer use the content of HTTP requests (URL path, user agent and referer headers) to the\ncompromised IIS server as a command and control (C2) channel. The malicious module is flexible by design, and\nseveral of its features can be controlled by a JSON configuration file, text lists and HTML templates, which are all\ndownloaded from external staging servers ( c.cseo99[.]com , f.fseo99[.]com ). Downloaded files are stored in a\nworking directory ( C:\\Windows\\Temp\\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C\\ ).\nThe main purpose of HijackServer appears to be Google search engine optimisation for questionable\ncryptocurrency-related websites. 
HijackServer answers HTTP requests that come from Google to most¹ URL\npaths on the compromised server with dynamically generated HTML pages.\n[Is KDLYW stock a smart retirement pick](/market-outlook/Is-KDLYW-stock-a-smart-retirement-pick) [Why is MLYS stock going down](/blank/Why-is-MLYS-stock-going-down) [What analysts say about MBAVW stock](/video/What-analysts-say-about-MBAVW-stock) [Should I hold or sell AleAnna, Inc. blank/Can-CCBG-beat-the-S\u0026P-500\"\u003eCan CCBG beat the S\u0026P 500](/bullish-on/Should-I-hold-or-sell-AleAnna-Inc.-Equity-Warrant-now)\nThose HTML pages contain links, anchored on various investment-related sentences, to specifically crafted redirection URLs\non the same compromised server. Those redirection URLs in turn lead to questionable cryptocurrency-related\nwebsites.\n\nIt should be noted that this Google SEO approach seems to be working to some extent, as can be witnessed by\nsearching for some sentences or keywords amongst those that appear in generated SEO HTML pages:\nFigure 4 – Google SEO results\r\nFeatures\r\nHijackServer ultimately offers the following functionalities (which are implemented in distinct C++ classes of a\r\ncommon interface matching the given names):\r\nAffLinkServer: generate SEO HTML pages to answer HTTP requests that come from Google (based on the\r\nUser-Agent header value). HTML pages contain links to redirection URL paths. Each HTML page generation is\r\nlogged to a C2 API endpoint ( api.aseo99[.]com ), using a JSON document.\r\nRedirectServer: generate HTML/JavaScript redirections to external websites, depending on the URL and on whether the referer\r\nof the HTTP request is Google (based on the Referer header value).\r\nUploadServer: file upload and Windows shell command execution capability, which is meant to be exposed\r\nthrough an HTML form ( /mywebdll URL path, see Fig. 
5), and should be password protected – but the shell\r\ncommand execution capability can be triggered without any sort of authentication when bypassing the form\r\n( /scjg URL path).\r\nFigure 5 – File upload form from the IIS HijackServer module\r\nThe UploadServer class can additionally process HTTP requests targeting a /xlb path, by returning an HTML\r\npage which loads a JavaScript from mlxya.oss-accelerate.aliyuncs[.]com (such resource is delivered from\r\nAlibaba's content delivery network). Unfortunately, we could not retrieve the associated payload, if any.\r\nWebdllServer: load and execute ASP .NET payloads from the C:\\inetpub\\wwwroot\\ folder ( /web.dll URL\r\npath). Payloads can be uploaded (as ASP .NET libraries) with the previously described arbitrary file upload\r\ncapability (UploadServer).\r\nHijackServer: management interface for the operators of the module. It is exposed to HTTP requests that use a\r\nspecific User-Agent header value (amongst a set of predefined but dynamically modifiable values). 
It offers the\r\nfollowing features:\r\nretrieving detailed HTTP request and module state information ( /well-known/acme-challenge/\u003cpredefined\r\nbase64 value\u003e or /debug URL paths);\r\nretrieving elementary information about available disk space, version and module status ( /health URL\r\npath);\r\nretrieving the currently implemented configuration ( /conf URL path);\r\ndeleting files that have been stored in the working directory ( /clean URL path, with an additional type\r\nquery parameter to delete all , conf or tmp files).\r\nImplementation details on configuration files\r\nThe downloaded files that are stored in the working directory (including configuration files) are Zlib-compressed\r\n(with 4 additional random bytes before the Zlib header).\r\nConfiguration for a given host is downloaded from hxxps://c.cseo99[.]com/config/\u003chostname\u003e.json , where\r\n\u003chostname\u003e is the hostname (or IP address) that was used to access the underlying application on the\r\ncompromised IIS server. HijackServer attempts to download (and possibly update) the configuration several times\r\nupon failure, and for each HTTP request that is processed – which makes it an incredibly noisy and slow module.\r\nConfiguration files are stored at \u003cworking directory\u003e/conf/\u003cMD5 hash\u003e , where \u003cMD5 hash\u003e is the MD5 hash of\r\n\u003chostname\u003e.json . 
A default configuration is further copied from the first successfully downloaded configuration\r\nfile to \u003cworking directory\u003e/conf/f19ae30a014229b59e40b60ef1b7ee44 , where\r\nf19ae30a014229b59e40b60ef1b7ee44 is the MD5 hash for system.json .\r\nConfiguration files further point to HTML templates and word lists that are hosted at f.fseo99[.]com .\r\nAssociated content is downloaded as needed, and stored under \u003cworking directory\u003e/tmp/ and \u003cworking\r\ndirectory\u003e/remote/ , using MD5 hashes for filenames.\r\nIt should also be noted that in the configuration files we retrieved, all variable names for SEO templates are written in\r\nChinese (for instance: {网页模版} – “Web template”, or {正文内容} – “Main content”).\r\nAdditional samples and likely related variants\r\nOn top of the two files that were provided in the analyzed toolkit, we could identify additional samples of the same\r\nHijackServer module:\r\nHash (SHA-256) Bitness Compilation date Internal version\r\nc348996e27fc14e3dce8a2a476d22e52c6b97bf24dd9ed165890caf88154edd2 32-bit 2025-02-08 1.6.0\r\nbd2de6ca6c561cec1c1c525e7853f6f73bf6f2406198cd104ecb2ad00859f7d3 64-bit 2025-02-08 1.6.0\r\n7a10207a430234b448f692a534cea16d400858c5fdda014c786fbf97127dce88 64-bit 2024-11-25 1.4.0\r\nAll of those samples use iismodrqf.dll as an internal name and Dongtai.pdb as a PDB filename, like the ones\r\nwe analyzed. Most samples use the same configuration staging server as the sample we analyzed\r\n( c.cseo99[.]com ), except for 7a10207a430234b448f692a534cea16d400858c5fdda014c786fbf97127dce88 which\r\nuses f.zseo8[.]com .\r\nWe identified another sample (SHA-256\r\n64d0a4703ec976b0e0db4e193b9ccdf4ef6f34d24c32274579ee028a67bfa3a9 ) which also uses iismodrqf.dll as an\r\ninternal name and implements common features, but is not exactly HijackServer. 
As its compilation date is set to\r\n2024-05-07, we believe with low to medium confidence it is a previous variant of C++ HijackServer, or another\r\nvariant which is based on common source code. We note that this sample is mentioned as a reference in a public\r\nYara rule ( Malware_IIS_Dongtai_Module ) from PwC, along with two other samples which do not appear to be\r\nvariants of HijackServer but also use Dongtai.pdb as a PDB filename.\r\nWe also identified a .NET-developed variant of HijackServer (SHA-256\r\n915441b7d7ddb7d885ecfe75b11eed512079b49875fc288cd65b023ce1e05964 ), which according to its internal version\r\nstring ( hj-iis-cim-v1.6.1 ) matches the version of the C++ sample we initially analyzed. This .NET alternative\r\nalso uses c.cseo99[.]com as a staging server.\r\nLast but not least, we identified a PHP downloader (SHA-256\r\n665234a6627269ba0b3816a6a29ede4fc72d36f34978f5ba1410e63d968d3d62 ) for a PHP version of HijackServer. The\r\nlatter is meant to be deployed on Apache servers with PHP on Windows. PHP HijackServer is loaded from\r\nphp.ini using the PHP auto_prepend_file directive, and is delivered in a Base64-encoded and compressed\r\nform from one of the following URLs:\r\nhxxps://f.zseo8[.]com/uploads/2024-10-24/48c3a008cd9ccfa5fd3bdb69ed6d12ce.txt . This PHP\r\nHijackServer sample (SHA-256 e3bfd9aca49726556f6279aad2ab54ca9c1f0df22bcad27aa7e1ba3234f8eaff )\r\nis internally named “hj-plugin-php-systmp” and is of version “1.2.5”. Its configuration staging server is set\r\nto c.cseo8[.]com , and its C2 API to api.xseo8[.]com (the latter is only used to report the absence of a\r\nconfiguration file).\r\nhxxps://f.zseo8[.]com/uploads/2024-10-24/99749da89ec4d1e3f3179f119f2a955b.txt . This PHP\r\nHijackServer sample (SHA-256 e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850 )\r\nis named “hj-plugin-php-forcehttp” and is of version “1.2.51”. 
It is virtually the same as the previous\r\nsample, except that all communications with staging servers are done using HTTP (instead of HTTPS).\r\nInfrastructure\r\nDomain names of the staging servers of the C++, PHP and .NET variants of HijackServer are all registered with\r\n“Dominet (HK) Limited” (which is a name provider for Alibaba Cloud) or with “Eranet International Limited” in\r\nHong Kong, and point to Cloudflare infrastructure.\r\nDomain Registration Stager resolution (during known activity)\r\ncseo99[.]com 2025-01-02, Dominet (HK) Limited Cloudflare\r\nfseo99[.]com 2025-01-02, Dominet (HK) Limited Cloudflare\r\naseo99[.]com 2025-01-02, Dominet (HK) Limited Cloudflare\r\ncseo8[.]com 2024-08-01, Eranet International Limited Cloudflare\r\nzseo8[.]com 2024-08-01, Eranet International Limited Cloudflare\r\nxseo8[.]com 2024-08-01, Eranet International Limited Cloudflare\r\nError pages that are returned by staging servers that are still online show a next hop behind Cloudflare that is likely\r\nhosted by Alibaba Cloud:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003cError\u003e\r\n \u003cCode\u003eNoSuchKey\u003c/Code\u003e\r\n \u003cMessage\u003eThe specified key does not exist.\u003c/Message\u003e\r\n \u003cRequestId\u003e[REDACTED]\u003c/RequestId\u003e\r\n \u003cHostId\u003ec.cseo99.com\u003c/HostId\u003e\r\n \u003cKey\u003e[REDACTED]\u003c/Key\u003e\r\n \u003cEC\u003e0026-00000001\u003c/EC\u003e\r\n \u003cRecommendDoc\u003ehttps://api.alibabacloud.com/troubleshoot?q=0026-00000001\u003c/RecommendDoc\u003e\r\n\u003c/Error\u003e\r\nWe noticed that the additional staging servers that appear in the possibly related but older HijackServer variant\r\n(SHA-256 64d0a4703ec976b0e0db4e193b9ccdf4ef6f34d24c32274579ee028a67bfa3a9 ) also exhibit similar\r\ncharacteristics:\r\nDomain Registration Stager resolution (during known activity)\r\ngov[.]land 
2024-01-23, Eranet International Limited Cloudflare\r\ncn[.]lol 2023-03-15, Eranet International Limited Cloudflare\r\norg[.]cfd 2023-03-15, Eranet International Limited Cloudflare\r\nFinally, looking for domains which matched a similar name pattern and were registered with the known registrars,\r\nwe identified the following domains. We assess, with medium confidence, that these domains were or will be\r\nleveraged as staging servers for HijackServer:\r\nDomain Registration Possible role\r\nlseo99[.]com 2025-05-30, Dominet (HK) Limited Unknown\r\njseo99[.]com 2025-05-21, Dominet (HK) Limited SEO telemetry/reporting endpoint\r\nwseo99[.]com 2025-01-02, Dominet (HK) Limited Unknown\r\nwseo88[.]com 2024-12-15, Dominet (HK) Limited Unknown\r\nfseo88[.]com 2024-12-15, Dominet (HK) Limited Files stager\r\ncseo88[.]com 2024-12-15, Dominet (HK) Limited Configuration stager\r\naseo88[.]com 2024-12-15, Dominet (HK) Limited Unknown\r\nwseo8[.]com 2024-08-01, Eranet International Limited Unknown\r\nTargets\r\nThe described malicious IIS module (HijackServer) specifically processes HTTP requests with predefined “User-Agent” values and to predefined URLs, but also generates identifiable SEO pages. We looked for such specific\r\nsignatures in the wild in late August and early September, and could reliably identify IIS servers that were\r\ncompromised by HijackServer.\r\nWe identified 171 distinct instances of the HijackServer module, affecting websites on approximately 240 server IP\r\naddresses (see Fig. 6) and 280 domain names. It should be noted that counting “compromised servers” from these\r\nstatistics is not trivial, as a single compromised server with a single HijackServer module can affect multiple\r\nwebsites. 
Conversely, a single server can sometimes be reached through different IP addresses, or through several IIS\r\nreverse proxies which could all be compromised by HijackServer.\r\nFigure 6 – Location of the IP addresses of the compromised servers we identified. The location is\r\nprovided by public databases as of September 2025.\r\nThe oldest instance of HijackServer that we could identify is installed on a server whose IP address is geolocated in\r\nSingapore, and appears to be a legitimate website. The installation date in its configuration is set to 2024 (but the\r\nsame server might still have been compromised before with an older version of the module).\r\nHijackServer does not appear to target any specific vertical and affects very distinct types of websites from various\r\norganisations, including small online shops, personal websites, SMB websites and government websites. This\r\nindicates that compromises might be opportunistic: the threat actor might just be targeting servers that are\r\nvulnerable.\r\nAttribution: similarities with previously reported Larva-25003 activity\r\nThe HijackDriverManager.exe tool provides the user with a GUI in Chinese and allows them to perform the installation\r\nof the IIS modules and to interact with the rootkit. In addition, the command-line tool used to interact with\r\nthe latter, derived from an open-source project, has been adapted to offer commands in Chinese (transliterated into\r\nthe Latin alphabet). For these reasons, we believe that the IIS modules, as well as the helper scripts and tools, are\r\nintended to be distributed to Chinese-speaking users.\r\nWe noticed similarities with the tools used by a threat actor tracked as Larva-25003 by AhnLab following the\r\ncompromise of an IIS web server. In particular, the rootkit we retrieved in the archive left by the threat actor is\r\nidentical to the one mentioned by AhnLab in their blog post from April 30, 2025. 
In addition, the IIS module they\r\ndescribed is similar to the samples we retrieved in the threat actor’s toolset.\r\nHowever, due to limited visibility, we do not know if the same operator is responsible for the intrusion described\r\nby AhnLab and the compromises we observed. We also noticed some differences, such as the use of GotoHTTP for\r\nremote access instead of Gh0st RAT.\r\nConclusion: a pool of initial accesses is now available for exploitation\r\nThe HijackServer deployment cases initially appeared to us as benign, opportunistic and financially motivated\r\ncompromises. Operators with very limited skills used known exploitation techniques and deployed ready-made tools on the IIS servers of a seemingly non-strategic organisation, to facilitate cryptocurrency scams. Our\r\nsecurity product quickly detected the multiple steps of the infection attempts.\r\nFurther analysing the initially identified toolset, we nonetheless discovered several variants of the HijackServer\r\nmodule, as well as an extensive operation which affected hundreds of servers around the world in a relatively short\r\ntimespan. The threat actor also tried to maintain and conceal access to the IIS servers, leveraging a customised\r\nvariant of a publicly available rootkit. The overall operation demonstrates a level of determination and capability\r\nthat is aligned with that of an organisation. The latter could however still largely rely on poorly skilled operators.\r\nWhatever the threat actor’s goal, the operation is effective and leaves hundreds of servers exposed to\r\nunauthenticated and trivial remote command execution, even if the initially exploited vulnerabilities have been\r\npatched. 
Any third party, whether cooperating with the threat actor or not, could now profit from such\r\ncompromises, for espionage or malicious infrastructure development.\r\nWe should remind all IIS server administrators and owners again that it is still of utmost importance to rotate all\r\n“machine keys” of all Internet-facing ASP.NET applications and/or IIS servers. After decades of secret reuse and\r\nrecent secret extractions (notably through the exploitation of SharePoint vulnerabilities), configurations of IIS servers\r\nshould be analyzed to identify suspicious modules.\r\nAppendix: indicators and detection rules\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nHashes (SHA-256)\r\n82b7f077021df9dc2cf1db802ed48e0dec8f6fa39a34e3f2ade2f0b63a1b5788|IIS HijackServer C++ module 1.6.1, x86.dll and\r\nc1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2|IIS HijackServer C++ module 1.6.1, x64.dll and\r\nc348996e27fc14e3dce8a2a476d22e52c6b97bf24dd9ed165890caf88154edd2|IIS HijackServer C++ module 1.6.0\r\nbd2de6ca6c561cec1c1c525e7853f6f73bf6f2406198cd104ecb2ad00859f7d3|IIS HijackServer C++ module 1.6.0\r\n7a10207a430234b448f692a534cea16d400858c5fdda014c786fbf97127dce88|IIS HijackServer C++ module 1.4.0\r\n915441b7d7ddb7d885ecfe75b11eed512079b49875fc288cd65b023ce1e05964|IIS HijackServer .NET module 1.6.1\r\n665234a6627269ba0b3816a6a29ede4fc72d36f34978f5ba1410e63d968d3d62|PHP downloader for Apache HijackServer PHP modu\r\ne3bfd9aca49726556f6279aad2ab54ca9c1f0df22bcad27aa7e1ba3234f8eaff|Apache HijackServer PHP module 1.2.5\r\ne107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850|Apache HijackServer PHP module 1.2.51\r\n7260f09e95353781f2bebf722a2f83c500145c17cf145d7bda0e4f83aafd4d20|GUI deployment tool, HijackDriverManager.exe\r\n8ed76396e11d1c268b6a80def8b57abacf4ea1ac059838bd858c8587c26b849c|Post-installation 
script, lock.bat\r\n913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc|Usermode command-line tool for rootkit, WingtbC\r\n4e24349b61c5af60a5e7f543c86963087ca6d6078378f83c8fe55b36dc6331f4|Usermode command-line tool for rootkit, WinkbjC\r\n5113d2da6cd9f4a4a9123a3547b01250659dcc349c36159ee11b93805ce51105|Usermode command-line tool for rootkit, WinszBuC\r\ne6a9bf90accf17355a1f779d480a38838b2bbb2877cde095c7c139e041c50d71|IIS modules installation script, install.bat\r\ned2c4429cf27e19aa6881d86bc5b42c21470525564fc53be688b9b26c83db766|IIS modules installation script, hello.bat\r\n4c6703c7435759dbe0c889474a5fae4ca86e491ca45887a0dae3fcd4649e79c5|IIS modules installation script, install.bat, i\r\n0d07b8485145e0ea6789570b9ab476d8e1604110a9c45c9c753ef7bc5edfd539|Document listing IIS modules installation comma\r\na96e1643dedd472e5712282904110ee948592fab722dc87d8f1e7658d3d8449d|IIS modules removal script, uninstall.bat\r\nf9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1|Customized Hidden rootkit, Wingtb.sys\r\n88fd3c428493d5f7d47a468df985c5010c02d71c647ff5474214a8f03d213268|Customized Hidden rootkit, Wingtb.sys\r\naf05f1b780a14583887857cb87d697d985ce172abb1d57e4108cac5e5aaca136|Customized Hidden rootkit, Wingtb.sys\r\n83620389548516c74b40f9067ca20b7cc641a243c419d76ab2da87f8fd38e81c|Customized Hidden rootkit, Winkbj.sys.0xc8046ed\r\na8498295ec3557f1bf680a432acf415abf108405063f44d78974a4f27c27dd20|Driver setup information file for rootkit, Hidde\r\nfc16cb7949b0eb8f3ffa329bef753ee21440638c1ec0218c1e815ba49d7646bb|Driver setup information file for rootkit, Hidde\r\n82a1f8abffbd469e231eec5e0ac7e01eb6a83cbeb7e09eb8629bc5cc8ef12899|Driver catalog file for rootkit, Wingtb.cat\r\n13ebf6422fe07392c886c960fafb90ef1ba3561f00eedb121a136e7f6c29c9ee|Driver catalog file for rootkit, Wingtb.cat\r\nPossibly related hashes (SHA-256)\r\n64d0a4703ec976b0e0db4e193b9ccdf4ef6f34d24c32274579ee028a67bfa3a9|Variant of IIS HijackServer C++ module\r\nFile 
paths\r\nC:\\Windows\\System32\\inetsrv\\scripts.dll|IIS HijackServer C++ module\r\nC:\\Windows\\SysWOW64\\inetsrv\\scripts.dll|IIS HijackServer C++ module\r\nC:\\Windows\\System32\\inetsrv\\caches.dll|IIS HijackServer C++ module\r\nC:\\Windows\\SysWOW64\\inetsrv\\caches.dll|IIS HijackServer C++ module\r\nC:\\Windows\\System32\\drivers\\Wingtb.sys|Customized Hidden rootkit\r\nHostnames\r\nc.cseo99[.]com|HijackServer configuration stager\r\nf.fseo99[.]com|HijackServer files stager\r\napi.aseo99[.]com|HijackServer SEO telemetry endpoint\r\nc.cseo8[.]com|HijackServer configuration stager\r\nf.zseo8[.]com|HijackServer files stager\r\napi.xseo8[.]com|HijackServer reporting endpoint\r\nmlxya.oss-accelerate.aliyuncs[.]com|HijackServer JavaScript distribution stager (on legitimate Alibaba CDN)\r\nPossibly related domains\r\ngov[.]land|Staging server in older variant of IIS HijackServer C++ module (early and mid-2024)\r\ncn[.]lol|Staging server in older variant of IIS HijackServer C++ module (early and mid-2024)\r\norg[.]cfd|Staging server in older variant of IIS HijackServer C++ module (early and mid-2024)\r\nlseo99[.]com|Likely HijackServer infrastructure (2025)\r\njseo99[.]com|Likely HijackServer infrastructure (2025)\r\nwseo99[.]com|Likely HijackServer infrastructure (2025)\r\nwseo88[.]com|Likely HijackServer infrastructure (2024)\r\nfseo88[.]com|Likely HijackServer infrastructure (2024)\r\ncseo88[.]com|Likely HijackServer infrastructure (2024)\r\naseo88[.]com|Likely HijackServer infrastructure (2024)\r\nwseo8[.]com|Likely HijackServer infrastructure (2024)\r\nURLs\r\nhxxps://f.zseo8[.]com/uploads/2024-10-24/48c3a008cd9ccfa5fd3bdb69ed6d12ce.txt|Apache HijackServer PHP module\r\nhxxps://f.zseo8[.]com/uploads/2024-10-24/99749da89ec4d1e3f3179f119f2a955b.txt|Apache HijackServer PHP module\r\nYara rules\r\nrule iis_module_hijackserver_native {\r\n meta:\r\n description = \"Matches 
the IIS HijackServer module\"\r\n references = \"TRR251001\"\r\n hash = \"c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2\"\r\n date = \"2025-08-25\"\r\n author = \"HarfangLab\"\r\n context = \"file\"\r\n strings:\r\n $c1 = \".?AVCHttpModule@@\" ascii fullword\r\n $c2 = \".?AVCGlobalModule@@\" ascii fullword\r\n $m1 = \"RegisterModule\" ascii fullword\r\n $s1 = \"hack1234\" ascii\r\n $s2 = \"\u003c!- GP --\u003e\" ascii fullword\r\n $s3 = /\\.cseo\\d{1,3}\\.com\\/config\\// ascii\r\n $s4 = \":(80|443)(?=/|$)\" ascii fullword\r\n $s5 = \"TryCleanTmp:\" ascii\r\n $s6 = \"no excute \" ascii\r\n $s7 = \"\\\\b(\\\\d{1,2})-(\\\\d{1,2})-(\\\\d{4})\\\\b\" ascii fullword\r\n $s8 = \"/Tqpn0tGX550fVwt5D6g4CGWP6\" ascii\r\n $s9 = \"\\\\IISCPP-GM\\\\\" ascii\r\n $s10 = \"\\\\Dongtai.pdb\\x00\" ascii\r\n $s11 = \"_FAB234CD3-09434-88\" ascii\r\n $s12 = \"\u003cinput type='text' name='cmdml' place\" ascii\r\n $s13 = \".?AVHiJackServer@@\" ascii fullword\r\n $s14 = \".?AVWebdllServer@@\" ascii fullword\r\n $s15 = \".?AVAffLinkServer@@\" ascii fullword\r\n condition:\r\n uint16be(0) == 0x4D5A\r\n and filesize \u003e 200KB and filesize \u003c 2MB\r\n and $m1\r\n and (any of ($c*))\r\n and (4 of ($s*))\r\n}\r\nrule iis_module_hijackserver_dotnet {\r\n meta:\r\n description = \"Matches the IIS HijackServer .NET module\"\r\n references = \"TRR251001\"\r\n hash = \"915441b7d7ddb7d885ecfe75b11eed512079b49875fc288cd65b023ce1e05964\"\r\n date = \"2025-10-14\"\r\n author = \"HarfangLab\"\r\n context = \"file\"\r\n strings:\r\n $dotNet = \".NETFramework,Version=\" ascii\r\n $c1 = \"HttpApplication\" ascii fullword\r\n $c2 = \"IHttpModule\" ascii fullword\r\n $s1 = \"YourSecretKey123\" wide fullword\r\n $s2 = \"\u003c!- GP --\u003e\" wide fullword\r\n $s3 = /\\.cseo\\d{1,3}\\.com\\/config\\// wide\r\n $s4 = \":(80|443)(?=/|$)\" wide fullword\r\n $s5 = \"clean?type=all\" wide 
fullword\r\n $s6 = \"DealRequest\" ascii\r\n $s7 = \"\\\\Tiquan\\\\CustomIISModule\\\\\" ascii\r\n $s8 = \"\\\\CustomIISModule.pdb\\x00\" ascii\r\n $s9 = \"\\\\Temp\\\\AcpLogs\\\\conf\\\\\" wide\r\n $s10 = \"RobotTxtServer\" ascii fullword\r\n $s11 = \"HijackServer\" ascii fullword\r\n $s12 = \"WebdllServer\" ascii fullword\r\n $s13 = \"AffLinkServer\" ascii fullword\r\n condition:\r\n uint16be(0) == 0x4D5A\r\n and filesize \u003e 200KB and filesize \u003c 2MB\r\n and $dotNet\r\n and (all of ($c*))\r\n and (4 of ($s*))\r\n}\r\nrule apache_module_hijackserver_php_decoded {\r\n meta:\r\n description = \"Matches the decompressed and decoded Apache HijackServer PHP module\"\r\n references = \"TRR251001\"\r\n hash = \"e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850\"\r\n date = \"2025-10-15\"\r\n author = \"HarfangLab\"\r\n context = \"file\"\r\n strings:\r\n $php = /\\$_SERVER\\[\\s*['\"]PHP_SELF['\"]\\s*\\]/ ascii wide fullword\r\n $s1 = \"hj_clean_cache_dir\" ascii wide fullword\r\n $s2 = \"hj_get_file_content\" ascii wide fullword\r\n $s3 = \"\\\"清理目录空间 目录:\\\"\" ascii wide fullword\r\n $s4 = \"'/:(80|443)$/'\" ascii wide fullword\r\n $s5 = \"isCleanRequest()\" ascii wide fullword\r\n $s6 = \"shuffle_file_current_line\" ascii wide fullword\r\n $s7 = \"self::replaceAffLinkUrl\" ascii wide fullword\r\n $s8 = \"/Tqpn0tGX550fVwt5D6g4CGWP6\" ascii wide\r\n $s9 = \"HJ_CONFIG_URL_FORMAT\" ascii wide fullword\r\n $s10 = \"HJ_DEFAULT_LOCAL_LINK_NUM\" ascii wide fullword\r\n $s11 = \"renderHealthCheck\" ascii wide fullword\r\n $s12 = \"renderRedirect\" ascii wide fullword\r\n $s13 = \"renderAffLink\" ascii wide fullword\r\n condition:\r\n filesize \u003e 50KB and filesize \u003c 600KB\r\n and $php\r\n and (4 of ($s*))\r\n}\r\nrule apache_module_hijackserver_php {\r\n meta:\r\n description = \"Matches the encoded Apache HijackServer PHP module\"\r\n references = 
\"TRR251001\"\r\n hash = \"e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850\"\r\n date = \"2025-10-15\"\r\n author = \"HarfangLab\"\r\n context = \"file\"\r\n strings:\r\n $s1 = \"\\\"display_errors\\\"\" ascii wide fullword\r\n $s2 = /\\$code\\s*=\\s*['\"]eJztvWl7XMXRMPydX3GsKJmRGS22sQF5IbIkYwVZ/ ascii wide\r\n $s3 = /eval\\(\\s*gzuncompress\\(\\s*base64_decode\\(\\s*\\$code\\s*\\)\\s*\\)\\s*\\);/ ascii wide nocase fullword\r\n condition:\r\n filesize \u003e 10KB and filesize \u003c 200KB\r\n and (all of them)\r\n}\r\nrule wingtb_rootkit {\r\n meta:\r\n description = \"Matches the customized Hidden rootkit, Wingtb.sys.\"\r\n references = \"TRR251001\"\r\n hash = \"f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1\"\r\n hash = \"88fd3c428493d5f7d47a468df985c5010c02d71c647ff5474214a8f03d213268\"\r\n date = \"2025-10-15\"\r\n author = \"HarfangLab\"\r\n context = \"file\"\r\n strings:\r\n $a1 = \"\\\\Device\\\\WinkbjDamen\" wide fullword\r\n $a2 = \"\\\\DosDevices\\\\WinkbjDamen\" wide fullword\r\n $s1 = \"Kbj_Zhuangtai\" wide fullword\r\n $s2 = \"Kbj_YinshenMode\" wide fullword\r\n $s3 = \"Kbj_WinkbjFsDirs\" wide fullword\r\n $s4 = \"Kbj_WinkbjFsFiles\" wide fullword\r\n $s5 = \"Kbj_WinkbjRegKeys\" wide fullword\r\n $s6 = \"Kbj_WinkbjRegValues\" wide fullword\r\n $s7 = \"Kbj_FangxingImages\" wide fullword\r\n $s8 = \"Kbj_BaohuImages\" wide fullword\r\n $s9 = \"Kbj_WinkbjImages\" wide fullword\r\n $pdb = \"D:\\\\DriverSpace\\\\hidden\\\\x64\\\\Release\\\\Winkbj.pdb\" fullword\r\n condition:\r\n uint16be(0) == 0x4d5a and\r\n filesize \u003c 1MB and\r\n ((1 of ($a*) and 6 of ($s*)) or $pdb)\r\n}\r\nrule wingtb_rootkit_commandline_tool_wingtbcli {\r\n meta:\r\n description = \"Matches the usermode command-line tool for rootkit, WingtbCLI.exe.\"\r\n references = \"TRR251001\"\r\n hash = 
\"913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc\"\r\n date = \"2025-10-15\"\r\n author = \"HarfangLab\"\r\n context = \"file\"\r\n strings:\r\n $s1 = \".?AVCommandUnignore@@\" fullword\r\n $s2 = \".?AVCommandUnprotect@@\" fullword\r\n $s3 = \".?AVCommandYinshen@@\" fullword\r\n $s4 = \"System\\\\CurrentControlSet\\\\Services\\\\Wingtb\" wide fullword\r\n $s5 = \"/buxiaoshi\" wide fullword\r\n $s6 = \"/fangxing\" wide fullword\r\n $s7 = \"/bufangxing\" wide fullword\r\n $s8 = \"/bubaohu\" wide fullword\r\n $s9 = \"/zhuangtai\" wide fullword\r\n $s10 = \"/yinshen\" wide fullword\r\n $s11 = \"Kbj_ShanchuFile\" wide fullword\r\n $s12 = \"Kbj_ShanchuDir\" wide fullword\r\n $s13 = \"Kbj_WinkbjRegValues\" wide fullword\r\n $s14 = \"Kbj_FangxingImages\" wide fullword\r\n $s15 = \"Kbj_Zhuangtai\" wide fullword\r\n $s16 = \"\\\\\\\\.\\\\WinkbjDamen\" wide fullword\r\n $pdb = \"D:\\\\DriverSpace\\\\hidden\\\\x64\\\\Release\\\\HiddenCLI.pdb\" fullword\r\n condition:\r\n uint16be(0) == 0x4d5a and\r\n filesize \u003c 1MB and\r\n (8 of ($s*) or $pdb)\r\n}\r\nSource: https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/"
	],
	"report_names": [
		"rudepanda-owns-iis-servers-like-2003"
	],
	"threat_actors": [
		{
			"id": "0e62ad61-c51d-460e-a587-b11d17bb2fb3",
			"created_at": "2024-10-04T02:00:04.754794Z",
			"updated_at": "2026-04-10T02:00:03.712878Z",
			"deleted_at": null,
			"main_name": "DragonRank",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonRank",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c87a06d6a9c0f5827422db2d32a8125f8293fe2.pdf",
		"text": "https://archive.orkl.eu/3c87a06d6a9c0f5827422db2d32a8125f8293fe2.txt",
		"img": "https://archive.orkl.eu/3c87a06d6a9c0f5827422db2d32a8125f8293fe2.jpg"
	}
}