{
	"id": "67519974-c91d-4a63-914b-98d9285a9e1f",
	"created_at": "2026-04-06T00:19:39.845668Z",
	"updated_at": "2026-04-10T03:20:39.458469Z",
	"deleted_at": null,
	"sha1_hash": "4901caea5495abef031dea9396d11615d64876a5",
	"title": "IISpy: A complex server-side backdoor with anti-forensic features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422018,
	"plain_text": "IISpy: A complex server-side backdoor with anti-forensic features\r\nBy Zuzana Hromcová\r\nArchived: 2026-04-05 16:13:43 UTC\r\nESET researchers have discovered and analyzed a previously undocumented backdoor, implemented as an\r\nextension for Internet Information Services (IIS), Microsoft’s web server software. The backdoor, which we\r\nnamed IISpy, uses a variety of tricks to interfere with the server’s logging and to evade detection, in order to\r\nperform long-term espionage. IISpy is detected by ESET security solutions as Win{32,64}/BadIIS.\r\nThis blogpost is the second installment in our series where ESET researchers put IIS web server threats under the\r\nmicroscope – the other parts discuss IIS malware used for cybercrime and SEO fraud, respectively. For a\r\ncomprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of\r\nnative IIS malware, where IISpy is featured as one of the studied families (Group 7).\r\nAttack overview\r\nAccording to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy\r\nPotato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool.\r\nWe suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy\r\nPotato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.\r\nAccording to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the\r\nNetherlands – but this is likely not the full picture, as it is still common for administrators to not use any security\r\nsoftware on servers, and thus our visibility into IIS servers is limited.\r\nBecause IISpy is configured as an IIS extension, it can see all the HTTP requests received by the compromised IIS\r\nserver, and shape the HTTP response that the server will answer with. 
IISpy uses this channel to implement its\r\nC\u0026C communication, which allows it to operate as a passive network implant. As shown in Figure 1, the operator\r\n(not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The\r\nbackdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies\r\nthe HTTP response to include the command output.\r\nThe following backdoor commands are supported:\r\nGet system information\r\nUpload/download files\r\nExecute files or shell commands\r\nCreate a reverse shell\r\nCreate/list/move/rename/delete files and folders\r\nCreate a mapping between a local and a remote drive\r\nExfiltrate collected data\r\nhttps://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/\r\nPage 1 of 12\n\nIISpy ignores all other HTTP requests sent to the compromised IIS server by its legitimate visitors – of course,\r\nthese are still handled by the benign server modules.\r\nFigure 1. IISpy backdoor control mechanism\r\nNetwork communication\r\nThe control requests from IISpy’s operators have a predefined structure, with a specific (hidden) relationship\r\nbetween the Cookie and Host headers, and the URL. To identify such requests, IISpy first computes the MD5 hash\r\nof both the URL and Host header of an inbound HTTP request, and splits each MD5 into four double words:\r\n\u003ch0\u003e\u003ch1\u003e\u003ch2\u003e\u003ch3\u003e = md5(Host Header value)\r\n\u003cr0\u003e\u003cr1\u003e\u003cr2\u003e\u003cr3\u003e = md5(Raw URL value)\r\nThen, it verifies that the Cookie header contains a substring built from these values:\r\n\u003cr1\u003e\u003ch2\u003e=\u003ch3\u003e\u003cr2\u003e\u003cr3\u003e\u003cr0\u003e\u003ch0\u003e\u003ch1\u003e\r\nFigure 2 illustrates how this substring is assembled. Backdoor commands are embedded in the HTTP body,\r\nAES‑CBC encrypted and base64 encoded.\r\nFigure 2. 
IISpy control HTTP request format\r\nNote that this structure of control requests is unique to IISpy: all the other known IIS backdoors (that we have\r\ndocumented in our white paper Anatomy of native IIS malware) are controlled by hardcoded passwords, specific\r\nURIs or custom HTTP headers. As opposed to those “secrets”, IISpy’s control requests are more difficult to\r\nfingerprint and find in logs, which is an attempt to keep its C\u0026C communication unnoticed.\r\nAnother such trick is used for the other side of the communication: IISpy embeds its encrypted and encoded\r\nresponse within a fake PNG image, between the PNG file headers as a TEXT or BLOB chunk. To reply to a\r\ncontrol HTTP request, IISpy replaces the original HTTP response body (sent by the IIS server) with the fake PNG\r\nfile, and sets the Content-Type header to image/png to give more credibility to this charade.\r\nBoth sides of the C\u0026C communication are AES-CBC encrypted and base64 encoded, using these parameters:\r\nEncryption key: DA1F8BE19D9122F6499D72B90299CAB080E9D599C57E802CD667BF53CCC9EAB2\r\nIV: 668EDC2D7ED614BF8F69FF614957EF83EE\r\nTechnical analysis\r\nFrom the technical standpoint, IISpy is implemented as a native IIS module – a C++ DLL deployed in the\r\n%windir%\\system32\\inetsrv\\ or the %windir%\\SysWOW64\\inetsrv folder on the compromised IIS server, under\r\nthe name cache.dll or logging.dll.\r\nIISpy is configured as an IIS extension in the %windir%\\system32\\inetsrv\\config\\ApplicationHost.config\r\nconfiguration file, and so it is loaded automatically by the IIS Worker Process (w3wp.exe), which handles all\r\nrequests sent to the IIS web server. 
As far as execution and persistence go, configuring IISpy as an IIS module\r\nitself checks all the boxes – all that’s left to implement inside the malicious module is the actual request\r\nprocessing (and as a bonus, a few anti-detection and anti-forensic tricks). We cover both in this section.\r\nModule design\r\nIISpy is written using the IIS C++ API, and uses instances of IHttpContext, IHttpRequest and IHttpResponse\r\ninterfaces to parse HTTP requests and manipulate the HTTP responses.\r\nAs required by all native IIS modules, it exports a function called RegisterModule, where it creates an instance of\r\nits core classes and registers their methods for server events using the\r\nIHttpModuleRegistrationInfo::SetRequestNotifications method, as shown in Figure 3.\r\nFigure 3. IISpy's RegisterModule export\r\nIISpy’s core class is inherited from CHttpModule and, as seen in Figure 4, overrides three of its methods – event\r\nhandlers for the server events:\r\nOnBeginRequest is called every time the server starts processing a new HTTP request, and IISpy uses this\r\nhandler to parse it in search of attacker requests\r\nOnEndRequest, called at the last step of the HTTP request-processing pipeline, implements IISpy’s\r\nbackdoor interpreter\r\nOnLogRequest, called right before the IIS server logs a processed HTTP request, implements IISpy’s anti-logging feature\r\nIISpy registers these handlers with the highest priority (via the\r\nIHttpModuleRegistrationInfo::SetPriorityForRequestNotification API). Since several IIS modules (malicious and\r\nregular) can be registered for the same event, this ensures that IISpy’s handler will be executed before any other\r\nhandlers registered for the same event.\r\nFigure 4. 
IISpy's core class implements three event handlers\r\nBackdoor commands\r\nIn its OnEndRequest handler, IISpy decrypts the HTTP body of an attacker’s request and extracts its parameters,\r\nwhich are organized as key-value pairs and listed in Table 1.\r\nTable 1. IISpy attacker request parameters\r\nKey | Value\r\n/mode | Command type\r\n/action | Command\r\n/path, /binary, /data, … | Command arguments (see Table 2 for full list)\r\n/credential/username | Local user username, used for impersonation\r\n/credential/password | Local user password, used for impersonation\r\nIf the credentials are present, IISpy uses them to log in as the user (via LogonUserW, ImpersonateLoggedOnUser)\r\nto execute the backdoor commands in the user’s context. The backdoor commands and arguments are also\r\norganized as nested key-value pairs, as listed in Table 2.\r\nTable 2. IISpy backdoor commands and arguments\r\nCommand type (/mode value) | Command (/action value) | Arguments (key names) | Command description | Returned data (map structure or description)\r\ninit | N/A | N/A | Collects basic system information: computer name and domain, username and domain, logical drives information. | /computer/domain, /computer/name, /user/domain, /user/name, /- (/name, /type)\r\nfile | list | /path | Collects information about the files in the specified folder. | /- (/name, /attr, /size, /create, /access, /write)\r\nfile | get | /path, /binary | Downloads the file with the specified name from the compromised IIS server. | The contents of the file, encrypted and embedded within a fake PNG image (a PNG header followed by non-image data).\r\nfile | create | /path, /directory, /data | Creates a new file or directory in the specified path. Optional /data argument can hold the file content. | /- (/file, /attr, /size, /create, /access, /write)\r\nfile | upload | /path, /data | Uploads a file with the specified name to the compromised server. The /data entry contains base64-encoded file content. | /- (/file, /attr, /size, /create, /access, /write)\r\nfile | delete | /path, /files (/name, /attr) | Deletes the list of files/directories in the given path. | /files (/code, /name)\r\nfile | move | /path, /dest, /copy, /files (/name, /new) | Copies or renames files from the list, from the source directory to the destination directory. | /files (/code, /name)\r\nfile | time | /path, /create, /access, /write | Modifies file timestamps. | N/A\r\ndrive | map | /letter, /share, /username, /password | Creates a mapping between a local and a remote drive, using the specified credentials for the network resource. | N/A\r\ndrive | remove | /letter | Removes an existing drive mapping. | N/A\r\ncmd | exec | /cmd | Executes the specified command, either under the context of the current user, or the user provided in arguments. Returns the command output. | /output\r\nAfter executing the backdoor command, IISpy encrypts and encodes its return data and uses it to modify the\r\nHTTP response to the attacker’s request. 
The return data is also organized as key-value pairs, with the entries\r\nlisted in Table 2, plus two additional entries based on the GetLastError result (or custom error messages):\r\n/error/code\r\n/error/message\r\nAnti-logging feature\r\nFinally, IISpy implements the OnLogRequest event handler – called right before the IIS server logs a processed\r\nHTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to\r\nmake them look like casual requests. As shown in Figure 5, these steps are taken:\r\nRewrite the HTTP method in the request to GET\r\nRewrite the URL from the request to /\r\nDelete these headers from the request: Cookie, Origin, Referer, Sec-Fetch-Mode, Sec-Fetch-Site, Content-Type, Content-Length, X-Forwarded-IP, X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto\r\nWith the log entries modified this way, the attackers attempt to further hide traces of their malicious activities, to\r\nmake potential forensic analysis more difficult.\r\nFigure 5. IISpy modifies log entries for attacker requests\r\nConclusion\r\nIISpy is a complex server-side backdoor misusing the extensibility of IIS web server software for its persistence,\r\nexecution and C\u0026C mechanisms. With its tricks to blend in with the regular network traffic, and to clear\r\nincriminating logs, it is designed for long-term espionage on compromised IIS servers.\r\nOrganizations that handle sensitive data on their servers should be on the lookout, such as organizations that have\r\nthe Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS,\r\nand makes an interesting target for espionage. 
In any case, the best way to keep IISpy out of your servers is to\r\nkeep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server\r\nexploitation.\r\nAdditional technical details on the malware, Indicators of Compromise and YARA rules can be found in our\r\ncomprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the\r\nsubject, contact us at: threatintel@eset.com.\r\nRead also:\r\nAnatomy of native IIS malware\r\nIIStealer: A server‑side threat to e‑commerce transactions\r\nIISerpent: Malware‑driven SEO fraud as a service\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/BadIIS.F\r\nWin64/BadIIS.U\r\nSHA-1\r\n22F8CA2EB3AF377E913B6D06B5A3618D294E4331\r\n435E3795D934EA8C5C7F4BCFEF2BEEE0E3C76A54\r\nCED7BC6E0F1A15465E61CFEC87AAEF98BD999E15\r\nFilenames\r\ncache.dll\r\nlogging.dll\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 9 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1587.001 | Develop Capabilities: Malware | IISpy is a custom-made malware family.\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | Operators of IISpy have used Juicy Potato, a local privilege escalation tool.\r\nInitial Access | T1190 | Exploit Public-Facing Application | IISpy likely obtains its initial access to the IIS server via some vulnerability in the web application or on the server, before it uses the privilege escalation tool Juicy Potato to obtain the administrative privileges that are required to install a native IIS module.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | IISpy supports a backdoor command that uses the Windows command shell to execute shell commands on the compromised IIS server.\r\nExecution | T1569.002 | System Services: Service Execution | IIS server (and by extension, IISpy) persists as a Windows service.\r\nPersistence | T1546 | Event Triggered Execution | IISpy is loaded by IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request.\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation | Operators of IISpy have used a local privilege escalation tool Juicy Potato to elevate privileges.\r\nDefense Evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | IISpy has the ability to execute backdoor commands in another user’s context (via LogonUserW, ImpersonateLoggedOnUser).\r\nDefense Evasion | T1070 | Indicator Removal on Host | IISpy has the ability to sanitize logging of attacker requests on the IIS server.\r\nDefense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | IISpy supports a backdoor command to modify file timestamps.\r\nCollection | T1005 | Data from Local System | IISpy supports a backdoor command to collect and exfiltrate files from the compromised IIS server.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | IISpy is a passive network implant: adversaries send HTTP requests to the compromised IIS server to control the backdoor.\r\nCommand and Control | T1001 | Data Obfuscation | IISpy operators send commands with a specially constructed combination of URLs, Host headers and cookies. IISpy exfiltrates data in a fake PNG file (a PNG header followed by non-image data), in an attempt to make its C\u0026C traffic look like regular network traffic.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | IISpy encodes the C\u0026C communication with base64 encoding.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | IISpy uses AES-CBC to encrypt C\u0026C communication.\r\nCommand and Control | T1105 | Ingress Tool Transfer | IISpy supports a backdoor command to upload additional tools to the compromised IIS server.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | IISpy supports a backdoor command to exfiltrate data and files from the compromised IIS server.\r\nSource: https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/"
	],
	"report_names": [
		"iispy-complex-server-side-backdoor-antiforensic-features"
	],
	"threat_actors": [],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4901caea5495abef031dea9396d11615d64876a5.pdf",
		"text": "https://archive.orkl.eu/4901caea5495abef031dea9396d11615d64876a5.txt",
		"img": "https://archive.orkl.eu/4901caea5495abef031dea9396d11615d64876a5.jpg"
	}
}