{
	"id": "2308d3ee-95a5-4a83-9ad8-5b8eabe9b247",
	"created_at": "2026-04-06T00:13:11.930857Z",
	"updated_at": "2026-04-10T13:12:28.163176Z",
	"deleted_at": null,
	"sha1_hash": "d4864dab4d59af90820d8f79a9a9400c7bac54e0",
	"title": "Anatomy of native IIS malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 746888,
	"plain_text": "Anatomy of native IIS malware\r\nBy Zuzana Hromcová and Anton Cherepanov\r\nArchived: 2026-04-05 17:39:20 UTC\r\nESET researchers have discovered a set of previously undocumented malware families, implemented as malicious\r\nextensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on\r\nand tampering with the server’s communications.\r\nAlong with a complete breakdown of the newly discovered families, our new paper, Anatomy of native IIS malware,\r\nprovides a comprehensive guide to help fellow security researchers and defenders detect, dissect and mitigate this class of\r\nserver-side threats. In this blogpost, we summarize the findings of the white paper.\r\nToday, we are also launching a series of blogposts where we introduce the most notable of the newly discovered IIS malware\r\nfamilies, as case studies of how this type of malware is used for cybercrime, cyberespionage and SEO fraud.\r\nThe findings of our IIS malware research were first presented at Black Hat USA 2021 and will also be shared with the\r\ncommunity at the Virus Bulletin 2021 conference on October 8th.\r\nIIS is Microsoft Windows web server software with an extensible, modular architecture that, since v7.0, supports two types\r\nof extensions – native (C++ DLL) and managed (.NET assembly) modules. Focusing on malicious native IIS modules, we\r\nhave found over 80 unique samples used in the wild and categorized them into 14 malware families – 10 of which were\r\npreviously undocumented. 
ESET security solutions detect these families as Win{32,64}/BadIIS and Win{32,64}/Spy.IISniff.\r\nHow IIS malware operates\r\nIIS malware is a diverse class of threats used for cybercrime, cyberespionage, and SEO fraud – but in all cases, its main\r\npurpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some\r\nof) these requests.\r\nWith the default installation, IIS itself is persistent, so there is no need for extension-based IIS malware to implement\r\nadditional persistence mechanisms. Once configured as an IIS extension, the malicious IIS module is loaded by the IIS\r\nWorker Process (w3wp.exe), which handles requests sent to the server – this is where IIS malware can interfere with the\r\nrequest processing.\r\nWe identified five main modes in which IIS malware operates, as illustrated in Figure 1:\r\nIIS backdoors allow their operators to remotely control the compromised computer with IIS installed\r\nIIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate\r\nvisitors, to steal information such as login credentials and payment information. Using HTTPS doesn’t prevent this\r\nattack, as IIS malware can access all data handled by the server – which is where the data is processed in its\r\nunencrypted state.\r\nIIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content\r\nIIS proxies turn the compromised server into an unwitting part of the C\u0026C infrastructure for another malware family,\r\nand misuse the IIS server to relay communication between victims of that malware and the real C\u0026C server\r\nSEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the\r\nranking for other websites of interest to the attackers\r\nhttps://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/\r\nPage 1 of 8\n\nFigure 1. 
Overview of IIS malware mechanisms\r\nAll of these malware types are discussed at length in the paper.\r\nHow (and where) it spreads\r\nNative IIS modules have unrestricted access to any resource available to the server worker process – thus, administrative\r\nrights are required to install native IIS malware. This considerably narrows down the options for the initial attack vector. We\r\nhave seen evidence for two scenarios:\r\nIIS malware spreading as a trojanized version of a legitimate IIS module\r\nIIS malware spreading through server exploitation\r\nFor example, between March and June 2021, we detected a wave of IIS backdoors spread via the Microsoft Exchange pre-authentication RCE vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065),\r\naka ProxyLogon. Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is\r\nused to implement OWA, these were a particularly interesting target for espionage.\r\nAfter our colleagues reported the first such case in March 2021, we detected four more campaigns of various IIS\r\nbackdoors spreading to Microsoft Exchange servers through the same vulnerability. To complement our telemetry, we have\r\nperformed internet-wide scans to detect the presence of these backdoors, which allowed us to identify and notify other\r\nvictims of the malware.\r\nFigure 2 shows the geographical locations of servers affected by these five campaigns, using data from our telemetry and\r\ninternet-wide scans.\r\nFigure 2. 
Victims of native IIS backdoors spread via the ProxyLogon vulnerability chain\r\nThe following entities were among the victims:\r\nGovernment institutions in three countries in Southeast Asia\r\nA major telecommunications company in Cambodia\r\nA research institution in Vietnam\r\nDozens of private companies in a range of industries, located mostly in Canada, Vietnam and India, and others in the\r\nUSA, New Zealand, South Korea, and other countries\r\nNote that while IIS backdoors may be well-suited for spying on high-profile mailboxes, victims of IIS malware are not\r\nlimited to compromised servers – all legitimate visitors of the websites hosted by these servers are potential targets, as the\r\nmalware can be used to steal sensitive data from the visitors (IIS infostealers) or serve malicious content (IIS injectors).\r\nPlease refer to the full white paper for the details on the targets of the other analyzed IIS families.\r\nThe insides of native IIS malware\r\nFrom the technical perspective, all types of native IIS malware are implemented as dynamic-link libraries (DLLs), written\r\nusing the IIS C++ API. Any such DLL must:\r\nImplement a class inherited from either the CHttpModule or CGlobalModule class (or both), and override a number\r\nof that class’s methods (event handlers)\r\nExport the RegisterModule function, which is the library entry point, responsible for creating the instances of these\r\nclasses and registering the implemented handlers for server events, as illustrated in Figure 3.\r\nFigure 3. A typical RegisterModule function of native IIS malware\r\nServer events refer to the steps that the IIS server takes during request processing (see Figure 4), but also to other actions\r\ntaken by the server (for example, sending an HTTP response). 
These events generate event notifications, which are handled\r\nby event handlers implemented in the server’s modules (see Figure 5).\r\nFigure 4. HTTP request-processing pipeline in IIS\r\nIn short, the event handlers (or the methods of IIS module core classes) are where the IIS malware functionality is\r\nimplemented and where reverse engineers should focus their analysis. For a deep dive into IIS malware essentials and\r\nhow to analyze such binaries, refer to the Anatomy of native IIS malware section of our white paper.\r\nFigure 5. Event handlers: methods of the module classes, CHttpModule and CGlobalModule\r\nNetwork communication\r\nA notable feature of IIS malware is how it communicates with its operators. Malicious IIS modules, especially IIS\r\nbackdoors, don’t usually create new connections to their C\u0026C servers. They work as passive implants, allowing the\r\nattackers to control them by providing some “secret” in an HTTP request sent to the compromised IIS web server. That’s\r\nwhy IIS backdoors usually have a mechanism to recognize attacker requests that are used to control the server and have a\r\npredefined structure, such as:\r\nURL or request body matching a specific regex\r\nA specific custom HTTP header present\r\nAn embedded token (in the URL, request body or one of the headers) matching a hardcoded password\r\nA hash value of an embedded token matching a hardcoded value\r\nA more complex condition – for example, a relationship between all of the above\r\nFigure 6. Passive C\u0026C communication channel (IIS backdoors)\r\nOn the other hand, some IIS malware categories do implement an alternative C\u0026C channel – using protocols such as HTTP\r\nor DNS – to obtain the current configuration on the fly. 
For example, an IIS injector contacts its C\u0026C server every time\r\nthere is a new request from a legitimate visitor of the compromised website, and uses the server response to modify the\r\ncontent served to that visitor (for example, to inject malicious code or adware).\r\nFigure 7. Alternative C\u0026C communication mechanism (IIS injectors)\r\nTable 1 summarizes how the C\u0026C channels, as well as other notable techniques, are implemented by the 14 analyzed IIS\r\nmalware families.\r\nTable 1. Summary of obfuscations implemented, and functionalities supported by analyzed IIS malware families\r\nColumns: functionality (Backdoor, Infostealer, Proxy, SEO fraud, Injector); C\u0026C channel (attacker request verification, e.g. specific header present, specific URI, query string parameter; encryption/encoding; alternative channel protocol); detection evasion and obfuscation techniques.\r\nGroup | Backdoor | Infostealer | Proxy | SEO fraud | Injector | Attacker request verification | Encryption/encoding | Alternative channel protocol | Detection evasion and obfuscation techniques\r\nGroup 1 | ✅ | ✅ | ❌ | ❌ | ❌ | HTTP header with hardcoded password | base64 | ❌ | (cut off in source)\r\nGroup 2 | ✅ | ❌ | ❌ | ❌ | ❌ | HTTP header with hardcoded password | RSA + AES-CBC | ❌ | ❌\r\nGroup 3 | ✅ | ❌ | ❌ | ❌ | ❌ | HTTP header present | base64 | ❌ | ❌\r\nGroup 4 | ✅ | ❌ | ❌ | ❌ | ❌ | HTTP header with hardcoded password | XOR + base64 | ❌ | Anti-logging\r\nGroup 5 | ❌ | ✅ | ❌ | ❌ | ❌ | URI and HTTP header with hardcoded password | ❌ | ❌ | String stacking\r\nGroup 6 | ❌ | ✅ | ❌ | ❌ | ❌ | Query string parameter | ❌ | ❌ | ❌\r\nGroup 7 | ✅ | ❌ | ❌ | ❌ | ❌ | Relationship between HTTP headers, HTTP body format | AES-CBC | ❌ | Anti-logging\r\nGroup 8 | ✅ | ❌ | ❌ | ❌ | ❌ | HTTP header with hardcoded password | ❌ | ❌ | ❌\r\nGroup 9 | ❌ | ❌ | ✅ | ✅ | ❌ | No support for attacker requests | ❌ | HTTP | Encrypted strings (XOR ...)\r\nGroup 10 | ❌ | ❌ | ❌ | ✅ | ❌ | No support for attacker requests | ❌ | HTTP to obtain JavaScript config | ❌\r\nGroup 11 | ✅ | ❌ | ✅ | ✅ | ✅ | HTTP header with hardcoded password | ❌ | DNS TXT to obtain config, HTTP for C\u0026C | String encryption (ADD 0x02)\r\nGroup 12, variant A | ✅ | ❌ | ✅ | ✅ | ✅ | HTTP header with password whose MD5 hash is hardcoded | ❌ | HTTP | String encryption (ADD 0x01)\r\nGroup 12, variant B | ✅ | ❌ | ❌ | ✅ | ✅ | HTTP header with password whose MD5 hash is hardcoded | ❌ | HTTP | UPX packing\r\nGroup 12, variant C | ❌ | ❌ | ❌ | ✅ | ❌ | No support for attacker requests | ❌ | HTTP | String encryption (XOR 0x0C)\r\nGroup 13 | ✅ | ❌ | ❌ | ✅ | ❌ | Query string parameter | ❌ | HTTP | ❌\r\nGroup 14 | ❌ | ❌ | ❌ | ✅ | ✅ | No support for attacker requests | ❌ | HTTP | ❌\r\n
Mitigation\r\nSince native IIS modules can only be installed with administrative privileges, the attackers first need to obtain elevated\r\naccess to the IIS server. The following recommendations could help make their work harder:\r\nUse dedicated accounts with strong, unique passwords for the administration of the IIS server. Require multifactor\r\nauthentication (MFA) for these accounts. Monitor the usage of these accounts.\r\nRegularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of\r\nserver exploitation.\r\nConsider using a web application firewall, and/or endpoint security solution on your IIS server.\r\nNative IIS modules have unrestricted access to any resource available to the server worker process; you should only\r\ninstall native IIS modules from trusted sources to avoid downloading their trojanized versions. 
Be especially aware of\r\nmodules promising too-good-to-be-true features such as magically improving SEO.\r\nRegularly check the IIS server configuration to verify that all the installed native modules are legitimate (signed by a\r\ntrusted provider, or installed on purpose).\r\nFor details on how to detect and remove IIS malware, refer to the Mitigation section of the white paper. We are also\r\npublishing a set of YARA rules that you can leverage to detect all the 14 analyzed IIS malware families.\r\nConclusion\r\nInternet Information Services web servers have been targeted by various malicious actors, for cybercrime and\r\ncyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a\r\nuseful tool for attackers to become a part of the IIS server, and intercept or modify its traffic.\r\nIt is still quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to\r\noperate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their\r\nvisitors’ data, including authentication and payment information. Organizations that use OWA should also pay attention, as it\r\ndepends on IIS and could be an interesting target for espionage.\r\nWhile IIS server threats are not limited to native IIS malware, we believe this paper will be a helpful starting point for\r\ndefenders for understanding, identifying, and removing IIS threats, and a guide to our fellow researchers to reverse engineer\r\nthis class of threats and understand their common tactics, techniques and procedures.\r\nAdditional technical details on the malware and Indicators of Compromise can be found in our comprehensive white paper,\r\nand on GitHub. 
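The Mitigation section above recommends regularly checking that every installed native module is legitimate. The script below is an added example written for this summary; it is not code from the ESET paper or from its GitHub repository. It reads the globalModules list that w3wp.exe loads from applicationHost.config (the live file by default, or an offline copy via -ConfigPath), expands the %windir%-style image paths, checks each DLL's Authenticode signature and location, and optionally lists unsigned DLLs currently mapped into running worker processes. The parameter names, the Get-DllTrust helper and the non-Microsoft-signer heuristic are this example's own choices, not anything prescribed by the paper.

```powershell
# Added example, not from the ESET paper or its GitHub repository: audit the native
# IIS modules that the worker process (w3wp.exe) will load, starting from the
# globalModules section of applicationHost.config. Run from an elevated 64-bit
# PowerShell on the server, or point -ConfigPath at an offline copy of the file.
param(
    [string]$ConfigPath = (Join-Path $env:windir 'System32/inetsrv/config/applicationHost.config'),
    [string[]]$KnownThirdParty = @(),   # names of non-Microsoft modules you installed on purpose
    [switch]$CheckLoaded                # also inspect DLLs currently mapped into w3wp.exe
)

$inetsrv = [IO.Path]::GetFullPath((Join-Path $env:windir 'System32/inetsrv'))

function Get-DllTrust([string]$Path) {
    # Signature status and signer subject for one file; FileMissing if it is not on disk.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Status = 'FileMissing'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{ Status = $sig.Status.ToString(); Signer = $signer }
}

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$findings = @(foreach ($add in $config.configuration.'system.webServer'.globalModules.add) {
    # image paths use %windir%-style variables; expand them before touching the file
    $image = [IO.Path]::GetFullPath([Environment]::ExpandEnvironmentVariables($add.image))
    $trust = Get-DllTrust $image

    $reasons = @()
    if ($trust.Status -ne 'Valid') {
        $reasons += 'signature ' + $trust.Status
    } elseif ($trust.Signer -notmatch 'O=Microsoft Corporation' -and $KnownThirdParty -notcontains $add.name) {
        $reasons += 'non-Microsoft signer'
    }
    if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'image outside inetsrv'
    }

    [pscustomobject]@{
        Source     = 'config'
        Name       = $add.name
        Image      = $image
        Signature  = $trust.Status
        Signer     = $trust.Signer
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
})

if ($CheckLoaded) {
    # Second view: what is actually mapped into the worker processes right now.
    # Any unsigned DLL is reported, whichever path it was loaded from.
    $findings += @(foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
        $mods = @()
        try { $mods = @($proc.Modules) } catch { }   # needs elevation and matching bitness
        foreach ($mod in $mods) {
            $trust = Get-DllTrust $mod.FileName
            if ($trust.Status -ne 'Valid') {
                [pscustomobject]@{
                    Source     = 'w3wp PID ' + $proc.Id
                    Name       = $mod.ModuleName
                    Image      = $mod.FileName
                    Signature  = $trust.Status
                    Signer     = $trust.Signer
                    Suspicious = $true
                    Reason     = 'unsigned DLL in worker process'
                }
            }
        }
    })
}

$findings | Sort-Object Suspicious -Descending | Format-Table Source, Name, Signature, Reason, Image -AutoSize
```

Treat the output as a triage list rather than a verdict: a legitimate third-party module will show up as a non-Microsoft signer until you add its name to -KnownThirdParty, a trojanized copy of a legitimate module can keep the original name but will lose its valid signature, and an unsigned or unexpectedly located image is exactly the kind of entry the paper suggests checking by hand. On older Windows builds Get-AuthenticodeSignature does not consult catalog files, so OS DLLs can be reported as NotSigned in the -CheckLoaded view; compare against a known-good server before acting on those.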
For any inquiries, or to make sample submissions related to the subject, contact us at:\r\nthreatintel@eset.com.\r\nAcknowledgements to fellow ESET malware researchers Marc-Étienne Léveillé and Mathieu Tartare for their work on this\r\ninvestigation.\r\nRead next:\r\nIIStealer: A server‑side threat to e‑commerce transactions\r\nIISpy: A complex server‑side backdoor with anti‑forensic features\r\nIISerpent: Malware‑driven SEO fraud as a service\r\nSource: https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/"
	],
	"report_names": [
		"anatomy-native-iis-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4864dab4d59af90820d8f79a9a9400c7bac54e0.pdf",
		"text": "https://archive.orkl.eu/d4864dab4d59af90820d8f79a9a9400c7bac54e0.txt",
		"img": "https://archive.orkl.eu/d4864dab4d59af90820d8f79a9a9400c7bac54e0.jpg"
	}
}