Executive Summary
Recent OTX Pulse data reveals two distinct but concerning threat campaigns:
-
OP-512 China-Linked Espionage Campaign: A newly identified China-linked espionage cluster designated OP-512 has been discovered targeting Internet Information Services (IIS) servers through advanced AI-driven detection. The operation involves deploying a sophisticated custom web shell framework consisting of three components: a file manager with command-and-control notification channel and two cryptographically authenticated command handlers. The campaign leverages multiple malware families including GhostKit, BadPotato variants, Meterpreter, PlugX, Thoper, TVT, DestroyRAT, Sogu, Kaba, Korplug, Cobalt Strike, Rungan, Gamshen, and BadIIS.
-
UNC3753 Targeted Campaign Against US Law Firms: From January through May 2026, a financially motivated data theft extortion campaign executed by threat cluster UNC3753 has targeted dozens of organizations across professional, legal, and financial services in the United States. The threat actors leverage voice phishing and social engineering techniques, posing as IT support to convince targets to host screen-sharing sessions and download remote monitoring tools, which leads to deployment of ransomware (LOCKBIT.BLACK), loaders (BAZARLOADER), and credential stealers (TrickBot, Ursnif, Gozi-ISFB).
Both campaigns demonstrate sophisticated techniques, with OP-512 focusing on espionage using advanced web shell frameworks against IIS infrastructure, while UNC3753 employs targeted social engineering against high-value professional services organizations for financial gain through data theft and extortion.
Threat Actor / Malware Profile
OP-512 (China-Linked Espionage Actor)
- Distribution Method: Exploitation of IIS server vulnerabilities, potentially including unpatched services or misconfigurations
- Payload Behavior: Deploys a sophisticated three-component custom web shell framework:
- File manager with C2 notification channel
- Cryptographically authenticated command handlers (2 components)
- C2 Communication: Uses identified IP infrastructure across Singapore, Hong Kong, and China with custom ports (8053, 443)
- Persistence Mechanism: Web shell deployment on IIS servers enables persistent access through compromised web services
- Anti-Analysis Techniques: Uses timestomping to hide file artifacts; likely employs encryption for C2 communications
GhostKit (Malware in OP-512 Arsenal)
- Distribution Method: Deployed through the OP-512 web shell framework
- Payload Behavior: Advanced web shell with file management capabilities and encrypted C2 communication
- C2 Communication: Cryptographically authenticated communications with OP-512 infrastructure
- Persistence Mechanism: Maintains persistence through web shell installation on IIS servers
- Anti-Analysis Techniques: Timestomping and encrypted communications
BadPotato/SweetPotato/EfsPotato (Privilege Escalation Tools in OP-512 Arsenal)
- Distribution Method: Likely deployed by GhostKit or other OP-512 tools
- Payload Behavior: Exploit Windows privilege escalation vulnerabilities (potentially COM/DCOM abuses)
- C2 Communication: May be used in conjunction with C2 tools like Cobalt Strike or Meterpreter
- Persistence Mechanism: Enables higher privilege access for deployment of persistent mechanisms
- Anti-Analysis Techniques: Typically rely on legitimate Windows mechanisms that evade simple detection
PlugX (RAT in OP-512 Arsenal)
- Distribution Method: Deployed through OP-512 web shell framework
- Payload Behavior: Remote Access Trojan with full system control capabilities
- C2 Communication: Custom encrypted C2 protocol
- Persistence Mechanism: Registry modification, scheduled tasks, or service installation
- Anti-Analysis Techniques: Anti-debugging, VM detection, encryption
UNC3753 (Financially Motivated Threat Actor)
- Distribution Method: Voice phishing and social engineering, posing as IT support
- Payload Behavior: Initial access through screen-sharing sessions, followed by malware deployment
- C2 Communication: Uses legitimate-looking domains for C2 infrastructure
- Persistence Mechanism: Scheduled tasks, registry modifications
- Anti-Analysis Techniques: Living off the land techniques, obfuscation
BAZARLOADER (Loader in UNC3753 Arsenal)
- Distribution Method: Delivered via social engineering and screen-sharing sessions
- Payload Behavior: Downloader/loader that deploys secondary payloads including ransomware and banking trojans
- C2 Communication: Uses legitimate-looking domains for C2 communication
- Persistence Mechanism: Registry Run keys, scheduled tasks
- Anti-Analysis Techniques: Obfuscation, DLL side-loading, process hollowing
TrickBot (Banking Trojan in UNC3753 Arsenal)
- Distribution Method: Deployed by BAZARLOADER after initial access
- Payload Behavior: Banking trojan with credential harvesting and lateral movement capabilities
- C2 Communication: Encrypted C2 communications with multiple fallback domains
- Persistence Mechanism: Scheduled tasks, registry modifications
- Anti-Analysis Techniques: Anti-debugging, code injection, obfuscation
LOCKBIT.BLACK (Ransomware in UNC3753 Arsenal)
- Distribution Method: Deployed after credential theft and lateral movement
- Payload Behavior: Ransomware that encrypts files and exfiltrates data for double extortion
- C2 Communication: Uses Tor-based C2 infrastructure
- Persistence Mechanism: Encrypts system files to prevent recovery
- Anti-Analysis Techniques: Anti-debugging, VM detection, encryption
IOC Analysis
The OTX pulses provide several types of indicators that security teams can operationalize:
-
IPv4 Addresses (3):
- 43.160.202.246 (Singapore)
- 124.156.129.151 (Hong Kong)
- 140.206.161.227 (China) These addresses likely serve as C2 infrastructure for OP-512. SOC teams should block these at the perimeter, configure firewall rules to deny connections, and hunt for any internal systems communicating with these IPs. Tools like Firewall logs, NetFlow data, and SIEM correlation can help identify traffic to these IPs.
-
URLs (2):
- http://140.206.161.227:443
- http://43.160.202.246:8053 These URLs represent potential C2 communication endpoints. Security teams should block access to these URLs in proxy servers, configure SIEM alerts for connections to these endpoints, and investigate any historical connections. URL filtering tools and network traffic analysis can help detect connections to these URLs.
-
Domains (4):
- hcgos.com
- business-data-leaks.com
- lockbit.black
- itdesk.com The domains serve various purposes: C2 infrastructure (hcgos.com for OP-512), credential harvesting (business-data-leaks.com for UNC3753), ransomware payment site (lockbit.black), and likely initial access phishing site (itdesk.com). Teams should implement DNS Sinkholing, block resolution of these domains, and search for any historical DNS queries or HTTP/HTTPS connections to these domains. DNS analytics and proxy logs are valuable for this analysis.
-
Hostname (1):
- ashx.lhlsjcb.com This hostname is likely related to OP-512's web shell infrastructure. Security teams should add this to blocklists and monitor for any traffic to this hostname. Network traffic analysis and SIEM correlation can help identify connections to this hostname.
Detection Engineering
Sigma Rules
---
title: Potential OP-512 Web Shell Activity on IIS
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential web shell activity associated with OP-512 campaign targeting IIS servers
status: experimental
author: Security Arsenal
date: 2026/07/05
references:
- https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512
tags:
- attack.persistence
- attack.webshell
- attack.t1505.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5140 or 5145
ShareName|contains: 'wwwroot$'
filter:
SubjectUserName:
- 'IUSR'
- 'IIS_IUSRS'
- 'SYSTEM'
- 'NETWORK SERVICE'
condition: selection and not filter
falsepositives:
- Legitimate IIS administration
level: high
---
title: OP-512 C2 Infrastructure Communication
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
description: Detects potential communication with known OP-512 C2 infrastructure
status: experimental
author: Security Arsenal
date: 2026/07/05
references:
- https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512
tags:
- attack.command_and_control
- attack.t1071.004
logsource:
category: network_connection
detection:
selection:
DestinationIp|contains:
- '43.160.202.246'
- '124.156.129.151'
- '140.206.161.227'
DestinationPort:
- 8053
- 443
condition: selection
falsepositives:
- Unknown
level: critical
---
title: UNC3753 Initial Access via Remote Support Tools
id: c3d4e5f6-7890-12ab-cdef-3456789012cd
description: Detects potential initial access by UNC3753 through remote support tools
status: experimental
author: Security Arsenal
date: 2026/07/05
references:
- https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- '\msra.exe'
- '\TeamViewer.exe'
- '\AnyDesk.exe'
- '\ScreenConnect.exe'
ParentImage|endswith:
- '\explorer.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
condition: selection
falsepositives:
- Legitimate remote support activities
level: medium
KQL Queries
// Hunt for connections to OP-512 C2 infrastructure
DeviceNetworkEvents
| where RemoteIP in ("43.160.202.246", "124.156.129.151", "140.206.161.227")
| or RemoteUrl in ("http://140.206.161.227:443", "http://43.160.202.246:8053")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
// Hunt for connections to UNC3753 domains
DeviceNetworkEvents
| where RemoteUrl in~ ("hcgos.com", "business-data-leaks.com", "lockbit.black", "itdesk.com")
| or RemoteDnsDomain in~ ("hcgos.com", "business-data-leaks.com", "lockbit.black", "itdesk.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteDnsDomain
| order by Timestamp desc
// Hunt for potential OP-512 web shell activity
SecurityEvent
| where EventID in (5140, 5145)
| where ShareName contains "wwwroot$"
| where SubjectUserName !in ("IUSR", "IIS_IUSRS", "SYSTEM", "NETWORK SERVICE")
| project Timestamp, Computer, SubjectUserName, ShareName, AccessMask
| order by Timestamp desc
// Hunt for UNC3753 malware execution
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("msra.exe", "TeamViewer.exe", "AnyDesk.exe", "ScreenConnect.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
PowerShell IOC Hunt Script
# OP-512 & UNC3753 IOC Hunt Script
# Checks for network connections to known threat infrastructure
# Import necessary modules
Import-Module NetAdapter
# Check for connections to OP-512 C2 infrastructure
Write-Host "Checking for connections to OP-512 C2 infrastructure..."
$OP512_IPs = @("43.160.202.246", "124.156.129.151", "140.206.161.227")
$OP512_URLs = @("http://140.206.161.227:443", "http://43.160.202.246:8053")
$OP512_Domains = @("hcgos.com", "ashx.lhlsjcb.com")
# Check network connections
$networkConnections = Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
foreach ($connection in $networkConnections) {
if ($OP512_IPs -contains $connection.RemoteAddress) {
$process = Get-Process -Id $connection.OwningProcess -ErrorAction SilentlyContinue
Write-Host "ALERT: Connection to OP-512 IP $($connection.RemoteAddress):$($connection.RemotePort) detected!" -ForegroundColor Red
Write-Host "Process: $($process.ProcessName) (PID: $($connection.OwningProcess))" -ForegroundColor Yellow
}
}
# Check UNC3753 domains
$UNC3753_Domains = @("business-data-leaks.com", "lockbit.black", "itdesk.com")
# Check DNS cache
Write-Host "`nChecking DNS cache for threat domains..."
$dnsCache = Get-DnsClientCache | Where-Object {$_.Entry -in ($OP512_Domains + $UNC3753_Domains)}
foreach ($entry in $dnsCache) {
Write-Host "ALERT: DNS entry for $($entry.Entry) found!" -ForegroundColor Red
Write-Host "Data: $($entry.Data)" -ForegroundColor Yellow
}
# Check browser history (requires admin privileges)
Write-Host "`nChecking browser history for threat URLs..."
$chromeHistoryPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
if (Test-Path $chromeHistoryPath) {
Copy-Item $chromeHistoryPath "$env:TEMP\chrome_history_temp" -Force
$chromeHistory = Import-Csv "$env:TEMP\chrome_history_temp" -Delimiter "`0" -Header url, title, visit_count, typed_count, last_visit_time, last_visit_time_after_1970
foreach ($entry in $chromeHistory) {
foreach ($url in ($OP512_URLs + $OP512_Domains + $UNC3753_Domains)) {
if ($entry.url -like "*$url*") {
Write-Host "ALERT: Browser history contains entry for $url!" -ForegroundColor Red
Write-Host "URL: $($entry.url)" -ForegroundColor Yellow
}
}
}
Remove-Item "$env:TEMP\chrome_history_temp" -Force
}
# Check for web shell characteristics on IIS servers
if (Get-Service W3SVC -ErrorAction SilentlyContinue) {
Write-Host "`nSystem appears to be an IIS server. Checking for potential web shells..."
$webRoots = @("C:\inetpub\wwwroot", "C:\inetpub\wwwroot\*", "D:\inetpub\wwwroot", "E:\inetpub\wwwroot")
foreach ($path in $webRoots) {
if (Test-Path $path) {
$recentFiles = Get-ChildItem $path -Recurse -File | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-30)}
foreach ($file in $recentFiles) {
# Check for suspicious ASP.NET files
if ($file.Extension -in @(".aspx", ".asmx", ".ashx", ".asp")) {
$content = Get-Content $file.FullName -Raw -ErrorAction SilentlyContinue
if ($content) {
# Check for suspicious content patterns
$suspiciousPatterns = @("System.Diagnostics.Process.Start", "Runtime.getRuntime().exec", "eval(", "base64_decode", "Shell.Application")
foreach ($pattern in $suspiciousPatterns) {
if ($content -match $pattern) {
Write-Host "ALERT: Suspicious content pattern '$pattern' found in $($file.FullName)" -ForegroundColor Red
Write-Host "Last modified: $($file.LastWriteTime)" -ForegroundColor Yellow
}
}
}
}
}
}
}
}
# Check for BadPotato/SweetPotato/EfsPotato indicators
Write-Host "`nChecking for privilege escalation tool indicators..."
$potatoIndicators = @("C:\Windows\Temp\BadPotato.exe", "C:\Windows\Temp\SweetPotato.exe", "C:\Windows\Temp\EfsPotato.exe")
foreach ($indicator in $potatoIndicators) {
if (Test-Path $indicator) {
Write-Host "ALERT: Potential privilege escalation tool found at $indicator" -ForegroundColor Red
}
}
Write-Host "`nIOC hunt complete. Review alerts and take appropriate action."
Response Priorities
Immediate
- Block all IOCs at perimeter devices (firewall, proxy, DNS)
- Hunt for any existing connections to OP-512 IPs/URLs and UNC3753 domains
- Search IIS server logs for web shell activity indicators
- Check for recent deployment of remote support tools outside IT control
- Implement network segmentation to limit lateral movement
24h
- Verify identities of users who may have been compromised by UNC3753 social engineering
- Conduct credential audits and password resets for potentially affected accounts
- Review and reset privileged account credentials
- Implement enhanced monitoring for suspicious credential usage
- Deploy additional EDR controls on IIS servers and workstations
1 week
- Harden IIS server configurations to limit web shell deployment opportunities
- Implement application whitelisting on IIS servers
- Conduct security awareness training focused on social engineering and voice phishing
- Implement multi-factor authentication for all remote access solutions
- Review and improve incident response playbooks for web shell and ransomware incidents
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.