IIS servers owned by RudePanda like it's 2003

A new malicious IIS module called 'HijackServer' has been detected compromising IIS servers by exploiting exposed ASP .NET machine keys. The attackers use a customized rootkit and ready-made tools to gain persistent access. While primarily aimed at search engine optimization for cryptocurrency scams, the module allows unauthenticated remote command execution on affected servers. Hundreds of servers worldwide have been compromised. The operation shows determination and capability, though possibly relying on low-skilled operators. The threat leaves servers vulnerable to exploitation by any third party for espionage or malicious infrastructure development.

Pulse ID: 68f92a4430a24cc42a46608c
Pulse Link: https://otx.alienvault.com/pulse/68f92a4430a24cc42a46608c
Pulse Author: AlienVault
Created: 2025-10-22 19:02:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Espionage #InfoSec #Mac #NET #OTX #OpenThreatExchange #RAT #RemoteCommandExecution #Rootkit #bot #cryptocurrency #AlienVault