
IIS servers owned by RudePanda like it's 2003

· Published 22/10/2025 19:02 · Modified 22/10/2025 20:20


Essential information

Tags
2025-10-22 asp .net cryptocurrency hijackdrivermanager hijackserver iis remote command execution rootkit seo wingtbcli
Related entities
36 observables, 1 intrusion sets (apt), 16 techniques (mitre), 3 malware

Description

A new malicious module called '' has been detected compromising servers by exploiting exposed machine keys. The attackers use customized and ready-made tools to gain persistent access. While primarily aimed at search engine optimization for scams, the module allows unauthenticated on affected servers. Hundreds of servers worldwide have been compromised. The operation shows determination and capability, though possibly relying on low-skilled operators. The threat leaves servers vulnerable to exploitation by any third party for espionage or malicious infrastructure development.

External references