{
  "name": "IIS servers owned by RudePanda like it's 2003",
  "slug": "iis-servers-owned-by-rudepanda-like-its-2003",
  "description": "A new malicious IIS module called 'HijackServer' has been detected compromising IIS servers by exploiting exposed ASP .NET machine keys. The attackers use a customized rootkit and ready-made tools to gain persistent access. While primarily aimed at search engine optimization for cryptocurrency scams, the module allows unauthenticated remote command execution on affected servers. Hundreds of servers worldwide have been compromised. The operation shows determination and capability, though possibly relying on low-skilled operators. The threat leaves servers vulnerable to exploitation by any third party for espionage or malicious infrastructure development.",
  "published": "2025-10-22T17:02:28+00:00",
  "created_at": "2025-10-22T17:02:28+00:00",
  "modified_at": "2025-10-22T18:20:35+00:00",
  "created_at_opencti": "2025-10-22T17:02:28+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-22",
    "asp .net",
    "cryptocurrency",
    "hijackdrivermanager",
    "hijackserver",
    "iis",
    "remote command execution",
    "rootkit",
    "seo",
    "wingtbcli"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "wseo88.com"
      },
      {
        "id": "",
        "name": "wseo99.com"
      },
      {
        "id": "",
        "name": "lseo99.com"
      },
      {
        "id": "",
        "name": "jseo99.com"
      },
      {
        "id": "",
        "name": "fseo88.com"
      },
      {
        "id": "",
        "name": "cseo88.com"
      },
      {
        "id": "",
        "name": "aseo88.com"
      },
      {
        "id": "",
        "name": "fc16cb7949b0eb8f3ffa329bef753ee21440638c1ec0218c1e815ba49d7646bb"
      },
      {
        "id": "",
        "name": "ed2c4429cf27e19aa6881d86bc5b42c21470525564fc53be688b9b26c83db766"
      },
      {
        "id": "",
        "name": "e6a9bf90accf17355a1f779d480a38838b2bbb2877cde095c7c139e041c50d71"
      },
      {
        "id": "",
        "name": "f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1"
      },
      {
        "id": "",
        "name": "e3bfd9aca49726556f6279aad2ab54ca9c1f0df22bcad27aa7e1ba3234f8eaff"
      },
      {
        "id": "",
        "name": "c348996e27fc14e3dce8a2a476d22e52c6b97bf24dd9ed165890caf88154edd2"
      },
      {
        "id": "",
        "name": "e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850"
      },
      {
        "id": "",
        "name": "c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2"
      },
      {
        "id": "",
        "name": "af05f1b780a14583887857cb87d697d985ce172abb1d57e4108cac5e5aaca136"
      },
      {
        "id": "",
        "name": "bd2de6ca6c561cec1c1c525e7853f6f73bf6f2406198cd104ecb2ad00859f7d3"
      },
      {
        "id": "",
        "name": "a96e1643dedd472e5712282904110ee948592fab722dc87d8f1e7658d3d8449d"
      },
      {
        "id": "",
        "name": "915441b7d7ddb7d885ecfe75b11eed512079b49875fc288cd65b023ce1e05964"
      },
      {
        "id": "",
        "name": "a8498295ec3557f1bf680a432acf415abf108405063f44d78974a4f27c27dd20"
      },
      {
        "id": "",
        "name": "913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc"
      },
      {
        "id": "",
        "name": "88fd3c428493d5f7d47a468df985c5010c02d71c647ff5474214a8f03d213268"
      },
      {
        "id": "",
        "name": "8ed76396e11d1c268b6a80def8b57abacf4ea1ac059838bd858c8587c26b849c"
      },
      {
        "id": "",
        "name": "83620389548516c74b40f9067ca20b7cc641a243c419d76ab2da87f8fd38e81c"
      },
      {
        "id": "",
        "name": "82a1f8abffbd469e231eec5e0ac7e01eb6a83cbeb7e09eb8629bc5cc8ef12899"
      },
      {
        "id": "",
        "name": "82b7f077021df9dc2cf1db802ed48e0dec8f6fa39a34e3f2ade2f0b63a1b5788"
      },
      {
        "id": "",
        "name": "7cc8b4206e87788b8403500f37bb8b5cfb71d3c26d49365ccc9c36b688c7428a"
      },
      {
        "id": "",
        "name": "7260f09e95353781f2bebf722a2f83c500145c17cf145d7bda0e4f83aafd4d20"
      },
      {
        "id": "",
        "name": "7a10207a430234b448f692a534cea16d400858c5fdda014c786fbf97127dce88"
      },
      {
        "id": "",
        "name": "665234a6627269ba0b3816a6a29ede4fc72d36f34978f5ba1410e63d968d3d62"
      },
      {
        "id": "",
        "name": "64d0a4703ec976b0e0db4e193b9ccdf4ef6f34d24c32274579ee028a67bfa3a9"
      },
      {
        "id": "",
        "name": "5113d2da6cd9f4a4a9123a3547b01250659dcc349c36159ee11b93805ce51105"
      },
      {
        "id": "",
        "name": "4e24349b61c5af60a5e7f543c86963087ca6d6078378f83c8fe55b36dc6331f4"
      },
      {
        "id": "",
        "name": "4c6703c7435759dbe0c889474a5fae4ca86e491ca45887a0dae3fcd4649e79c5"
      },
      {
        "id": "",
        "name": "13ebf6422fe07392c886c960fafb90ef1ba3561f00eedb121a136e7f6c29c9ee"
      },
      {
        "id": "",
        "name": "0d07b8485145e0ea6789570b9ab476d8e1604110a9c45c9c753ef7bc5edfd539"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:78a9be1f7a7ea60f",
        "name": "WingtbCLI",
        "slug": "wingtbcli"
      },
      {
        "id": "legacy:malware:e855356c29259662",
        "name": "HijackDriverManager",
        "slug": "hijackdrivermanager"
      },
      {
        "id": "legacy:malware:cc7c37f14b97c0e3",
        "name": "HijackServer",
        "slug": "hijackserver"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d401b73f-f59a-4d8a-b300-8f09cad0ef12",
        "name": "RudePanda",
        "slug": "rudepanda"
      }
    ],
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ]
  },
  "external_refs": [
    "https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003",
    "https://otx.alienvault.com/pulse/68f92a4430a24cc42a46608c"
  ]
}