Q1 2026 malware statistics report for Windows web servers

Published 14/04/2026 10:53 · Modified 14/04/2026 09:20

Essential information

Published
14/04/2026 10:53
Modified
14/04/2026 09:20
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
apache tomcat badpotato coinminer cve-2019-1458 htran iis jsprat juicypotato port forwarding porttranc printspoofer privilege escalation rdp compromise web shell windows web servers
Tags
2026-04-14 CVE-2019-1458 apache tomcat badpotato coinminer htran iis jsprat juicypotato port forwarding porttranc printspoofer privilege-escalation rdp compromise web shell windows web servers
Related entities
1 vulnerabilities (cve), 1 indicators, 1 observables, 1 intrusion sets (apt), 15 techniques (mitre), 6 malware

Description

Analysis of Windows web server attacks during Q1 2026 reveals that Internet Information Services () and servers face persistent threats through exploitation. The Larva-26001 threat actor has been targeting domestic servers for several years, deploying tools including , , and exploiting . Following , attackers utilize port-forwarding tools like and to redirect traffic to RDP port 3389, enabling remote control of compromised systems. Attack vectors include file upload vulnerabilities, Web Framework-WAS vulnerabilities, and unpatched RCE services. Additional malicious activities involve deployment of backdoors, CoinMiners, and proxy tools for internal network compromise.

External references