Q1 2026 malware statistics report for Windows web servers
Essential information
- Published: 14/04/2026 10:53
- Modified: 14/04/2026 09:20
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: apache tomcat badpotato coinminer cve-2019-1458 htran iis jsprat juicypotato port forwarding porttranc printspoofer privilege escalation rdp compromise web shell windows web servers
- Related entities: 1 vulnerability (CVE), 1 indicator, 1 observable, 1 intrusion set (APT), 15 techniques (MITRE ATT&CK), 6 malware
Description
Analysis of attacks on Windows web servers during Q1 2026 shows that Internet Information Services (IIS) and Apache Tomcat servers remain persistently exposed to web shell attacks. The threat actor tracked as Larva-26001 has targeted domestic IIS servers (domestic from the perspective of the original report's author) for several years. After landing a web shell, it escalates privileges with Potato-family tools such as JuicyPotato and BadPotato (the report's tags also list PrintSpoofer) and with exploits for CVE-2019-1458, a Win32k elevation-of-privilege vulnerability. Once running with elevated privileges, the attackers install port-forwarding tools such as HTran and PortTranC that redirect traffic to the RDP service on TCP port 3389, giving them interactive remote control of the compromised host. Initial access vectors include file upload vulnerabilities, vulnerabilities in web frameworks and web application servers (WAS), and unpatched services with remote code execution flaws. Other observed activity includes the deployment of backdoors, CoinMiners, and proxy tools used to pivot into the internal network.
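The chain above (web shell under IIS or Tomcat, Potato-style escalation to SYSTEM, then a port forwarder relaying to RDP on TCP 3389) leaves a recognisable trail in process-creation and network-connection telemetry. The following detection sketch is an added example, not code from the report or from any vendor: it runs three rules over Sysmon-style events (Event ID 1 and Event ID 3) expressed as plain dicts. The sample events are constructed for illustration, and the tool file names `jp.exe` and `ht.exe` are placeholders, not indicators from the report.

```python
"""Detection sketch for the Windows web server attack chain described above:
web shell under IIS/Tomcat -> Potato-style privilege escalation to SYSTEM ->
port forwarder relaying to RDP (TCP 3389). It runs over Sysmon-style events
(Event ID 1 process creation, Event ID 3 network connection) expressed as
plain dicts. Added example; the events below are constructed, not from the
report, and the tool file names (jp.exe, ht.exe) are placeholders."""
from dataclasses import dataclass

# Worker processes that host web applications on Windows (IIS app pools run
# as w3wp.exe; Tomcat normally runs inside java.exe or a tomcatN.exe wrapper).
WEB_WORKERS = {"w3wp.exe", "java.exe", "tomcat9.exe", "tomcat10.exe"}
# Children a web worker has no business spawning: typical web-shell commands.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "certutil.exe"}
# Images that legitimately talk to TCP 3389: the RDP client, and svchost.exe
# hosting the Remote Desktop service itself.
RDP_ALLOWED = {"mstsc.exe", "svchost.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


@dataclass
class Proc:
    pid: int
    image: str
    user: str
    ppid: int


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (rule, pid, detail) findings, in event order."""
    procs = {}
    findings = []

    def web_worker_ancestor(pid):
        # Walk the parent chain (guarding against PID-reuse loops) and return
        # the first ancestor that is a web worker, or None.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            p = procs[pid]
            if basename(p.image) in WEB_WORKERS:
                return p
            pid = p.ppid
        return None

    for ev in events:
        if ev["EventID"] == 1:
            p = Proc(ev["ProcessId"], ev["Image"], ev["User"], ev["ParentProcessId"])
            procs[p.pid] = p
            parent = procs.get(p.ppid)
            if parent is None:
                continue
            # Rule 1: a web worker directly spawning a command interpreter or recon tool.
            if basename(parent.image) in WEB_WORKERS and basename(p.image) in SHELL_CHILDREN:
                findings.append(("webshell_exec", p.pid,
                                 f"{basename(parent.image)} spawned {basename(p.image)} as {p.user}"))
            # Rule 2: the first hop to SYSTEM somewhere beneath a web worker that
            # itself runs as an app-pool/service identity (Potato tools,
            # PrintSpoofer and CVE-2019-1458 exploits all produce this jump).
            worker = web_worker_ancestor(p.ppid)
            if (worker is not None and p.user == SYSTEM_USER
                    and parent.user != SYSTEM_USER and worker.user != SYSTEM_USER):
                findings.append(("privesc", p.pid,
                                 f"{basename(p.image)} runs as SYSTEM under "
                                 f"{basename(worker.image)} ({worker.user})"))
        elif ev["EventID"] == 3:
            # Rule 3: something other than the RDP client/service connecting to
            # 3389, e.g. a port forwarder relaying inbound traffic to local RDP.
            img = basename(ev["Image"])
            if ev["DestinationPort"] == 3389 and img not in RDP_ALLOWED:
                findings.append(("rdp_relay", ev["ProcessId"],
                                 f"{img} -> {ev['DestinationIp']}:3389"))
    return findings


# Constructed sample: IIS worker -> cmd.exe (web shell) -> placeholder Potato
# binary -> SYSTEM cmd.exe -> placeholder forwarder connecting to local RDP.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 800,
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "ProcessId": 5220, "ParentProcessId": 4100,
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "ProcessId": 5300, "ParentProcessId": 5220,
     "Image": "C:\\Windows\\Temp\\jp.exe", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "ProcessId": 5400, "ParentProcessId": 5300,
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": SYSTEM_USER},
    {"EventID": 1, "ProcessId": 5500, "ParentProcessId": 5400,
     "Image": "C:\\Windows\\Temp\\ht.exe", "User": SYSTEM_USER},
    {"EventID": 3, "ProcessId": 5500, "Image": "C:\\Windows\\Temp\\ht.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 3389},
    # Benign noise: an admin's RDP client and the web worker's own HTTPS traffic.
    {"EventID": 3, "ProcessId": 6000, "Image": "C:\\Windows\\System32\\mstsc.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 3389},
    {"EventID": 3, "ProcessId": 4100, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "DestinationIp": "10.0.0.9", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Rule 2 deliberately fires only at the hop where the user changes to SYSTEM, so a long SYSTEM-level tail (forwarder, miner, backdoor) produces one privilege-escalation alert rather than one per process; rule 3 is intentionally broad and would need an allow-list for legitimate management tooling before it is deployed against real Sysmon feeds.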