{
  "name": "Q1 2026 malware statistics report for Windows web servers",
  "slug": "q1-2026-malware-statistics-report-for-windows-web-servers",
  "description": "Analysis of Windows web server attacks during Q1 2026 reveals that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats through web shell deployment and abuse. The Larva-26001 threat actor has for several years targeted domestic (South Korean, per the AhnLab ASEC source) IIS servers, deploying local privilege escalation tools such as JuicyPotato, BadPotato and PrintSpoofer - token-impersonation tools that abuse the SeImpersonatePrivilege typically held by IIS application pool accounts - and exploiting CVE-2019-1458 (a Windows Win32k elevation-of-privilege vulnerability patched in December 2019). After escalating privileges, the attackers use port-forwarding tools such as HTran and PortTranC to tunnel inbound traffic to the compromised host's RDP service (TCP/3389), enabling interactive remote control of systems whose RDP port is not directly exposed. Initial access vectors include file upload vulnerabilities, web framework and web application server (WAS) vulnerabilities, and unpatched services with known remote code execution (RCE) flaws. Post-compromise activity includes deployment of backdoors, CoinMiners and proxy tools used to pivot into the internal network. Defenders should prioritize patching, restricting write/execute permissions on web-accessible directories, reviewing web application pool privileges, and monitoring for unexpected listeners and outbound tunnels on web servers.",
  "published": "2026-04-14T08:53:33.691000+00:00",
  "created_at": "2026-04-14T09:20:25.839000+00:00",
  "modified_at": "2026-04-14T07:20:25+00:00",
  "created_at_opencti": "2026-04-14T09:20:25.839000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "apache tomcat",
    "badpotato",
    "coinminer",
    "cve-2019-1458",
    "htran",
    "iis",
    "jsprat",
    "juicypotato",
    "port forwarding",
    "porttranc",
    "printspoofer",
    "privilege escalation",
    "rdp compromise",
    "web shell",
    "windows web servers"
  ],
  "tags": [
    "2026-04-14",
    "CVE-2019-1458",
    "apache tomcat",
    "badpotato",
    "coinminer",
    "htran",
    "iis",
    "jsprat",
    "juicypotato",
    "port forwarding",
    "porttranc",
    "printspoofer",
    "privilege-escalation",
    "rdp compromise",
    "web shell",
    "windows web servers"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "54da954d-5ec3-4da4-b924-0e50fde02c87",
        "name": "CVE-2019-1458"
      }
    ],
    "indicators": [
      {
        "id": "e7390e22-a7f3-4e01-94b2-3535953aefd3",
        "name": "aa0db29e00c33ba522540485b545ca0da7d2a7e8186f54a8a4dabd9438884c1d"
      }
    ],
    "intrusion_sets": [
      {
        "id": "bc626fac-ffa5-4722-846f-2caad11d7dfa",
        "name": "Larva-26001",
        "slug": "larva-26001"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "1f2ce0cc-430c-4317-a332-83a27cbad1d3",
        "name": "T1548"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "a2ba5594-6293-4868-928c-ab4b31927a02",
        "name": "T1572"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "4d63517d-a89b-49ca-a7e1-436534107d42",
        "name": "JuicyPotato",
        "slug": "juicypotato"
      },
      {
        "id": "ef9eefb0-f0d8-4d42-aeb1-af38dc2437ba",
        "name": "HTran",
        "slug": "htran"
      },
      {
        "id": "9b845cbe-8edb-46b8-85eb-00ff078c19c4",
        "name": "PortTranC",
        "slug": "porttranc"
      },
      {
        "id": "bf7ac99f-3115-413b-a4a8-e9cf0a7551a1",
        "name": "Jsprat",
        "slug": "jsprat"
      },
      {
        "id": "fd062c6a-2a7e-45d1-aced-a79e1a883aec",
        "name": "PrintSpoofer",
        "slug": "printspoofer"
      },
      {
        "id": "7637bc58-ea97-4018-8bdd-a5eb46308d2b",
        "name": "BadPotato",
        "slug": "badpotato"
      }
    ],
    "observables": [
      {
        "id": "",
        "name": "aa0db29e00c33ba522540485b545ca0da7d2a7e8186f54a8a4dabd9438884c1d"
      }
    ]
  },
  "external_refs": [
    {
      "id": "8a642d63-d304-4232-9125-ba0e3e75410c",
      "standard_id": "external-reference--03f6cf53-ffce-518b-9dff-01046a6d8fde",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://asec.ahnlab.com/en/93335/",
      "hash": null,
      "external_id": null,
      "created": "2026-04-14T09:20:24.523Z",
      "modified": "2026-04-14T09:20:24.523Z",
      "createdById": null
    },
    {
      "id": "21d0210f-d828-4e38-96d1-4ecc37b3ac2a",
      "standard_id": "external-reference--8ec48394-88e5-5e3e-98a5-686128204827",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69de008da466f2dc89165990",
      "hash": null,
      "external_id": "69de008da466f2dc89165990",
      "created": "2026-04-14T09:20:24.495Z",
      "modified": "2026-04-14T09:20:24.495Z",
      "createdById": null
    }
  ]
}