Chinese-Speaking Threat Actor Targets IIS Servers with TOLLBOOTH

Researchers from Elastic Security Labs and Texas A&M University System Cybersecurity uncovered a widespread campaign by a Chinese-speaking threat actor exploiting misconfigured Microsoft IIS servers. The attackers deployed a malicious IIS module called TOLLBOOTH, a modified Hidden rootkit, and a Godzilla-forked webshell framework to maintain persistence and hide operations. The campaign, designated REF3927, involved deserialization attacks against ASP.NET machine keys and affected 571 servers across various industries.

Latest mentioned: 10-23

Earliest mentioned: 10-20

Sources

gbhackers.com securityonline.info thehackernews.com cybersum.net

Also Read

PhantomCaptcha Cyberattack Targets Humanitarian Groups

A highly coordinated cyberattack, codenamed PhantomCaptcha, targeted major humanitarian and government groups supporting war relief efforts. The attack, which lasted only 24 hours, involved fake emails and a tricky captcha trap to deploy a remote access trojan. Researchers noted similarities with the COLDRIVER threat group, known for sophisticated operations. The attackers spent six months preparing, indicating a high level of planning and evasion techniques.

10-23Read more →