
China-Linked Cyber Espionage: How OP-512 Exploited Legacy IIS Servers and Evaded Detection

Your team built defenses around known China-linked clusters. The file hashes are tracked. The behavioral patterns are documented. What those defenses weren't built to catch is a new cluster that studied them and engineered around them. A China-linked attacker compromised an internet-facing IIS server, maintained access for over 75 days, and came back on fresh infrastructure.

With four China-linked clusters converging on the same legacy IIS stack in twelve months, defenders building detection programs around yesterday's cluster are already behind the next one.

Join hosts Alex and John as they discuss:

  • How OP-512 engineered its tooling to evade defenses
  • Why killing a malicious process is an incomplete response
  • What advantage cross-source correlation provides

Two questions your organization should be asking right now:

  • When your detection sources each generate a separate low-confidence signal from the same host, does anything in your current workflow correlate those signals automatically?

  • Do you have internet-facing IIS servers running end-of-life .NET in your environment, and does your vulnerability-management workflow prioritize correctly?

Alexandra Moore: Manager of Threat Intelligence at ReliaQuest, where she leads intelligence analysis and customer dissemination to help organizations understand and respond to emerging cyber threats. Prior to this, she established and scaled monitoring across Russian-language cybercriminal platforms at Digital Shadows, building collection and analytical coverage to support digital risk protection capabilities.

John Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.

Learn How GreyMatter Agentic AI Scales Your Security Operations

GreyMatter is an agentic AI security operations platform with 6 agentic Teammates that use hundreds of agent skills and AI tools to work toward an objective, not just tasks.
