
IIS Servers Hijacked by Exposed ASP.NET Keys

A sophisticated cyberattack campaign is targeting Microsoft Internet Information Services (IIS) servers, exploiting a weakness rooted in decades-old security mistakes to deploy malicious modules. The operation enables both remote code execution (RCE) and large-scale search engine optimization (SEO) fraud.

Exploiting 2003 Secrets for RCE 

The attack, which began to surface in late August and early September 2025, compromises servers worldwide by leveraging publicly exposed ASP.NET machine keys. These cryptographic secrets, which protect ViewState deserialization, were originally published on a Microsoft Developer Network help page back in 2003 as configuration examples. Countless administrators copied the example keys verbatim into live production environments, creating a massive pool of vulnerable targets.

With these exposed keys, attackers can forge ViewState data that executes arbitrary code on targeted servers without needing any additional credentials. The campaign has affected approximately 240 server IP addresses and 280 domain names across diverse sectors, including government agencies, small businesses, and e-commerce platforms.

The HijackServer Module 

HarfangLab analysts identified the primary malicious module, dubbed HijackServer, during routine security monitoring. The infection chain is highly sophisticated. After initial exploitation via POST requests targeting vulnerable ASP.NET applications, attackers deploy a comprehensive toolkit archived as sys-tw-v1.6.1-clean-log.zip. This kit contains 32-bit and 64-bit variants of the malicious IIS modules, installation scripts, and a custom rootkit.

Following initial access, the threat actors use privilege escalation techniques known as EfsPotato and DeadPotato to create hidden local administrator accounts. They then install two malicious DLL files, scripts.dll and caches.dll, as IIS modules. These modules are configured to intercept HTTP requests at the earliest processing stage, before legitimate applications can respond. 

Rootkit Deployment and Evasion 

The attackers demonstrated advanced operational security by deploying a customized Windows kernel driver rootkit. This driver, a modified version of the open-source Hidden rootkit, operates as a signed kernel component using an expired certificate. Despite the certificate’s 2014 expiration, Microsoft’s policy exceptions allow it to load on modern Windows systems, enabling the rootkit to conceal files, registry keys, and processes. 

In a blunt but sweeping anti-forensics measure that contrasts with the rootkit's stealth, the post-installation script deletes every Windows event log using the command wevtutil cl "%%1" (the %%1 placeholder is filled in with each log name in turn), making forensic analysis significantly harder.

Primary Goal: SEO Fraud 

The main objective of the HijackServer module is search engine optimization fraud for dubious cryptocurrency investment schemes. When Google’s web crawler requests pages from compromised servers, the module dynamically generates HTML content containing numerous links to these crypto websites. This effectively poisons legitimate Google search results. 

However, the module also exposes an unauthenticated RCE backdoor through the /scjg URL path. This functionality creates a persistent and easily exploitable backdoor, transforming the financially motivated SEO fraud into a much more serious security compromise with potential long term espionage implications. 
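The two artefacts a defender can check for directly are the static machine keys at the root of the compromise and requests to the /scjg backdoor path. The following Python is an added example, not code from the article or from HarfangLab: it flags any static machineKey value in a web.config, compares it against a placeholder list of known-public key hashes (the article does not reproduce the 2003 keys, so the list here is constructed), and returns W3C IIS log lines whose request path is /scjg. The web.config and log lines are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder: SHA-256 of keys you already know to be public
# (e.g. copied from documentation). The article does not list the real keys.
KNOWN_PUBLIC_KEY_HASHES = {
    hashlib.sha256(b"placeholder-public-key").hexdigest(),
}
BACKDOOR_PATH = "/scjg"  # unauthenticated RCE path exposed by HijackServer

def audit_machine_key(web_config_xml):
    """Flag static <machineKey> values; copied static keys are the root cause here."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # runtime-generated keys cannot have been copied from docs
            findings.append(f"static {attr} in web.config")
            if hashlib.sha256(value.encode()).hexdigest() in KNOWN_PUBLIC_KEY_HASHES:
                findings.append(f"{attr} matches a known-public key: rotate it")
    return findings

def scan_iis_log(lines):
    """Return W3C IIS log lines whose cs-uri-stem is the backdoor path."""
    hits, stem_idx = [], None
    for line in lines:
        if line.startswith("#Fields:"):
            stem_idx = line.split()[1:].index("cs-uri-stem")  # header drives column order
            continue
        if line.startswith("#") or stem_idx is None:
            continue
        fields = line.split()
        if len(fields) > stem_idx and fields[stem_idx].lower() == BACKDOOR_PATH:
            hits.append(line)
    return hits

# Constructed samples: one web.config with a static key, three IIS log lines.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
<machineKey validationKey="placeholder-public-key" decryptionKey="0123456789ABCDEF"
            validation="SHA1" decryption="AES"/>
</system.web></configuration>"""
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-09-02 10:15:01 10.0.0.5 GET /index.aspx - 80 203.0.113.7 Mozilla/5.0 200
2025-09-02 10:15:09 10.0.0.5 POST /scjg - 80 203.0.113.7 python-requests/2.31 200
2025-09-02 10:16:00 10.0.0.5 GET / - 80 66.249.66.1 Googlebot/2.1 200""".splitlines()
```

Run `audit_machine_key(SAMPLE_WEB_CONFIG)` and `scan_iis_log(SAMPLE_IIS_LOG)` against your own web.config text and log files; any static key should be rotated to a freshly generated value regardless of whether it matches the known-public list.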
