IIS servers owned by RudePanda like it's 2003

Oct. 22, 2025, 8:20 p.m.

Description

A new malicious IIS module called 'HijackServer' has been detected compromising IIS servers by exploiting exposed ASP.NET machine keys. The attackers use a customized rootkit and ready-made tools to gain persistent access. While the operation is primarily aimed at search engine optimization (SEO) for cryptocurrency scams, the module also allows unauthenticated remote command execution on affected servers. Hundreds of servers worldwide have been compromised. The operation shows determination and capability, though it possibly relies on low-skilled operators. Because that command execution requires no authentication, a compromised server is left open to exploitation by any third party, whether for espionage or for building out malicious infrastructure.

Date

  • Created: Oct. 22, 2025, 7:02 p.m.
  • Published: Oct. 22, 2025, 7:02 p.m.
  • Modified: Oct. 22, 2025, 8:20 p.m.

Indicators

  • fc16cb7949b0eb8f3ffa329bef753ee21440638c1ec0218c1e815ba49d7646bb
  • ed2c4429cf27e19aa6881d86bc5b42c21470525564fc53be688b9b26c83db766
  • e6a9bf90accf17355a1f779d480a38838b2bbb2877cde095c7c139e041c50d71
  • f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1
  • e3bfd9aca49726556f6279aad2ab54ca9c1f0df22bcad27aa7e1ba3234f8eaff
  • c348996e27fc14e3dce8a2a476d22e52c6b97bf24dd9ed165890caf88154edd2
  • e107bf25abc1cff515b816a5d75530ed4d351fa889078e547d7381b475fe2850
  • c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2
  • af05f1b780a14583887857cb87d697d985ce172abb1d57e4108cac5e5aaca136
  • bd2de6ca6c561cec1c1c525e7853f6f73bf6f2406198cd104ecb2ad00859f7d3
  • a96e1643dedd472e5712282904110ee948592fab722dc87d8f1e7658d3d8449d
  • 915441b7d7ddb7d885ecfe75b11eed512079b49875fc288cd65b023ce1e05964
  • a8498295ec3557f1bf680a432acf415abf108405063f44d78974a4f27c27dd20
  • 913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc
  • 88fd3c428493d5f7d47a468df985c5010c02d71c647ff5474214a8f03d213268
  • 8ed76396e11d1c268b6a80def8b57abacf4ea1ac059838bd858c8587c26b849c
  • 83620389548516c74b40f9067ca20b7cc641a243c419d76ab2da87f8fd38e81c
  • 82a1f8abffbd469e231eec5e0ac7e01eb6a83cbeb7e09eb8629bc5cc8ef12899
  • 82b7f077021df9dc2cf1db802ed48e0dec8f6fa39a34e3f2ade2f0b63a1b5788
  • 7cc8b4206e87788b8403500f37bb8b5cfb71d3c26d49365ccc9c36b688c7428a
  • 7260f09e95353781f2bebf722a2f83c500145c17cf145d7bda0e4f83aafd4d20
  • 7a10207a430234b448f692a534cea16d400858c5fdda014c786fbf97127dce88
  • 665234a6627269ba0b3816a6a29ede4fc72d36f34978f5ba1410e63d968d3d62
  • 64d0a4703ec976b0e0db4e193b9ccdf4ef6f34d24c32274579ee028a67bfa3a9
  • 5113d2da6cd9f4a4a9123a3547b01250659dcc349c36159ee11b93805ce51105
  • 4e24349b61c5af60a5e7f543c86963087ca6d6078378f83c8fe55b36dc6331f4
  • 4c6703c7435759dbe0c889474a5fae4ca86e491ca45887a0dae3fcd4649e79c5
  • 13ebf6422fe07392c886c960fafb90ef1ba3561f00eedb121a136e7f6c29c9ee
  • 0d07b8485145e0ea6789570b9ab476d8e1604110a9c45c9c753ef7bc5edfd539
  • wseo88.com
  • wseo99.com
  • lseo99.com
  • jseo99.com
  • fseo88.com
  • cseo88.com
  • aseo88.com
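
The following triage script is an added example for this entry; it is not code from the report or from the researchers who analysed HijackServer. It assumes that IIS keeps its native module registry in applicationHost.config under <globalModules>, that Microsoft's own native modules live under %windir%\System32\inetsrv, and that a SHA-256 match against the indicator list above is a positive. It flags every native module loaded from outside inetsrv, checks module hashes against the indicator list, and sweeps DNS/proxy log lines for the SEO domains (including subdomains, while rejecting look-alike suffixes). The sample config, the module name HttpHelper and its path, the module hashes and the log lines are all constructed for the demonstration.

```python
"""Offline triage for the HijackServer IIS-module indicators.

Added example, not code from the report. Assumptions: IIS keeps its native
module registry in applicationHost.config under <globalModules>; Microsoft's
own native modules live under %windir%\\System32\\inetsrv; any module image
outside that directory deserves a look; a SHA-256 hit against the indicator
list is a positive. All sample data below is constructed.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Subset of the SHA-256 indicators listed above; paste in the full list for a real sweep.
IOC_SHA256 = {
    "fc16cb7949b0eb8f3ffa329bef753ee21440638c1ec0218c1e815ba49d7646bb",
    "ed2c4429cf27e19aa6881d86bc5b42c21470525564fc53be688b9b26c83db766",
    "e6a9bf90accf17355a1f779d480a38838b2bbb2877cde095c7c139e041c50d71",
    "0d07b8485145e0ea6789570b9ab476d8e1604110a9c45c9c753ef7bc5edfd539",
}
# The SEO domains from the indicator list above.
IOC_DOMAINS = {
    "wseo88.com", "wseo99.com", "lseo99.com", "jseo99.com",
    "fseo88.com", "cseo88.com", "aseo88.com",
}
# Where Microsoft's own native modules live (lower-cased, backslash paths).
INETSRV_PREFIXES = ("%windir%\\system32\\inetsrv\\", "c:\\windows\\system32\\inetsrv\\")


def sha256_file(path):
    """SHA-256 of a file on disk; use this as hash_lookup on a live host."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def is_unexpected_image(image):
    """True when a native module is loaded from outside the inetsrv directory."""
    norm = image.replace("/", "\\").lower()
    return not norm.startswith(INETSRV_PREFIXES)


def triage_modules(config_xml, hash_lookup):
    """Inspect every <add> under <globalModules> in applicationHost.config.

    hash_lookup(image) returns a SHA-256 hex digest or None (sha256_file on a
    live host, a dict lookup in the demo). Returns one dict per module, in
    config order, so nothing is silently skipped.
    """
    root = ET.fromstring(config_xml)
    global_modules = root.find(".//globalModules")
    findings = []
    for add in ([] if global_modules is None else global_modules.findall("add")):
        image = add.get("image", "")
        digest = hash_lookup(image)
        findings.append({
            "name": add.get("name"),
            "image": image,
            "unexpected_path": is_unexpected_image(image),
            "ioc_match": digest is not None and digest.lower() in IOC_SHA256,
        })
    return findings


# Crude hostname extractor for free-form DNS/proxy log lines.
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)


def match_domains(lines):
    """Return (line_number, host) for each host equal to, or a subdomain of,
    an IOC domain. A look-alike such as notwseo88.com must not match."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((n, h))
    return hits


# Constructed sample: two Microsoft modules plus one loaded from an odd path.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
      <add name="RewriteModule" image="C:\Windows\System32\inetsrv\rewrite.dll" />
      <add name="HttpHelper" image="C:\inetpub\temp\httphelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed hashes: the odd-path module is assigned one of the IOC digests.
SAMPLE_HASHES = {
    r"C:\inetpub\temp\httphelper.dll": "0d07b8485145e0ea6789570b9ab476d8e1604110a9c45c9c753ef7bc5edfd539",
}

# Constructed DNS/proxy log lines; the last one exercises the suffix boundary.
SAMPLE_LOG = [
    "2025-10-20T10:01:02Z dns client=10.0.0.5 query=A name=update.microsoft.com",
    "2025-10-20T10:01:09Z dns client=10.0.0.5 query=A name=cdn.wseo88.com",
    "2025-10-20T10:02:11Z proxy src=10.0.0.9 url=http://jseo99.com/index.php?q=btc",
    "2025-10-20T10:02:15Z dns client=10.0.0.5 query=A name=notwseo88.com",
]

if __name__ == "__main__":
    for f in triage_modules(SAMPLE_CONFIG, SAMPLE_HASHES.get):
        if f["unexpected_path"] or f["ioc_match"]:
            print("REVIEW", f)
    for n, host in match_domains(SAMPLE_LOG):
        print(f"IOC domain hit on line {n}: {host}")
```

On a live host, read applicationHost.config from %windir%\System32\inetsrv\config, pass sha256_file as the hash lookup, and treat an unexpected path as worth a look even without a hash hit: a rebuilt module will not match a published digest, but a native module outside inetsrv is still unusual on a stock IIS box.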

Attack Patterns

  • WingtbCLI
  • HijackDriverManager
  • HijackServer
  • RudePanda