Q1 2026 malware statistics report for Windows web servers

April 14, 2026, 9:20 a.m.

Description

Analysis of attacks on Windows web servers during Q1 2026 shows that Internet Information Services (IIS) and Apache Tomcat servers continue to face persistent threats through web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escalation tools such as JuicyPotato and BadPotato and exploiting CVE-2019-1458. After escalating privileges, the attackers use port-forwarding tools such as HTran and PortTranC to redirect traffic to RDP port 3389, giving them remote control of the compromised systems. Observed attack vectors include file upload vulnerabilities, web framework and WAS (web application server) vulnerabilities, and unpatched services exposed to remote code execution (RCE). Further malicious activity involves the deployment of backdoors, CoinMiners, and proxy tools used to compromise the internal network.

Date

  • Created: April 14, 2026, 8:53 a.m.
  • Published: April 14, 2026, 8:53 a.m.
  • Modified: April 14, 2026, 9:20 a.m.

Indicators

  • aa0db29e00c33ba522540485b545ca0da7d2a7e8186f54a8a4dabd9438884c1d

Attack Patterns

  • JuicyPotato
  • HTran
  • PortTranC
  • Jsprat
  • PrintSpoofer
  • BadPotato
  • Larva-26001

Linked vulnerabilities