Aman Mishra
2025-03-17 13:54:00
gbhackers.com
A recent discovery by Palo Alto Networks’ Unit 42 has shed light on sophisticated malware targeting Internet Information Services (IIS) servers.
This malware, developed in C++/CLI, a rare choice for malware authors, has been designed to mimic the behavior of cmd.exe to evade detection.
The malware operates as a passive backdoor, integrating itself into the IIS server by registering for HTTP response events.
It filters incoming HTTP requests for specific headers, which are used to execute commands.
Commands and data are encrypted with AES and then Base64-encoded, which hides the command traffic from casual inspection and complicates analysis.
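The header-carried, AES-then-Base64 command channel described above is something a defender can hunt for in proxy or IIS request logs. The script below is an added example, not code from the article or from Unit 42; the header names, client addresses and the 32-byte blob are constructed, and the real header names used by the malware are not disclosed in the report. It flags any request header whose value is valid Base64 that decodes to something shaped like raw AES output: a multiple of 16 bytes, mostly non-printable and high-entropy.

```python
import base64
import binascii
import math
import re
from typing import Dict, List, Tuple

# Strict Base64 token: standard alphabet, at least 16 chars, optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
AES_BLOCK = 16

# Constructed 32-byte blob standing in for two AES-CBC ciphertext blocks.
# Random-looking test data; nothing here is taken from the real samples.
FAKE_CIPHERTEXT = bytes.fromhex(
    "9f03a1fc1e8dcb0a" "e7b2c49d1183f6a5" "0cd8e94b7fa2c31b" "f58e06d2b9c0e41a"
)
FAKE_TOKEN = base64.b64encode(FAKE_CIPHERTEXT).decode()

# Constructed sample requests. "X-Cmd-Data" is a hypothetical header name;
# the report does not publish the headers the malware actually filters on.
SAMPLE_REQUESTS: List[Dict[str, object]] = [
    {"ip": "198.51.100.7", "headers": {
        "Host": "www.example.test", "User-Agent": "Mozilla/5.0", "Accept": "text/html"}},
    {"ip": "198.51.100.8", "headers": {
        "Host": "www.example.test", "User-Agent": "curl/8.4.0",
        "Authorization": "Basic " + base64.b64encode(b"alice:password").decode()}},
    {"ip": "203.0.113.9", "headers": {
        "Host": "www.example.test", "User-Agent": "curl/8.4.0", "X-Cmd-Data": FAKE_TOKEN}},
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_aes_blob(token: str) -> bool:
    """True when a header token decodes to bytes shaped like raw AES output."""
    if not B64_TOKEN.match(token):
        return False
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Raw block-cipher output is always a whole number of 16-byte blocks.
    if len(raw) < AES_BLOCK or len(raw) % AES_BLOCK:
        return False
    printable = sum(0x20 <= b <= 0x7E for b in raw) / len(raw)
    # Normalise entropy by the maximum a blob this short could reach, so short
    # ciphertexts are not penalised against the 8-bit theoretical ceiling.
    max_entropy = math.log2(min(len(raw), 256))
    return printable < 0.6 and shannon_entropy(raw) / max_entropy > 0.8


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Names of headers carrying at least one ciphertext-like token."""
    hits = []
    for name, value in headers.items():
        # Split on whitespace so scheme prefixes such as "Basic <token>" are handled.
        if any(looks_like_aes_blob(tok) for tok in value.split()):
            hits.append(name)
    return hits


def scan(requests: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(client ip, header name) pairs worth a closer look."""
    return [(str(r["ip"]), h) for r in requests
            for h in suspicious_headers(r["headers"])]  # type: ignore[arg-type]


if __name__ == "__main__":
    for ip, header in scan(SAMPLE_REQUESTS):
        print(f"ciphertext-like value in header {header!r} from {ip}")
```

Opaque tokens in standard headers (random session cookies, bearer tokens) trip the same heuristic, so in practice the signal is a hit in a header name the application never uses, established by baselining per site, rather than any hit at all.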
Technical Analysis
The malware has two versions, both of which were uploaded to VirusTotal from Thailand.
The newer version, compiled on May 9, 2023, employs a custom cmd.exe wrapper tool to execute commands, reducing the visibility of its activities by avoiding direct cmd.exe invocation from the IIS process.
This wrapper application is embedded within the malware and communicates via a named pipe, allowing it to redirect command-line commands from the command and control (C2) server and return results.
The malware supports a range of commands, including file management, process execution, and system information retrieval.
According to the report, the malware also patches AMSI and ETW routines to evade detection by security software.
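The wrapper-and-named-pipe design in the preceding paragraphs still leaves traces in endpoint telemetry even though cmd.exe is never a direct child of the IIS worker process. The script below is an added example, not from the article, Unit 42 or any product; it runs over constructed Sysmon-style records (Event ID 1 process creation and Event ID 17 pipe creation) whose image paths, pipe name, process GUIDs and child-process allowlist are hypothetical placeholders, not indicators from the real samples. It reconstructs the w3wp.exe process tree and flags an unexpected child of w3wp.exe, a named pipe created by any w3wp.exe descendant, and a shell spawned anywhere below w3wp.exe.

```python
import ntpath
from typing import Dict, Iterator, List, Tuple

W3WP = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Hypothetical baseline of what w3wp.exe normally spawns (ASP.NET dynamic
# compilation); derive the real list from your own servers.
KNOWN_W3WP_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}

W3WP_PATH = r"C:\Windows\System32\inetsrv\w3wp.exe"
WRAPPER_PATH = r"C:\inetpub\temp\hypothetical_wrapper.exe"  # placeholder, not an IoC

# Constructed Sysmon-style records. GUIDs, the wrapper path and the pipe
# name are placeholders, not indicators from the real samples.
EVENTS: List[dict] = [
    {"EventID": 1, "ProcessGuid": "{guid-w3wp}", "ParentProcessGuid": "{guid-svchost}",
     "Image": W3WP_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-csc}", "ParentProcessGuid": "{guid-w3wp}",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": W3WP_PATH},
    {"EventID": 1, "ProcessGuid": "{guid-wrapper}", "ParentProcessGuid": "{guid-w3wp}",
     "Image": WRAPPER_PATH, "ParentImage": W3WP_PATH},
    {"EventID": 17, "ProcessGuid": "{guid-wrapper}", "Image": WRAPPER_PATH,
     "PipeName": r"\hypothetical_pipe"},
    {"EventID": 1, "ProcessGuid": "{guid-cmd}", "ParentProcessGuid": "{guid-wrapper}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WRAPPER_PATH},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def hunt(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, ProcessGuid) findings for w3wp.exe lineage anomalies."""
    procs: Dict[str, dict] = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}

    def ancestors(guid: str) -> Iterator[dict]:
        # Walk ParentProcessGuid links; the seen-set guards against cycles
        # in incomplete or GUID-reused telemetry.
        seen = set()
        while guid in procs and guid not in seen:
            seen.add(guid)
            guid = procs[guid]["ParentProcessGuid"]
            if guid in procs:
                yield procs[guid]

    def under_w3wp(guid: str) -> bool:
        return any(basename(p["Image"]) == W3WP for p in ancestors(guid))

    findings: List[Tuple[str, str]] = []
    for e in events:
        image = basename(e["Image"])
        if e["EventID"] == 1:
            if basename(e["ParentImage"]) == W3WP and image not in KNOWN_W3WP_CHILDREN:
                findings.append(("unexpected-w3wp-child", e["ProcessGuid"]))
            # Catches the shell even when an intermediate wrapper hides it
            # from a simple parent == w3wp.exe rule.
            if image in SHELLS and under_w3wp(e["ProcessGuid"]):
                findings.append(("shell-under-w3wp", e["ProcessGuid"]))
        elif e["EventID"] == 17 and image != W3WP and under_w3wp(e["ProcessGuid"]):
            findings.append(("pipe-from-w3wp-descendant", e["ProcessGuid"]))
    return findings


if __name__ == "__main__":
    for rule, guid in hunt(EVENTS):
        print(f"{rule}: {guid}")
```

The three rules are deliberately independent: a wrapper that never spawned a shell would still be caught by the unexpected-child and pipe rules, and a shell reached through several layers of intermediaries is still caught by the lineage walk.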
The use of C++/CLI for this malware is notable due to its rarity in the malware landscape.
This choice likely stems from the language’s ability to combine managed and unmanaged code, making analysis more challenging.
The malware’s sophistication and targeted nature suggest it may have been used in specific attacks, although attribution to a known threat actor remains elusive.
Detection and Protection
Palo Alto Networks’ Advanced WildFire and Cortex XDR/XSIAM solutions offer enhanced protection against this malware by leveraging memory analysis and behavioral threat protection.
These tools can identify and block both known and unknown malware, providing a robust defense mechanism against such sophisticated threats.
As the cybersecurity landscape continues to evolve, staying informed about emerging threats and employing advanced security solutions is crucial for organizations seeking to protect their infrastructure.