NET-STAR Backdoor Exploits IIS Modules for Persistent Access
Threat Group – Phantom Taurus (China-linked APT)
Threat Type – In-process web server backdoor for IIS (.NET managed and native module tradecraft)
Exploited Vulnerabilities – ViewState abuse via compromised ASP.NET machineKey, insecure file write to application bin directory, misconfigured IIS extensibility, weak CI/CD controls, stolen deployment credentials (no CVEs assigned at time of writing)
Malware Used – NET-STAR (designation) with behaviors consistent with modern IIS implants
Threat Score – 6.6 🟠 Elevated — Provisional. Elevated due to credible overlap with current IIS in-process backdoor tradecraft
Last Threat Observation – 1 October 2025
Overview
NET-STAR is a modular .NET malware suite developed by the Phantom Taurus APT, a China-linked espionage group targeting government and enterprise infrastructure worldwide. NET-STAR executes inside IIS worker processes (w3wp.exe), allowing it to intercept HTTP requests, exfiltrate credentials, and persist stealthily as a trusted module.
Its toolkit includes:
- IIServerCore – modular IIS backdoor with encrypted C2 and timestomping.
- AssemblyExecuter V1 – loader executing .NET payloads directly in memory.
- AssemblyExecuter V2 – improved loader with AMSI bypass and ETW suppression.
This design makes NET-STAR a high-risk backdoor, capable of covert persistence, long-term espionage, and bypassing many traditional defenses.
Threat Overview and Contextual Analysis
Why in-process IIS backdoors matter
| Property | What it means in IIS | Operational risk |
|---|---|---|
| High-privilege context | Inherits Application Pool Identity; broad read/execute over app code and configs | Credential/secret exposure, DB access, lateral movement |
| Stealth & persistence | Registered as module/handler in web.config or applicationHost.config; survives recycles/reboots | Long dwell time; blends with legitimate modules |
| On-path interception | Hooks early pipeline events (BeginRequest, AuthenticateRequest, SendResponse) | Exfiltrates cookies, POST bodies, tokens before app logic/WAF normalization |
| Covert C2 | Activates on secret markers (header/cookie/query); uses normal HTTP(S) flows | Low-signal network artifacts |
Actor hypothesis: Your research suggests a China-nexus APT linkage. As of the publication date, this remains unverified, but the tradecraft overlaps strongly with 2025 reporting on IIS implants and machineKey/ViewState exploitation. Defenders should prioritize controls and hunts irrespective of the specific name.
Architecture and Injection Points inside IIS
| Injection layer | Typical file(s) | Registration locus | Install requirements | Notes for hunters |
|---|---|---|---|---|
| Native IIS module (C/C++) | .dll (global module) | applicationHost.config | Admin rights | High-performance and inconspicuous; audit for new global modules and unusual file locations |
| Managed IIS module (C#/.NET) | Assembly under \site\bin\ | web.config <system.webServer> | Write access to site root | Common post-RCE persistence; diff unexpected assemblies and config edits |
| Custom handler | Assembly + handler mapping | web.config <handlers> | As above | Intercepts selected routes/verbs |
| ViewState RCE | No new file required | Existing Web Forms pipeline | Valid machineKey | In-memory execution; zero disk touch; depends on key hygiene |
Exploitation Vectors
Compromising trust: credentials, CI/CD, supply chain
| Vector | Weakness exploited | Practical impact | Controls to apply |
|---|---|---|---|
| Stolen deployment creds | Password reuse, lack of MFA, exposed management | Direct module drop or global install | Enforce MFA, IP-restrict admin endpoints, rotate/vault secrets |
| CI/CD artifact poisoning | Unprotected branches, unsigned builds, persistent runners | Malicious DLL shipped as “legit” package | Immutable, signed artifacts; PR reviews; ephemeral runners |
| Insecure filesystem ACLs | App pool can write to code paths | Durable module/handler persistence | Enforce RX-only on code; scoped RW only where required |
machineKey abuse | Static/leaked keys | In-memory ViewState RCE | Rotate keys; remove static keys where possible; monitor ViewState anomalies |
ViewState/machineKey abuse in practice
Attackers who obtain valid ValidationKey/DecryptionKey can craft a malicious ViewState that passes MAC verification and decryption, causing the runtime to deserialize and execute attacker-controlled objects inside w3wp.exe. Because the payload is cryptographically valid, perimeter controls rarely flag it; host-based telemetry and key hygiene are essential.
Persistence, C2, and Evasion
| Stage | Behaviour | Analyst notes |
|---|---|---|
| Dormant | Idle until marker observed | Marker usually a distinctive header/cookie/query token pattern |
| Trigger | Parses encoded/encrypted command blob | Often Base64/JSON-like structure |
| Execute | In-memory actions; may attempt child process | Any w3wp.exe → cmd.exe/powershell.exe spawn is high-severity |
| C2 | HTTPS polling or tasking blended with normal traffic | Profile first-seen egress from w3wp.exe and periodicity |
Counter-EDR tactics: In-memory AMSI/ETW bypass and reflective assembly loads are common. Plan for memory inspection and assembly enumeration rather than signature-only detection.
Detection Engineering
File & configuration integrity
- FIM on app roots,
bin\,web.config,%windir%\System32\inetsrv\config\applicationHost.config. - Alert on adds/edits outside approved deployment windows and on unknown module/handler registrations.
Process and memory
- Baseline
w3wp.exebehaviour:- Alert on child processes (
cmd.exe,powershell.exe,rundll32.exe,wmic.exe). - Enumerate CLR AppDomains/assemblies; flag modules with no matching on-disk image or missing signatures.
- Detect RWX pages and reflective loads in
w3wp.exe.
- Alert on child processes (
Network & HTTP
- NDR to score periodic POSTs/unusual egress from
w3wp.exe; incorporate JA3 novelty and User-Agent anomalies. - WAF rules for oversized/structured headers and long, repetitive cookies often used as covert command carriers.
Example hunt ideas (tool-agnostic)
- New DLL in site bin: file-create in
\bin\*.dlloutside deployment window. - Config edit + egress:
web.configor global modules edited within 30 minutes preceding first-seen outbound fromw3wp.exe. - Assembly inventory drift: AppDomain assembly list changes without a correlated deployment.
Mitigation and Prevention
Immediate containment (suspected NET-STAR)
- Isolate the host or block outbound from
w3wp.exewhile preserving access for forensics. - Capture memory and dump
w3wp.exemodules/strings; enumerate CLR assemblies. - Collect IIS logs,
web.config/applicationHost.config, fullbin\contents, Scheduled Tasks, Services. - Rotate all reachable credentials/secrets including app pool identities, service accounts, connection strings, API keys, and
machineKey. - Rebuild from signed, known-good artifacts onto a fresh server; avoid in-place “repairs” on a suspected persistent host.
Filesystem ACLs (engineer checklist)
| Path scope | Principal | Required permission | Rationale |
|---|---|---|---|
App root & bin\ | IIS AppPool\<AppPoolName> | Read & Execute (RX) only | Blocks DLL drop/modify persistence |
App root & bin\ | Users / Everyone | Remove/Deny Write/Modify | Eliminates inherited write paths |
| Upload/Log/Temp dirs | IIS AppPool\<AppPoolName> | RW only on these dirs | Granular write where required |
Apply with icacls/PowerShell per site identity; avoid permissive group inheritance.Secret management & machineKey hygiene
- Do not use static keys sourced from docs/samples.
- Rotate ValidationKey/DecryptionKey across farms with strong secrets; for single servers, prefer no explicit
machineKeyto leverage secure local generation. - Encrypt sensitive
web.configsections (e.g.,connectionStrings). - Monitor ViewState size/entropy trends; disable legacy deserialization features not in use.
CI/CD and deployment controls
- MFA enforced for SCM, build, deploy, bastion/RDP, Web Deploy, and PowerShell Remoting.
- Immutable, signed artifacts only; verify signatures at deploy time.
- Protected branches with mandatory review; policy gates for SAST/DAST/secret scans.
- Ephemeral build runners; short-lived scoped tokens; rotate and revoke on suspicion.
Baseline IIS hardening
- Remove unused global modules; maintain an allow-list of expected module names/hashes internally.
- Restrict remote management interfaces to admin networks/bastions; log and alert on remote config changes.
- Keep Windows/IIS/.NET fully patched and apply vendor hardening baselines.
Mitigation Checklist for NET-STAR IIS Backdoor
Organisations can use this table as a structured self-audit tool to confirm they have addressed the key hardening, detection, and recovery controls needed to defend against NET-STAR-class IIS implants.
| Control Area | Mitigation Action | Status (☑ / ☐) | Owner / Team | Notes |
|---|---|---|---|---|
| Filesystem Permissions | Enforce Read & Execute only for Application Pool identities on code paths (bin\, app root). | ☐ | Prevents DLL persistence. | |
Remove/Deny Write for Users / Everyone on code directories. | ☐ | Eliminates inherited write access. | ||
| Restrict RW to upload, log, or temp folders only. | ☐ | Ensures app functionality without broad write. | ||
| Cryptographic Secrets | Audit and rotate all machineKey values. | ☐ | Prevent ViewState deserialization RCE. | |
| Remove static/hardcoded machineKeys from single-server apps. | ☐ | Forces secure auto-generation. | ||
Encrypt sensitive web.config sections (e.g., connectionStrings). | ☐ | Protects secrets at rest. | ||
| Deployment & CI/CD | Enforce MFA on SCM, build, deployment portals, RDP/PowerShell. | ☐ | Prevents credential-only compromise. | |
| Require signed, immutable artifacts in deployment. | ☐ | Blocks unsigned/malicious assemblies. | ||
| Apply branch protection and mandatory review policies. | ☐ | Stops unauthorised code injection. | ||
| Use ephemeral build runners and scoped tokens. | ☐ | Limits supply-chain persistence. | ||
| Monitoring & Detection | Enable File Integrity Monitoring (FIM) on web.config, applicationHost.config, bin\. | ☐ | Detects module injection attempts. | |
Configure EDR to flag w3wp.exe spawning child processes. | ☐ | Signals in-process code execution. | ||
Enumerate and alert on CLR assemblies in w3wp.exe with no matching disk image. | ☐ | Detects reflective/in-memory loads. | ||
| Tune NDR/WAF to detect abnormal headers, long cookies, and low-reputation outbound HTTPS. | ☐ | Surfaces covert C2. | ||
| Response & Recovery | Establish playbook for memory capture and artifact collection on IIS servers. | ☐ | Enables timely forensic investigation. | |
| Define process for full secret rotation (credentials, tokens, keys) if compromise suspected. | ☐ | Ensures containment. | ||
| Rebuild from clean hosts only using signed artifacts after suspected backdoor. | ☐ | Prevents persistence migration. |
This checklist doubles as a gap analysis worksheet for security teams, with clear columns for tracking ownership, current status, and action notes. It’s designed to be simple enough for operational teams to use in audits, while detailed enough for SOC and engineering staff to validate their controls.
Known Indicators of Compromise (IoCs)
FileHash-MD5
- 0867745cbc4568e97d050b905a4caa0b
- 5b458c03029de4833dd1f0c10ff66633
- 9b71ae4ce0a9560840ee734e88d22db5
FileHash-SHA1
- 16b7f439f516cd0ff3ae6945331e1ba20a849aba
- 51a4728ddfc67b8ec12d24475a4e50a5ed60dd84
- fb3b2ce44dcecef37ef23fbfe3860e5674229f76
FileHash-SHA256
- 3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4
- afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e
- b76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038
- eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc
Risk Assessment
| Factor | Rating | Justification |
|---|---|---|
| Scope of impact | High | In-process interception enables theft of tokens, credentials, PII and response manipulation |
| Actor sophistication | High (provisional) | Tradecraft overlaps with contemporary IIS module and ViewState exploitation operations |
| Detection difficulty | Moderate–High | Reflective loads, config blending, covert HTTPS tasking |
| Remediation complexity | High | Requires memory forensics, full credential/secret rotation, clean rebuild |
| Overall score | 6.6 🟠 Elevated | Uplifted for credible tradecraft overlap; provisional until NET-STAR IoCs are vendor-verified |
Conclusion
NET-STAR reflects the present-day IIS implant problem set: stealthy, modular, and powerful once inside w3wp.exe. Even without named IoCs, defenders can materially reduce risk by locking down filesystem permissions, securing cryptographic keys, instrumenting deep memory/HTTP telemetry, and hardening CI/CD. Treat in-process web tier compromise as a high-impact scenario and execute the containment and rebuild plan rather than relying on signature-only detection.
Sources
Microsoft Security Blog – Malicious IIS extensions quietly open persistent backdoors into servers – https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
The Hacker News - Phantom Taurus: New China-Linked Hacker Group Hits Governments With Stealth Malware - https://thehackernews.com/2025/09/phantom-taurus-new-china-linked-hacker.html
Cyber Press - NET-STAR Malware Delivered by New Chinese Nexus APT in Widespread Attacks - https://cyberpress.org/net-star-malware/
Microsoft Security Blog – Code injection attacks using publicly disclosed ASP.NET machine keys – https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/
OTX AlienVaul - Indicators of Compromise - https://otx.alienvault.com/pulse/68dc119747c51064f96051fc