NET-STAR Backdoor Exploits IIS Modules for Persistent Access

Threat Group – Phantom Taurus (China-linked APT)
Threat Type – In-process web server backdoor for IIS (.NET managed and native module tradecraft)
Exploited Vulnerabilities – ViewState abuse via compromised ASP.NET machineKey, insecure file write to application bin directory, misconfigured IIS extensibility, weak CI/CD controls, stolen deployment credentials (no CVEs assigned at time of writing)
Malware Used – NET-STAR (designation) with behaviors consistent with modern IIS implants
Threat Score – 6.6 🟠 Elevated (provisional). Uplifted for credible overlap with current IIS in-process backdoor tradecraft
Last Threat Observation – 1 October 2025


Overview

NET-STAR is a modular .NET malware suite developed by the Phantom Taurus APT, a China-linked espionage group targeting government and enterprise infrastructure worldwide. NET-STAR executes inside IIS worker processes (w3wp.exe), allowing it to intercept HTTP requests, exfiltrate credentials, and persist stealthily as a trusted module.

Its toolkit includes:

  • IIServerCore – modular IIS backdoor with encrypted C2 and timestomping.
  • AssemblyExecuter V1 – loader executing .NET payloads directly in memory.
  • AssemblyExecuter V2 – improved loader with AMSI bypass and ETW suppression.

This design makes NET-STAR a high-risk backdoor, capable of covert persistence, long-term espionage, and bypassing many traditional defenses.


Threat Overview and Contextual Analysis

Why in-process IIS backdoors matter

Property | What it means in IIS | Operational risk
High-privilege context | Inherits the Application Pool identity; broad read/execute over app code and configs | Credential/secret exposure, DB access, lateral movement
Stealth & persistence | Registered as a module/handler in web.config or applicationHost.config; survives recycles/reboots | Long dwell time; blends with legitimate modules
On-path interception | Hooks pipeline events on the way in (BeginRequest, AuthenticateRequest) and out (SendResponse) | Reads cookies, POST bodies and tokens before application code or any in-process filtering module runs; can rewrite responses
Covert C2 | Activates on secret markers (header/cookie/query); uses normal HTTP(S) flows | Low-signal network artifacts

Actor hypothesis: the public reporting listed under Sources links NET-STAR to Phantom Taurus, a China-nexus group. The NET-STAR samples themselves had not been independently verified at publication, but the tradecraft overlaps strongly with 2025 reporting on IIS implants and machineKey/ViewState exploitation. Defenders should prioritize the controls and hunts below irrespective of the attribution.


Architecture and Injection Points inside IIS

Injection layer | Typical file(s) | Registration locus | Install requirements | Notes for hunters
Native IIS module (C/C++) | .dll (global module) | applicationHost.config <globalModules> | Admin rights | High-performance and inconspicuous; audit for new global modules and image paths outside inetsrv
Managed IIS module (C#/.NET) | Assembly under \site\bin\ | web.config <system.webServer><modules> | Write access to site root | Common post-RCE persistence; diff unexpected assemblies and config edits
Custom handler | Assembly + handler mapping | web.config <system.webServer><handlers> | As above | Intercepts selected routes/verbs
ViewState RCE | No new file required | Existing Web Forms pipeline | Valid machineKey | In-memory execution; zero disk touch; depends on key hygiene
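The two registration loci in the table are also the two places a hunter should diff against a deployment baseline. The following is an added example, not code from the NET-STAR reporting or any vendor tool: it parses constructed applicationHost.config and web.config fragments with Python's standard XML parser and reports every global module, managed module and handler that is not on an allow-list, plus native module images that live outside inetsrv. The allow-list names and the sample configs are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <globalModules> section of applicationHost.config with one
# native module that is not part of the baseline and is loaded from outside inetsrv.
APPLICATION_HOST_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="TelemetryHelper" image="C:\\Windows\\Temp\\telhlp.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed sample: a site web.config carrying one unexpected managed module
# and one unexpected handler mapping.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <modules>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <add name="HealthProbe" type="Contoso.Ops.HealthProbeModule, Contoso.Ops" />
    </modules>
    <handlers>
      <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="*"
           type="System.Web.UI.PageHandlerFactory" />
      <add name="StaticSync" path="sync.ashx" verb="POST" type="Sync.Handler, Sync" />
    </handlers>
  </system.webServer>
</configuration>"""

# Assumed deployment baseline for this site (hypothetical names, not a vendor list).
ALLOWED_GLOBAL_MODULES = {"HttpLoggingModule", "RequestFilteringModule"}
ALLOWED_MANAGED_MODULES = {"FormsAuthentication"}
ALLOWED_HANDLERS = {"PageHandlerFactory-Integrated"}
# Native module images are expected under inetsrv; any other path is worth a look.
EXPECTED_IMAGE_PREFIX = "%windir%\\System32\\inetsrv\\"


def _adds(root, section):
    """Return the <add> children of every <section> element (e.g. globalModules)."""
    return [add for node in root.iter(section) for add in node.findall("add")]


def audit_global_modules(xml_text):
    """Findings for applicationHost.config <globalModules>: (section, name, reason)."""
    findings = []
    for add in _adds(ET.fromstring(xml_text), "globalModules"):
        name, image = add.get("name", ""), add.get("image", "")
        if name not in ALLOWED_GLOBAL_MODULES:
            findings.append(("globalModules", name, "not on allow-list"))
        if not image.startswith(EXPECTED_IMAGE_PREFIX):
            findings.append(("globalModules", name, "unusual image path: " + image))
    return findings


def audit_site_config(xml_text):
    """Findings for web.config <system.webServer> <modules> and <handlers>."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in _adds(root, "modules"):
        if add.get("name") not in ALLOWED_MANAGED_MODULES:
            findings.append(("modules", add.get("name"), "type=" + add.get("type", "")))
    for add in _adds(root, "handlers"):
        if add.get("name") not in ALLOWED_HANDLERS:
            findings.append(("handlers", add.get("name"),
                             "path=%s verb=%s type=%s" % (add.get("path"), add.get("verb"), add.get("type"))))
    return findings


if __name__ == "__main__":
    for section, name, reason in audit_global_modules(APPLICATION_HOST_CONFIG) + audit_site_config(WEB_CONFIG):
        print("%-13s %-28s %s" % (section, name, reason))
```

In production the baseline would come from the deployment pipeline (the manifest of what was shipped) rather than a hand-maintained set, and the same diff should run on every config change event, not on a schedule.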

Exploitation Vectors

Compromising trust: credentials, CI/CD, supply chain

Vector | Weakness exploited | Practical impact | Controls to apply
Stolen deployment creds | Password reuse, lack of MFA, exposed management | Direct module drop or global install | Enforce MFA, IP-restrict admin endpoints, rotate/vault secrets
CI/CD artifact poisoning | Unprotected branches, unsigned builds, persistent runners | Malicious DLL shipped as a "legit" package | Immutable, signed artifacts; PR reviews; ephemeral runners
Insecure filesystem ACLs | App pool can write to code paths | Durable module/handler persistence | Enforce RX-only on code; scoped RW only where required
machineKey abuse | Static/leaked keys | In-memory ViewState RCE | Rotate keys; remove static keys where possible; monitor ViewState anomalies

ViewState/machineKey abuse in practice

Attackers who obtain a valid validationKey (and, where ViewState is encrypted, the decryptionKey) can craft a ViewState that passes MAC verification and decryption, so the runtime deserializes attacker-controlled objects inside w3wp.exe. No file is written and no module is registered. Because the payload is cryptographically valid, a WAF or proxy cannot distinguish it from a legitimate postback without the key; host-based telemetry (child processes, in-memory assemblies) and key hygiene are the controls that matter.


Persistence, C2, and Evasion

Stage | Behaviour | Analyst notes
Dormant | Idle until marker observed | Marker usually a distinctive header/cookie/query token pattern
Trigger | Parses encoded/encrypted command blob | Often Base64/JSON-like structure
Execute | In-memory actions; may attempt child process | Any w3wp.exe -> cmd.exe/powershell.exe spawn is high-severity
C2 | HTTPS polling or tasking blended with normal traffic | Profile first-seen egress from w3wp.exe and periodicity

Counter-EDR tactics: In-memory AMSI/ETW bypass and reflective assembly loads are common. Plan for memory inspection and assembly enumeration rather than signature-only detection.


Detection Engineering

File & configuration integrity

  • FIM on app roots, bin\, web.config, %windir%\System32\inetsrv\config\applicationHost.config.
  • Alert on adds/edits outside approved deployment windows and on unknown module/handler registrations.

Process and memory

  • Baseline w3wp.exe behaviour:
    • Alert on child processes (cmd.exe, powershell.exe, rundll32.exe, wmic.exe).
    • Enumerate CLR AppDomains/assemblies; flag modules with no matching on-disk image or missing signatures.
    • Detect RWX pages and reflective loads in w3wp.exe.

Network & HTTP

  • NDR to score periodic POSTs/unusual egress from w3wp.exe; incorporate JA3 novelty and User-Agent anomalies.
  • WAF rules for oversized/structured headers and long, repetitive cookies often used as covert command carriers.
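One way to turn the marker/blob behaviour from the tasking table and the WAF rule above into a scoring check. This is an added example, not a rule from the NET-STAR reporting or any WAF product: it scores a request's headers on three cheap signals (oversized header values, header names outside a baseline set, and cookie values that are long, Base64-shaped and high-entropy). The thresholds, the baseline header list and the two sample requests are constructed for illustration; the blob is generated deterministically so the example runs offline.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Thresholds are assumptions for this example; tune them against your own app's traffic.
MAX_HEADER_LEN = 2048      # larger than any header this app legitimately sends
SUSPECT_COOKIE_LEN = 512   # ASP.NET_SessionId is 24 chars; .ASPXAUTH is a few hundred
ENTROPY_THRESHOLD = 4.5    # bits/char; random Base64 approaches 6, English text ~4.1
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]+$")
# Baseline of header names this app expects; extend with what your proxies add.
STANDARD_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "accept-language",
                    "content-type", "content-length", "cookie", "referer", "connection"}


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_cookies(cookie_header):
    """Split a Cookie header into {name: value}; malformed pairs are skipped."""
    out = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def score_request(headers):
    """Score one request's headers; returns (score, reasons). Higher is more suspicious."""
    score, reasons = 0, []
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            score += 3
            reasons.append("oversized header %s (%d bytes)" % (name, len(value)))
        if name.lower() not in STANDARD_HEADERS:
            score += 1
            reasons.append("non-standard header %s" % name)
    for name, value in parse_cookies(headers.get("Cookie", "")).items():
        if len(value) >= SUSPECT_COOKIE_LEN and BASE64ISH.match(value):
            h = shannon_entropy(value)
            if h >= ENTROPY_THRESHOLD:
                score += 4
                reasons.append("encoded blob in cookie %s (%d bytes, %.2f bits/char)" % (name, len(value), h))
    return score, reasons


def _blob(nbytes):
    """Deterministic pseudo-random bytes so the constructed sample is reproducible offline."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(b"sample-%d" % i).digest()
        i += 1
    return base64.b64encode(out[:nbytes]).decode()


# Constructed samples: a normal Web Forms request and one carrying a command blob.
BENIGN_REQUEST = {
    "Host": "portal.example.test",
    "User-Agent": "Mozilla/5.0",
    "Cookie": "ASP.NET_SessionId=abcdefghijklmnopqrstuvwx; .ASPXAUTH=" + "A1" * 100,
}
SUSPECT_REQUEST = {
    "Host": "portal.example.test",
    "User-Agent": "Mozilla/5.0",
    "X-Correlation-Data": "A" * 2100,
    "Cookie": "ASP.NET_SessionId=abcdefghijklmnopqrstuvwx; __utmz=" + _blob(480),
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, score_request(req))
```

The cookie check deliberately combines length, charset and entropy: a long but low-entropy value (a repeated token) and a short high-entropy value (a normal session id) both pass, which keeps the rule from firing on ordinary ASP.NET cookies.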

Example hunt ideas (tool-agnostic)

  • New DLL in site bin: file-create in \bin\*.dll outside deployment window.
  • Config edit + egress: web.config or global modules edited within 30 minutes preceding first-seen outbound from w3wp.exe.
  • Assembly inventory drift: AppDomain assembly list changes without a correlated deployment.
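The three hunt ideas above, implemented over a constructed event stream. This is an added example, not from the NET-STAR reporting or any EDR product: events are flattened dicts of the kind a FIM, Sysmon or EDR export can be normalised into, and the deployment window, known-egress baseline, host paths and timeline are assumptions. "First-seen" egress is defined here as a destination absent from the supplied baseline.

```python
from datetime import datetime, timedelta

# Assumptions for this example: one approved change window and the egress this site
# is known to make (its SQL server and an internal API).
DEPLOY_WINDOW = (datetime(2025, 9, 30, 2, 0), datetime(2025, 9, 30, 3, 0))
KNOWN_EGRESS = {"10.0.5.20:1433", "10.0.5.30:443"}
CONFIG_FILES = ("web.config", "applicationhost.config")
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wmic.exe"}
CORRELATION_WINDOW = timedelta(minutes=30)


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample timeline for one IIS host: a legitimate deploy, then a DLL drop,
# a config edit, first contact with an unknown destination and a shell spawn.
EVENTS = [
    {"ts": _t("2025-09-30 02:14:00"), "type": "file_create", "user": "svc-deploy",
     "path": r"C:\inetpub\wwwroot\portal\bin\Contoso.Web.dll"},
    {"ts": _t("2025-10-01 11:02:10"), "type": "file_create", "user": r"IIS APPPOOL\portal",
     "path": r"C:\inetpub\wwwroot\portal\bin\Sync.dll"},
    {"ts": _t("2025-10-01 11:02:31"), "type": "file_modify", "user": r"IIS APPPOOL\portal",
     "path": r"C:\inetpub\wwwroot\portal\web.config"},
    {"ts": _t("2025-10-01 11:20:05"), "type": "network_connect", "process": "w3wp.exe",
     "dest": "10.0.5.20:1433"},
    {"ts": _t("2025-10-01 11:21:47"), "type": "network_connect", "process": "w3wp.exe",
     "dest": "203.0.113.57:443"},
    {"ts": _t("2025-10-01 11:23:02"), "type": "process_create", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
]


def rule_bin_dll_outside_window(events, window=DEPLOY_WINDOW):
    """New DLL under a site bin directory outside the approved deployment window."""
    start, end = window
    return [e for e in events
            if e["type"] == "file_create"
            and "\\bin\\" in e["path"].lower() and e["path"].lower().endswith(".dll")
            and not start <= e["ts"] <= end]


def rule_config_edit_then_new_egress(events, known=KNOWN_EGRESS, window=CORRELATION_WINDOW):
    """Config edit followed within `window` by w3wp.exe's first connection to a new destination."""
    edits = [e for e in events if e["type"] in ("file_create", "file_modify")
             and e["path"].lower().endswith(CONFIG_FILES)]
    seen, hits = set(known), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "network_connect" or e["process"].lower() != "w3wp.exe" or e["dest"] in seen:
            continue
        seen.add(e["dest"])  # only the first occurrence of a destination is "first-seen"
        hits.extend((edit, e) for edit in edits if timedelta(0) <= e["ts"] - edit["ts"] <= window)
    return hits


def rule_w3wp_child_process(events):
    """w3wp.exe spawning an interpreter or LOLBin: high severity on its own."""
    return [e for e in events if e["type"] == "process_create"
            and e["parent"].lower() == "w3wp.exe" and e["image"].lower() in SUSPECT_CHILDREN]


if __name__ == "__main__":
    for e in rule_bin_dll_outside_window(EVENTS):
        print("DLL drop outside window:", e["ts"], e["path"], e["user"])
    for edit, conn in rule_config_edit_then_new_egress(EVENTS):
        print("Config edit -> first-seen egress:", edit["path"], edit["ts"], "then", conn["dest"], conn["ts"])
    for e in rule_w3wp_child_process(EVENTS):
        print("w3wp child:", e["ts"], e["cmdline"])
```

Each rule is weak alone (deploys happen off-schedule, new egress appears when a dependency moves); the value is that on this timeline all three fire on the same host within twenty minutes, which is the pattern worth paging on.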

Mitigation and Prevention

Immediate containment (suspected NET-STAR)

  1. Isolate the host or block outbound from w3wp.exe while preserving access for forensics.
  2. Capture memory and dump w3wp.exe modules/strings; enumerate CLR assemblies.
  3. Collect IIS logs, web.config/applicationHost.config, full bin\ contents, Scheduled Tasks, Services.
  4. Rotate all reachable credentials/secrets including app pool identities, service accounts, connection strings, API keys, and machineKey.
  5. Rebuild from signed, known-good artifacts onto a fresh server; avoid in-place “repairs” on a suspected persistent host.

Filesystem ACLs (engineer checklist)

Path scope | Principal | Required permission | Rationale
App root & bin\ | IIS AppPool\<AppPoolName> | Read & Execute (RX) only | Blocks DLL drop/modify persistence
App root & bin\ | Users / Everyone | Remove/Deny Write/Modify | Eliminates inherited write paths
Upload/Log/Temp dirs | IIS AppPool\<AppPoolName> | RW only on these dirs | Granular write where required

Apply with icacls/PowerShell per site identity; avoid permissive group inheritance.
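A way to verify the checklist against what icacls actually reports, as an added example that is not from the NET-STAR reporting: it parses constructed icacls output for one site and flags any ACE that lets the application pool identity write outside the approved upload/log directories, or lets Users/Everyone/Authenticated Users write anywhere under the site root. The site path, pool name and writable directories are assumptions for the example; the right letters follow icacls (F full, M modify, W write, RX read+execute, (I) inherited).

```python
import re

# Assumptions for this example: site path, pool name and the only directories the pool may write.
APP_POOL = "IIS APPPOOL\\portal"
CODE_ROOT = "C:\\inetpub\\wwwroot\\portal"
WRITABLE_DIRS = (CODE_ROOT + "\\App_Data\\uploads", CODE_ROOT + "\\logs")
BROAD_PRINCIPALS = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
# icacls simple rights plus the specific rights that grant write or delete.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC"}

# One ACE per line: optional path, principal, then one or more parenthesised flag/right groups.
ACE_RE = re.compile(r"(?P<who>(?:[A-Z ]+\\)?[^:\\]+):(?P<rights>(?:\([^)]*\))+)\s*$")

# Constructed icacls output for a site where bin\ is writable by the pool and
# uploads\ is writable by all Users. Real output continues each path's ACEs on indented lines.
SAMPLE_ICACLS = r"""C:\inetpub\wwwroot\portal IIS APPPOOL\portal:(OI)(CI)(RX)
                          BUILTIN\Users:(I)(OI)(CI)(RX)
                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                          BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\inetpub\wwwroot\portal\bin IIS APPPOOL\portal:(OI)(CI)(M)
                              BUILTIN\Users:(I)(OI)(CI)(RX)
C:\inetpub\wwwroot\portal\App_Data\uploads IIS APPPOOL\portal:(OI)(CI)(M)
                                           BUILTIN\Users:(I)(OI)(CI)(M)
C:\inetpub\wwwroot\portal\logs IIS APPPOOL\portal:(OI)(CI)(M)
"""


def parse_icacls(text):
    """Yield (path, principal, set_of_right_tokens) for each ACE line."""
    path = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        head = line[:m.start()].rstrip()
        if head:                      # a new path starts the line; indented lines reuse it
            path = head
        groups = re.findall(r"\(([^)]*)\)", m.group("rights"))
        tokens = {t.strip() for g in groups for t in g.split(",")}
        yield path, m.group("who").strip(), tokens


def audit_acls(text, code_root=CODE_ROOT, app_pool=APP_POOL, writable_dirs=WRITABLE_DIRS):
    """Findings as (path, principal, reason) for write access the checklist forbids."""
    findings = []
    for path, who, rights in parse_icacls(text):
        if path is None or not path.lower().startswith(code_root.lower()):
            continue
        if not rights & WRITE_RIGHTS:
            continue
        in_writable = any(path.lower().startswith(d.lower()) for d in writable_dirs)
        if who == app_pool and not in_writable:
            findings.append((path, who, "app pool identity can write to a code path"))
        elif who in BROAD_PRINCIPALS:
            findings.append((path, who, "broad principal can write under the site root"))
    return findings


if __name__ == "__main__":
    for path, who, reason in audit_acls(SAMPLE_ICACLS):
        print("%-45s %-22s %s" % (path, who, reason))
```

SYSTEM and Administrators holding Full are not flagged: the checklist is about the identities an attacker reaches through the web tier, and removing admin rights from the code path would break patching and deployment.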

Secret management & machineKey hygiene

  • Do not use static keys sourced from docs/samples.
  • Rotate ValidationKey/DecryptionKey across farms with strong secrets; for single servers, prefer no explicit machineKey to leverage secure local generation.
  • Encrypt sensitive web.config sections (e.g., connectionStrings).
  • Monitor ViewState size/entropy trends; disable legacy deserialization features not in use.
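The hygiene points above, together with the machineKey rows of the Exploitation Vectors table, as a web.config audit. This is an added example, not from the NET-STAR reporting or Microsoft's guidance verbatim: it flags a static machineKey, short keys, legacy validation/decryption algorithms, enableViewStateMac="false", viewStateEncryptionMode="Never" and plaintext credentials in an unencrypted connectionStrings section, then generates a fresh HMACSHA256/AES-256 machineKey element for farms that genuinely need a shared key. Both configs are constructed; the key values in the weak sample are made up, and the hex-length and algorithm rules follow the ASP.NET machineKey documentation (validationKey 40 to 128 hex characters, 128 recommended; AES key of 32/48/64 hex characters).

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}   # legacy values; HMACSHA256 and up are current
WEAK_DECRYPTION = {"DES", "3DES"}                   # AES is the only sound choice
AES_KEY_HEX_LENGTHS = (32, 48, 64)                  # AES-128/192/256 in hex characters

# Constructed sample: the weak shape this section warns about. The key values are
# placeholders made up for this example, not keys from any real product or document.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
  <connectionStrings>
    <add name="Portal" connectionString="Server=db01;Database=Portal;User Id=portal;Password=Summer2025!" />
  </connectionStrings>
</configuration>"""

# Constructed sample: single-server hardened shape. No explicit machineKey (auto-generated),
# ViewState MAC on and encrypted, connectionStrings encrypted with aspnet_regiis -pe.
# The CipherValue is a placeholder, not real ciphertext.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def audit_machinekey(xml_text):
    """Return a list of human-readable findings for one web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        vk, dk = mk.get("validationKey", ""), mk.get("decryptionKey", "")
        if not vk.startswith("AutoGenerate"):
            findings.append("static validationKey present; rotate, and drop it on single servers")
            if not HEX_RE.match(vk) or len(vk) < 128:
                findings.append("validationKey is %d hex chars; use 128 (64 bytes) for HMACSHA256" % len(vk))
        if not dk.startswith("AutoGenerate"):
            findings.append("static decryptionKey present; rotate, and drop it on single servers")
            if not HEX_RE.match(dk) or len(dk) not in AES_KEY_HEX_LENGTHS:
                findings.append("decryptionKey is %d hex chars; use 64 (AES-256)" % len(dk))
        # Defaults below are the .NET 4.5+ defaults (assumption for older frameworks).
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append("weak validation algorithm %s; use HMACSHA256" % mk.get("validation"))
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append("weak decryption algorithm %s; use AES" % mk.get("decryption"))
    pages = next(root.iter("pages"), None)
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: MAC disabled in config; never ship this")
        if pages.get("viewStateEncryptionMode", "Auto") == "Never":
            findings.append("viewStateEncryptionMode=Never exposes ViewState contents to the client")
    cs = next(root.iter("connectionStrings"), None)
    if cs is not None and cs.get("configProtectionProvider") is None:
        for add in cs.findall("add"):
            if "password=" in (add.get("connectionString") or "").lower():
                findings.append("plaintext credential in connectionString %r; encrypt the section "
                                "(aspnet_regiis -pe connectionStrings -app /<site>)" % add.get("name"))
    return findings


def new_machinekey_element():
    """Fresh keys for a web farm that must share an explicit machineKey:
    64-byte validation key for HMACSHA256 and 32-byte AES-256 decryption key."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_machinekey(cfg))
    print(new_machinekey_element())
```

Note that a freshly generated farm key still trips the "static key present" findings by design: on a farm the key is unavoidable and the finding is a reminder that it now has to be vaulted and rotated, whereas on a single server the right fix is to delete the element.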

CI/CD and deployment controls

  • MFA enforced for SCM, build, deploy, bastion/RDP, Web Deploy, and PowerShell Remoting.
  • Immutable, signed artifacts only; verify signatures at deploy time.
  • Protected branches with mandatory review; policy gates for SAST/DAST/secret scans.
  • Ephemeral build runners; short-lived scoped tokens; rotate and revoke on suspicion.

Baseline IIS hardening

  • Remove unused global modules; maintain an allow-list of expected module names/hashes internally.
  • Restrict remote management interfaces to admin networks/bastions; log and alert on remote config changes.
  • Keep Windows/IIS/.NET fully patched and apply vendor hardening baselines.

Mitigation Checklist for NET-STAR IIS Backdoor

Organisations can use this table as a structured self-audit tool to confirm they have addressed the key hardening, detection, and recovery controls needed to defend against NET-STAR-class IIS implants.

Control Area | Mitigation Action | Status (☑ / ☐) | Owner / Team | Notes
Filesystem Permissions | Enforce Read & Execute only for Application Pool identities on code paths (bin\, app root). | ☐ | | Prevents DLL persistence.
Filesystem Permissions | Remove/Deny Write for Users / Everyone on code directories. | ☐ | | Eliminates inherited write access.
Filesystem Permissions | Restrict RW to upload, log, or temp folders only. | ☐ | | Ensures app functionality without broad write.
Cryptographic Secrets | Audit and rotate all machineKey values. | ☐ | | Prevents ViewState deserialization RCE.
Cryptographic Secrets | Remove static/hardcoded machineKeys from single-server apps. | ☐ | | Forces secure auto-generation.
Cryptographic Secrets | Encrypt sensitive web.config sections (e.g., connectionStrings). | ☐ | | Protects secrets at rest.
Deployment & CI/CD | Enforce MFA on SCM, build, deployment portals, RDP/PowerShell. | ☐ | | Prevents credential-only compromise.
Deployment & CI/CD | Require signed, immutable artifacts in deployment. | ☐ | | Blocks unsigned/malicious assemblies.
Deployment & CI/CD | Apply branch protection and mandatory review policies. | ☐ | | Stops unauthorised code injection.
Deployment & CI/CD | Use ephemeral build runners and scoped tokens. | ☐ | | Limits supply-chain persistence.
Monitoring & Detection | Enable File Integrity Monitoring (FIM) on web.config, applicationHost.config, bin\. | ☐ | | Detects module injection attempts.
Monitoring & Detection | Configure EDR to flag w3wp.exe spawning child processes. | ☐ | | Signals in-process code execution.
Monitoring & Detection | Enumerate and alert on CLR assemblies in w3wp.exe with no matching disk image. | ☐ | | Detects reflective/in-memory loads.
Monitoring & Detection | Tune NDR/WAF to detect abnormal headers, long cookies, and low-reputation outbound HTTPS. | ☐ | | Surfaces covert C2.
Response & Recovery | Establish playbook for memory capture and artifact collection on IIS servers. | ☐ | | Enables timely forensic investigation.
Response & Recovery | Define process for full secret rotation (credentials, tokens, keys) if compromise suspected. | ☐ | | Ensures containment.
Response & Recovery | Rebuild from clean hosts only using signed artifacts after suspected backdoor. | ☐ | | Prevents persistence migration.

This checklist doubles as a gap analysis worksheet for security teams, with clear columns for tracking ownership, current status, and action notes. It’s designed to be simple enough for operational teams to use in audits, while detailed enough for SOC and engineering staff to validate their controls.


Known Indicators of Compromise (IoCs)

File hashes (MD5)

  • 0867745cbc4568e97d050b905a4caa0b
  • 5b458c03029de4833dd1f0c10ff66633
  • 9b71ae4ce0a9560840ee734e88d22db5

File hashes (SHA-1)

  • 16b7f439f516cd0ff3ae6945331e1ba20a849aba
  • 51a4728ddfc67b8ec12d24475a4e50a5ed60dd84
  • fb3b2ce44dcecef37ef23fbfe3860e5674229f76

File hashes (SHA-256)

  • 3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4
  • afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e
  • b76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038
  • eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc

Risk Assessment

Factor | Rating | Justification
Scope of impact | High | In-process interception enables theft of tokens, credentials, PII and response manipulation
Actor sophistication | High (provisional) | Tradecraft overlaps with contemporary IIS module and ViewState exploitation operations
Detection difficulty | Moderate–High | Reflective loads, config blending, covert HTTPS tasking
Remediation complexity | High | Requires memory forensics, full credential/secret rotation, clean rebuild
Overall score | 6.6 🟠 Elevated (provisional) | Uplifted for credible tradecraft overlap; provisional until NET-STAR IoCs are vendor-verified

Conclusion

NET-STAR reflects the present-day IIS implant problem set: stealthy, modular, and powerful once inside w3wp.exe. Even without named IoCs, defenders can materially reduce risk by locking down filesystem permissions, securing cryptographic keys, instrumenting deep memory/HTTP telemetry, and hardening CI/CD. Treat in-process web tier compromise as a high-impact scenario and execute the containment and rebuild plan rather than relying on signature-only detection.


Sources

Microsoft Security Blog – Malicious IIS extensions quietly open persistent backdoors into servers – https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

The Hacker News – Phantom Taurus: New China-Linked Hacker Group Hits Governments With Stealth Malware – https://thehackernews.com/2025/09/phantom-taurus-new-china-linked-hacker.html

Cyber Press – NET-STAR Malware Delivered by New Chinese Nexus APT in Widespread Attacks – https://cyberpress.org/net-star-malware/

Microsoft Security Blog – Code injection attacks using publicly disclosed ASP.NET machine keys – https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/

AlienVault OTX – Indicators of Compromise – https://otx.alienvault.com/pulse/68dc119747c51064f96051fc