—
In June 2026, cybersecurity experts uncovered a coordinated and sophisticated cyber intrusion that began with the compromise of a Microsoft Internet Information Services (IIS) server. Attackers exploited this vulnerability to gain initial access, and within a remarkably short timeframe of just 24 hours, they deployed a previously unseen ransomware payload across an enterprise network. This incident highlights the alarming capabilities of modern threat actors who can execute highly organized and rapidly evolving attacks.
The operation reflects a meticulous and hands-on key approach, coupled with automated lateral movement techniques. This suggests that the attackers possess resources and expertise that allow them to target multiple systems and organizations simultaneously, enhancing their operational scope beyond just a single victim.
The attack commenced when the adversaries breached an internet-facing IIS server, subsequently uploading an ASP.NET web shell to establish a foothold within the network. Within three hours of obtaining this initial access, they efficiently executed commands via the IIS worker process. This allowed them to launch essential system utilities, including cmd.exe and PowerShell, facilitating extensive reconnaissance and system manipulation.
One of the initial tactics employed by the attackers was a User Account Control (UAC) bypass, allowing them to escalate privileges and activate Remote Desktop Protocol (RDP). They also created a local persistence account, laying the groundwork for their sustained presence within the network. Notably, they aimed to evade detection right from the onset of the attack. To do this, the intruders targeted various endpoint security tools using native utilities like WMIC and MpCmdRun.exe.
Credential access was a crucial step in this intricate operation. The attackers successfully dumped the Security Account Manager (SAM) hive into a secured archive and extracted credentials from the Local Security Authority Subsystem Service (LSASS) memory. This dual-phase credential harvesting enabled immediate as well as scalable access across the compromised domain, significantly enhancing the attackers’ reach.
To maintain robust command-and-control capabilities, the threat actors implemented several tunneling techniques, including reverse SOCKS proxies known as revsocks, a modified Chisel application masquerading as chrome.exe, and a Cloudflare Tunnel client. These tools allowed the perpetrators to create redundant encrypted communication channels over port 443, thereby bypassing conventional network security controls.
The infrastructure used for payload delivery incorporated external IP-hosted resources and alternative staging domains. In an innovative approach to evade detection, the attackers disguised some malicious files with .jpg extensions.
According to findings from the Symantec Threat Hunter Team, this nefarious campaign targeted an IT services organization located in South Asia. The operation culminated in the deployment of a new ransomware strain identified as “Spirals,” built on the Rust programming language.
That same night, the attackers initiated lateral movement using Windows Management Instrumentation (WMI), aggressively targeting numerous systems in quick succession, presumably leveraging credentials belonging to domain administrators. The rapid execution of this lateral movement suggested pre-enumeration of Active Directory assets, allowing the attackers to swiftly pivot across the network.
By the following day, they transitioned to PsExec for mass deployment, launching a base64-encoded PowerShell payload that executed across dozens of devices per minute. This malicious payload not only disabled Microsoft Defender protections but also terminated various critical services associated with backup, virtualization, and database platforms, such as VMware, Veeam, SQL Server, Oracle, and SAP. This strategic maneuver ensured file accessibility before encryption — a hallmark of contemporary ransomware tactics.
The Spirals ransomware payload was distributed across multiple strategic locations, positioning itself within the Windows directory, user desktops, SYSVOL domain scripts, and network shares hosted on domain controllers. Such placement facilitated both direct execution and propagation through domain replication mechanisms. The encryption process utilized per-file AES-128 keys secured with an ECDH P-256 public key, delivering robust cryptographic protection. Notably, files larger than 5 MB were encrypted using an efficient chunk-based technique to optimize performance.
Additionally, the ransomware featured capabilities for process termination, obfuscation, and privilege escalation, signaling a well-developed codebase. Victims were directed to a Tor-based negotiation portal via a ransom note saved in C:\RECOVERY_SECTION.log, with threats of data leakage within six days – underscoring the double extortion model typical of contemporary ransomware operations.
Investigators uncovered an onion site linked to the “Spirals” branding, though the identity of the attackers remains shrouded in mystery. Moreover, the perpetrators strategically placed various tunneling binaries within directories characteristic of IIS web application paths and Windows scheduled tasks, effectively blending their malicious artifacts with legitimate operational frameworks.
Despite this attack being recorded as a singular incident thus far, the operational discipline, speed, and layered evasion strategies exhibited by the threat actors strongly indicate their potential to conduct more extensive campaigns in the future. The combination of IIS exploitation, rapid privilege escalation, automated lateral movement, and enterprise-wide ransomware deployment signifies a disturbing trend towards highly compressed attack timelines.
Organizations that expose IIS servers to the internet are urged to consider this incident as a critical warning, especially regarding the attackers’ ability to transition swiftly from initial access to total domain compromise in under 24 hours. Organizations must bolster their defenses and prioritize cybersecurity vigilance to thwart future threats of this magnitude.
—

