Wednesday, May 7, 2025

New C++-Based IIS Malware Mimics cmd.exe to Evade Detection


A recent discovery by Palo Alto Networks’ Unit 42 has shed light on sophisticated malware targeting Internet Information Services (IIS) servers.

This malware, developed in C++/CLI, a rare choice for malware authors, has been designed to mimic the behavior of cmd.exe to evade detection.

The malware operates as a passive backdoor, integrating itself into the IIS server by registering for HTTP response events.


It filters incoming HTTP requests for specific headers, which are used to execute commands.

The commands and data are encrypted using AES and then Base64-encoded, adding a layer of complexity to its operations.
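The article does not name the headers the backdoor looks for, and a defender will not know them in advance either. What can be scored generically is what the article does describe: a header value that is AES ciphertext wrapped in Base64. The Python below is an added illustration (not Unit 42's code or tooling) of that screening idea: decode strict Base64 from non-standard request headers and flag payloads whose decoded bytes have near-maximal entropy. The allowlist of expected headers, the request samples, the header name `X-Constructed-Header`, and the SHA-256-derived stand-in for ciphertext are all constructed for this example.

```python
import base64
import binascii
import hashlib
import math
import re
from typing import Dict, List, Optional

# Strict Base64 shape. On the wire an AES-then-Base64 command looks like any
# opaque token; what distinguishes it is the decoded content, which has
# near-maximal entropy and almost no printable structure.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Headers whose values are opaque by design (cookies, auth tokens) or plainly
# benign; they are not scored. Assumed allowlist for this example.
EXPECTED_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "authorization", "referer",
    "connection", "x-forwarded-for", "cache-control",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_ratio(data: bytes) -> float:
    """Entropy relative to the maximum a sample of this length can reach,
    so short payloads are judged fairly (a 64-byte sample caps at 6 bits)."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(len(data), 256))


def try_b64_decode(value: str) -> Optional[bytes]:
    """Decode strict Base64; None if the value is not well-formed Base64."""
    value = value.strip()
    if not _B64_RE.match(value) or len(value) % 4 != 0:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def score_headers(headers: Dict[str, str], min_len: int = 32,
                  ratio_threshold: float = 0.85) -> List[dict]:
    """Flag non-standard headers whose Base64 payload decodes to
    high-entropy bytes of at least `min_len`."""
    findings = []
    for name, value in headers.items():
        if name.lower() in EXPECTED_HEADERS:
            continue
        raw = try_b64_decode(value)
        if raw is None or len(raw) < min_len:
            continue
        ratio = entropy_ratio(raw)
        if ratio >= ratio_threshold:
            findings.append({"header": name, "decoded_len": len(raw),
                             "entropy_ratio": round(ratio, 3)})
    return findings


def constructed_ciphertext(n: int) -> bytes:
    """Constructed stand-in for AES output: a SHA-256 chain has the same
    structureless byte distribution a scanner would see in real ciphertext."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed requests; header names and values are made up for this example.
BENIGN_REQUEST = {
    "Host": "intranet.example",
    "User-Agent": "Mozilla/5.0",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    # Base64-wrapped JSON: well-formed Base64, but low entropy once decoded.
    "X-Session-Data": base64.b64encode(
        b'{"user":"alice","role":"viewer","theme":"dark","lang":"en-US"}').decode(),
}
SUSPECT_REQUEST = {
    "Host": "intranet.example",
    "User-Agent": "Mozilla/5.0",
    "X-Constructed-Header": base64.b64encode(constructed_ciphertext(64)).decode(),
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, score_headers(req))
```

The heuristic is deliberately name-agnostic: it only needs the property the article states (encrypted then Base64-encoded), not the specific header. Compressed or already-encrypted legitimate payloads (gzip, JWE, client certificates in headers) score just as high, so the output is a triage queue to correlate with the IIS module inventory and process telemetry, not a block rule on its own.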

Technical Analysis

The malware has two versions, both of which were uploaded to VirusTotal from Thailand.

The newer version, compiled on May 9, 2023, employs a custom cmd.exe wrapper tool to execute commands, reducing the visibility of its activities by avoiding direct cmd.exe invocation from the IIS process.

[Figure: IIS backdoor event handler as shown by dnSpyEx.]

This wrapper application is embedded within the malware and communicates via a named pipe, allowing it to redirect command-line commands from the command and control (C2) server and return results.

The malware supports a range of commands, including file management, process execution, and system information retrieval.

According to the report, it also patches AMSI and ETW routines to evade detection by security software.
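The wrapper's purpose, as described above, is to keep cmd.exe from appearing as a direct child of the IIS worker process. A detection that only checks the immediate parent is defeated by that extra hop; one that walks the full ancestry is not. The AMSI and ETW patching happens inside the worker process, so user-mode telemetry from that process is unreliable, but kernel-sourced process-creation and named-pipe events (Sysmon Event IDs 1 and 17, or an EDR's equivalent) are still emitted. The Python below is an added example, not Unit 42's tooling, of triaging such events: every process or named pipe whose lineage passes through w3wp.exe at any depth is flagged. The events are constructed in a simplified Sysmon-like shape; the PIDs, the wrapper path `C:\inetpub\temp\constructed-wrapper.exe`, and the pipe name are placeholders, not indicators from the report.

```python
from typing import Dict, List

# Constructed events in a simplified Sysmon-like shape (field names follow
# Sysmon's EventID 1 "Process Create" and EventID 17 "Pipe Created"; the
# PIDs, paths and pipe name are made up for this example).
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessId": 1200, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # The worker launches the wrapper instead of cmd.exe...
    {"EventID": 1, "ProcessId": 3400, "ParentProcessId": 1200,
     "Image": r"C:\inetpub\temp\constructed-wrapper.exe"},
    {"EventID": 17, "ProcessId": 3400,
     "Image": r"C:\inetpub\temp\constructed-wrapper.exe",
     "PipeName": r"\constructed-pipe"},
    # ...so cmd.exe is only a grandchild of w3wp.exe.
    {"EventID": 1, "ProcessId": 3412, "ParentProcessId": 3400,
     "Image": r"C:\Windows\System32\cmd.exe"},
    # An administrator's interactive shell: unrelated lineage, must not fire.
    {"EventID": 1, "ProcessId": 4800, "ParentProcessId": 700,
     "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4800,
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def build_process_table(events: List[dict]) -> Dict[int, dict]:
    """Map pid -> its process-create event. PIDs are assumed unique here;
    real telemetry must key on Sysmon's ProcessGuid because PIDs are reused."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def lineage(pid: int, table: Dict[int, dict]) -> List[str]:
    """Image basenames from `pid` up to the root, cycle-safe."""
    chain: List[str] = []
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(basename(table[pid]["Image"]))
        pid = table[pid]["ParentProcessId"]
    return chain


def triage(events: List[dict], worker: str = "w3wp.exe") -> List[dict]:
    """Flag process-create and pipe-create events whose lineage passes
    through the IIS worker process, at any depth."""
    table = build_process_table(events)
    findings = []
    for e in events:
        if e["EventID"] not in (1, 17):
            continue
        chain = lineage(e["ProcessId"], table)
        # chain[0] is the process itself; we want what the worker spawned.
        if worker not in chain[1:]:
            continue
        kind = "process" if e["EventID"] == 1 else "pipe"
        finding = {"kind": kind, "pid": e["ProcessId"],
                   "image": basename(e["Image"]),
                   "chain": " -> ".join(reversed(chain))}
        if kind == "pipe":
            finding["pipe"] = e["PipeName"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_EVENTS):
        print(f)
```

On a real IIS host the worker does spawn some legitimate children (for example during application pool recycling or from intentionally configured handlers), so the flagged set is small but not empty; the useful baseline is the set of images w3wp.exe lineages normally reach on that server, with anything new, anything under a writable web directory, and any descendant reaching cmd.exe or powershell.exe escalated first.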

The use of C++/CLI for this malware is notable due to its rarity in the malware landscape.

This choice likely stems from the language’s ability to combine managed and unmanaged code, making analysis more challenging.

The malware’s sophistication and targeted nature suggest it may have been used in specific attacks, although attribution to a known threat actor remains elusive.

Detection and Protection

Palo Alto Networks’ Advanced WildFire and Cortex XDR/XSIAM solutions offer enhanced protection against this malware by leveraging memory analysis and behavioral threat protection.

These tools can identify and block both known and unknown malware, providing a robust defense mechanism against such sophisticated threats.

As the cybersecurity landscape continues to evolve, staying informed about emerging threats and employing advanced security solutions is crucial for organizations seeking to protect their infrastructure.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
