Stealthy IIS Server Compromise

Persistence mechanisms are a critical aspect of these attacks. Malicious DLL modules can be loaded into IIS worker processes, particularly w3wp.exe, enabling attackers to maintain control even after system patches and reboots. The heavy code obfuscation obscures attackers’ activities, complicating efforts by security teams to analyze and remediate the threats.
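The native-module persistence described above leaves a trace that defenders can audit: every DLL that IIS loads into w3wp.exe as a global module is registered in applicationHost.config. The following auditor is an added example, not code from the original article or from Microsoft; it parses a constructed config fragment, lists the registered `<globalModules>` entries, and flags any whose image path lies outside the stock IIS and .NET directories (the trusted-directory list is an assumption and should be extended for legitimately installed third-party modules). It also reports whether a flagged module is actually enabled under `<modules>`.

```python
import os
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not captured from a real server).
# Two modules live under the normal IIS / .NET directories; the third points
# into a writable web directory, which is what a planted native module looks like.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ManagedEngineV4.0_64bit"
           image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="CacheHelper" image="C:\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="CacheHelper" />
    </modules>
  </system.webServer>
</configuration>
"""

# Directories from which stock IIS native modules are normally loaded.
# Assumption for this example; add paths of legitimately installed third-party modules.
TRUSTED_DIRS = (r"%windir%\System32\inetsrv", r"%windir%\Microsoft.NET")


def normalize_path(p: str) -> str:
    """Expand %windir%/%SystemRoot% and lower-case so prefix comparison is reliable."""
    windir = os.environ.get("windir", r"C:\Windows")  # fallback when run off-box
    p = p.replace("%windir%", windir).replace("%SystemRoot%", windir)
    return p.lower().rstrip("\\")


def parse_global_modules(config_xml: str) -> list:
    """Return the native modules registered in <globalModules>."""
    root = ET.fromstring(config_xml)
    mods = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            mods.append({
                "name": add.get("name", ""),
                "image": add.get("image", ""),
                "preCondition": add.get("preCondition", ""),
            })
    return mods


def enabled_module_names(config_xml: str) -> set:
    """Names listed under <modules>, i.e. modules actually enabled in the pipeline."""
    root = ET.fromstring(config_xml)
    return {add.get("name", "")
            for section in root.iter("modules")
            for add in section.findall("add")}


def audit_global_modules(config_xml: str, trusted_dirs=TRUSTED_DIRS) -> list:
    """Flag native modules whose DLL is loaded from outside the trusted directories."""
    prefixes = [normalize_path(d) + "\\" for d in trusted_dirs]
    enabled = enabled_module_names(config_xml)
    findings = []
    for m in parse_global_modules(config_xml):
        image = normalize_path(m["image"])
        if not any(image.startswith(pfx) for pfx in prefixes):
            findings.append({
                "name": m["name"],
                "image": m["image"],
                "enabled": m["name"] in enabled,
            })
    return findings


if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG):
        state = "ENABLED" if f["enabled"] else "registered only"
        print(f"[!] untrusted native module {f['name']!r} -> {f['image']} ({state})")
```

On a live server the same functions can be fed the contents of `%windir%\System32\inetsrv\config\applicationHost.config`; a path outside the trusted directories is a lead, not a verdict, so the flagged DLL's signature and file history should be checked next.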

Web shells are executed within legitimate IIS processes, resulting in minimal system behavior anomalies and allowing for long-term covert operations. Affected systems include Microsoft IIS servers, especially those running SharePoint Server 2016, 2019, and Subscription Edition. Several critical SharePoint vulnerabilities, including CVE-2025-53770 and CVE-2025-53771, have been exploited to facilitate web shell deployment. Servers lacking timely patches or exhibiting poor configuration management are at greater risk.

Frequently exploited weaknesses, such as unauthenticated endpoint access, have been cataloged by CISA, underscoring the urgency for organizations to update their systems. The attack profile also shows a significant escalation in the sophistication of web shell attacks, demonstrating the urgent need for improved defenses. Deploying malicious scripts after exploitation is a common tactic attackers use to establish persistence.
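Because the web shells described in the two preceding paragraphs are server-side script files dropped after exploitation, a file-integrity baseline of the web root catches them even when they run inside a legitimate w3wp.exe process. The following is an added example, not code from the original article: it snapshots the SHA-256 of every ASP.NET script file under a root, then reports files that are new or changed relative to that baseline. The directory layout, file names and contents are constructed for the demo (a placeholder stands in for a dropped file), and the extension list is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS routes to the ASP.NET handler; web shells are normally one of these.
# Assumption for this example; adjust to the handlers actually mapped on the server.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".svc"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each script file under root (posix-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in SCRIPT_EXTS}


def diff_against_baseline(root: Path, baseline: dict) -> list:
    """Return (relative_path, status) for script files added or changed since baseline."""
    current = snapshot(root)
    findings = []
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            findings.append((rel, "new"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
    return findings


def run_demo() -> list:
    """Constructed web root: take a baseline, then simulate a post-exploitation drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layouts = root / "TEMPLATE" / "LAYOUTS"   # mirrors a SharePoint layouts folder
        layouts.mkdir(parents=True)
        (layouts / "default.aspx").write_text("<%@ Page Language=\"C#\" %> original page")
        (layouts / "readme.txt").write_text("not a script, ignored by the scan")
        baseline = snapshot(root)

        # Simulated compromise (constructed): one new script file and one altered page.
        (layouts / "dropped_placeholder.aspx").write_text("<%@ Page %> CONSTRUCTED DROP")
        (layouts / "default.aspx").write_text("<%@ Page Language=\"C#\" %> original page + appended code")

        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for rel, status in run_demo():
        print(f"[!] {status:<8} {rel}")
```

In practice the baseline is taken right after patching from a known-good state and stored off the server; a "new" or "modified" hit under a directory that should only change during installs is a strong trigger for incident response.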

The prevalence of web shell attacks has surged, with an average of approximately 140,000 detections per month as of early 2021, and this trend has continued into 2025. Windows-based IIS servers serve as prime targets for threat actors because of their widespread usage.

These attacks grant attackers complete remote control over server environments, resulting in unauthorized data access and posing significant operational risks to organizations globally. The growing sophistication and accessibility of web shell tooling are lowering the skill barrier for attackers, leading to increased competition among malicious actors for access to the same servers.
