Statistical Report on Malware Targeting Windows Web Servers in Q1 2025

Overview

AhnLab SEcurity intelligence Center (ASEC) responds to and classifies attacks that target improperly managed Windows web servers using the AhnLab Smart Defense (ASD) infrastructure. This post covers the damage status of Windows web servers that have been targeted in attacks and provides statistics on those attacks based on the logs identified in the first quarter of 2025. It also classifies the malware used in each attack and compiles detailed statistics.

Statistics

1. Current Status of Attacks Targeting Windows Web Servers

The following are the statistics of Windows web server-targeted attacks detected through AhnLab Smart Defense (ASD) logs in the first quarter of 2025.


Figure 1. Status of attacks targeting Windows web servers in Q1 2025

The “Impact” section shows the number of systems that have been targeted by malware or threat actors. These are systems confirmed to have been infected with malware after the threat actor gained control over the Windows web server. The term “Windows Web Server” in this context refers to web servers such as Internet Information Services (IIS) and Apache Tomcat installed in a Windows environment. Attacks on web servers typically involve exploiting vulnerabilities in environments that have not received security patches, attacking misconfigured environments, or attacking servers that are not being properly managed.

Threat actors who attack web servers typically upload a web shell by exploiting file upload vulnerabilities and use it to execute commands. Other methods are also used, such as exploiting vulnerabilities in the web development framework itself or in the Web Application Server (WAS) to upload a web shell. Instead of uploading a file at all, they may also execute commands directly by exploiting remote code execution vulnerabilities.
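The web shell path described above leaves a recognizable trace in the web server's own access log: a successful request for a script file sitting under a directory that is only supposed to hold uploaded content, often shortly after a POST from the same client. The following is an added example written for this post, not ASEC's tooling nor part of the report; it parses IIS W3C extended-format log lines and flags such requests. The log lines, the upload directory names, and the script extension list are constructed assumptions for a hypothetical site, so adjust them to the handler mappings and writable paths of the server you are reviewing.

```python
"""Added example (not from the ASEC report): flag possible web shell
deployment in IIS W3C extended-format access logs.
All sample data below is constructed for illustration."""
from datetime import datetime, timedelta

# Extensions a default IIS or Tomcat install would hand to a script engine.
# Assumption: a starting list; extend it to whatever your handler mappings execute.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".jsp", ".jspx", ".php"}
# Assumption: content directories that should only ever hold user uploads.
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/")

# Constructed sample log (IIS replaces spaces in User-Agent with '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-02-14 03:12:05 10.0.0.5 POST /board/upload.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-14 03:12:09 10.0.0.5 GET /uploads/2025/image.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-14 03:13:00 10.0.0.5 GET /uploads/2025/logo.png - 198.51.100.3 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-14 03:40:00 10.0.0.5 GET /uploads/old/test.asp - 198.51.100.3 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-14 04:00:00 10.0.0.5 GET /uploads/2025/x.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 404
"""


def parse_w3c(log_text):
    """Parse W3C extended-format lines into dicts keyed by the #Fields names."""
    fields = None
    entries = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                         # other directives / blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                         # cannot map this line reliably; skip it
        entry = dict(zip(fields, parts))
        entry["ts"] = datetime.strptime(f"{entry['date']} {entry['time']}",
                                        "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def is_script_in_upload_dir(uri_stem):
    """True when a script-engine file is being served from an upload directory."""
    stem = uri_stem.lower()
    return stem.startswith(UPLOAD_DIRS) and any(stem.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_webshell_candidates(log_text, window_seconds=300):
    """Return successful requests for script files under upload directories,
    annotated with whether the same client POSTed within the preceding window."""
    entries = parse_w3c(log_text)
    hits = []
    for i, e in enumerate(entries):
        if e["sc-status"] != "200" or not is_script_in_upload_dir(e["cs-uri-stem"]):
            continue
        window_start = e["ts"] - timedelta(seconds=window_seconds)
        prior_post = any(
            p["c-ip"] == e["c-ip"] and p["cs-method"] == "POST"
            and window_start <= p["ts"] < e["ts"]
            for p in entries[:i]
        )
        hits.append({
            "time": e["ts"].isoformat(sep=" "),
            "client": e["c-ip"],
            "path": e["cs-uri-stem"],
            "preceded_by_upload": prior_post,
        })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_candidates(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, this reports two hits: the request for `/uploads/2025/image.aspx` (preceded by a POST from the same client four seconds earlier) and the one for `/uploads/old/test.asp` (no prior POST, still worth a look), while the 404 and the PNG are ignored. Any hit is a reason to compare the file on disk with what the upload handler should have written; as a preventive step, the same upload directories should be configured so the web server never executes scripts from them at all, which makes this detection a backstop rather than the only line of defence.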

The “Attack Status” section displays the number of attacks performed by malware or threat actors against the system. Vulnerable Windows web servers are typically targeted by multiple threat actors and malware, so logs of various malware infections are often identified simultaneously.