Statistical Report on Malware Targeting Windows Web Servers in Q2 2025
Overview
AhnLab SEcurity intelligence Center (ASEC) uses the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks against poorly managed Windows web servers. Based on logs identified in the second quarter of 2025, this report covers the damage status of Windows web servers that became targets of attacks and presents statistics on the attacks against them. The malware used in each attack is also categorized, with a summary of the statistical details.
Statistics
1. Status of Attacks on Windows Web Servers
The following are statistics on attacks against Windows web servers identified through AhnLab’s ASD logs in the second quarter of 2025.

Figure 1. Attacks against Windows web servers in Q2, 2025
The “Damage status” indicates the number of systems that have become targets of malware or threat actors, that is, systems where the Windows web server has been confirmed as compromised by a threat actor to facilitate malware installation. The Windows web servers discussed here refer to Internet Information Services (IIS) web servers installed in Windows environments and Apache Tomcat web servers. Attacks that target web servers include vulnerability attacks against environments where the necessary security patches have not been applied, attacks against misconfigured environments, and attacks against poorly managed servers.
Threat actors targeting web servers often use file upload vulnerabilities to upload web shells and execute commands. Besides this method, they can also exploit vulnerabilities in web development frameworks or Web Application Servers (WAS) to upload web shells. Alternatively, they can skip the file upload step and execute commands directly by exploiting remote code execution vulnerabilities.
The “Attack status” shows the number of times threat actors or malware attacked the system. For reference, these vulnerable Windows web servers are generally targeted by multiple threat actors and malware at the same time, so logs related to various malware are detected together.
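One way to hunt for the upload-then-web-shell pattern described above in IIS W3C logs, as an added example that is not part of the ASEC report. The log lines, paths and IP addresses are constructed, and the 60-second window and single-client rule are assumed heuristics, not ASD detection logic.

```python
from datetime import datetime, timedelta

SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx")

# Constructed sample in IIS W3C extended format (not taken from the report).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-05-02 09:00:01 GET /default.aspx 198.51.100.7 200
2025-05-02 09:00:05 GET /default.aspx 198.51.100.9 200
2025-05-02 09:01:10 POST /board/upload.aspx 203.0.113.5 200
2025-05-02 09:01:14 GET /board/files/img01.aspx 203.0.113.5 200
2025-05-02 09:01:20 POST /board/files/img01.aspx 203.0.113.5 200
2025-05-02 09:02:00 POST /board/upload.aspx 198.51.100.7 200
2025-05-02 09:02:03 GET /board/files/photo.jpg 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, honouring the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def find_upload_then_execute(text, window_s=60):
    """Script URIs first requested shortly after a POST by the same, sole client."""
    clients = {}     # uri -> set of client IPs that requested it
    last_post = {}   # client IP -> (time, uri) of its most recent POST
    candidates = {}  # uri -> (client IP, URI of the preceding POST)
    for r in parse_w3c(text):
        uri, ip = r["cs-uri-stem"].lower(), r["c-ip"]
        first_seen = uri not in clients
        clients.setdefault(uri, set()).add(ip)
        prev = last_post.get(ip)
        if (first_seen and uri.endswith(SCRIPT_EXT) and r["sc-status"] == "200"
                and prev and prev[1] != uri
                and r["ts"] - prev[0] <= timedelta(seconds=window_s)):
            candidates[uri] = (ip, prev[1])
        if r["cs-method"] == "POST":
            last_post[ip] = (r["ts"], uri)
    # Keep only scripts that no other client ever requested in this log.
    return {u: v for u, v in candidates.items() if len(clients[u]) == 1}
```

Run it over a log window long enough to establish which script pages are normally served, since a legitimate page first requested right after a form POST matches the same rule. Tomcat access logs use a different layout and need their own parser.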