Statistical Report on Malware Targeting Windows Web Servers in Q1 2026
Description.
AhnLab SEcurity intelligence Center (ASEC) analyzed the attack status and malware statistics of Windows web servers in the first quarter of 2026 based on AhnLab Smart Defense (ASD) logs.
The analysis covers Internet Information Services (IIS) and Apache Tomcat web servers in Windows environments.
Command execution through a web shell is the main path of compromise, and follow-on malicious behaviors such as privilege escalation, proxy tools, backdoors, and CoinMiners are frequently identified.
Purpose and Scope.
The purpose of this report is to summarize the victimization status, number of attacks, and malware classification statistics for the first quarter of 2026, based on verified logs.
Key statistics.
- Attacks against Windows web servers have been observed continuously, and for Q1 2026 we covered attack cases from the Larva-26001 threat actor. The Larva-26001 threat actor has been attacking domestic IIS web servers for at least several years, installing port-forwarding tools and privilege escalation malware.
- During the attack process, JuicyPotato, BadPotato, and an exploit for CVE-2019-1458 were used for privilege escalation.
- After that, the HTran (LCX) and PortTranC tools are used to perform port forwarding, mainly targeting port 3389, the RDP port. The attacker is believed to use the forwarded port to reach the RDP service and take control of the infected system.
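The three stages listed above (web shell command execution, a Potato-style jump to SYSTEM, and a forwarder relaying into the local RDP port) each leave a recognizable trace in endpoint telemetry. The following detection sketch is an added example, not code from ASEC or the report; the event records are constructed to imitate Sysmon process-creation and network-connection fields, the process and tool file names are placeholders, and the rule thresholds are assumptions a defender would tune to their own environment.

```python
"""Added detection example for the compromise chain the report describes:
web shell command execution from the IIS/Tomcat worker process, a Potato-style
jump to SYSTEM, and a port-forwarding tool reaching the RDP port (3389).
All events below are constructed for illustration; the field names imitate
Sysmon process-creation / network-connection records but are not real telemetry."""

import ntpath

# IIS worker process and common Tomcat host processes on Windows (assumed list).
WEB_SERVER_PROCESSES = {"w3wp.exe", "tomcat9.exe", "tomcat10.exe", "java.exe"}
# Interpreters and LOLBins a web shell typically hands commands to (assumed list).
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe"}
RDP_PORT = 3389
# Processes expected to open a TCP connection *to* 3389 (the RDP client itself).
EXPECTED_RDP_CLIENTS = {"mstsc.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect_webshell_exec(events):
    """Web server worker process spawning a command interpreter."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        parent, child = _name(ev["parent"]), _name(ev["image"])
        if parent in WEB_SERVER_PROCESSES and child in COMMAND_INTERPRETERS:
            alerts.append({"rule": "webshell_command_exec", "parent": parent,
                           "child": child, "cmdline": ev["cmdline"]})
    return alerts


def detect_privilege_jump(events):
    """Child running as SYSTEM while its parent ran under an IIS AppPool identity:
    the outcome of a JuicyPotato/BadPotato-style escalation. Assumes the telemetry
    records both the parent's and the child's account."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        parent_user, child_user = ev["parent_user"].upper(), ev["user"].upper()
        if parent_user.startswith("IIS APPPOOL\\") and child_user.endswith("\\SYSTEM"):
            alerts.append({"rule": "apppool_to_system", "image": _name(ev["image"]),
                           "parent_user": ev["parent_user"], "user": ev["user"]})
    return alerts


def detect_rdp_forwarding(events):
    """Connection to port 3389 from a process that is not the RDP client: the
    pattern left by a port forwarder relaying into the local RDP service."""
    alerts = []
    for ev in events:
        if ev["type"] != "network" or ev["dst_port"] != RDP_PORT:
            continue
        image = _name(ev["image"])
        if image not in EXPECTED_RDP_CLIENTS:
            alerts.append({"rule": "unexpected_rdp_connect", "image": image,
                           "dst": f"{ev['dst_ip']}:{ev['dst_port']}"})
    return alerts


def run_detections(events):
    """All three rules over one event stream, in the order of the attack chain."""
    return detect_webshell_exec(events) + detect_privilege_jump(events) + detect_rdp_forwarding(events)


# Constructed sample telemetry (not from the report); tool paths are placeholders.
SAMPLE_EVENTS = [
    # Web shell on IIS runs a recon command under the AppPool identity.
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_user": r"IIS APPPOOL\DefaultAppPool", "image": r"C:\Windows\System32\cmd.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": "cmd.exe /c whoami"},
    # Potato-style escalation: AppPool-identity parent, SYSTEM child.
    {"type": "process", "parent": r"C:\inetpub\wwwroot\uploads\placeholder-escalation-tool.exe",
     "parent_user": r"IIS APPPOOL\DefaultAppPool", "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": "cmd.exe"},
    # Benign: an administrator opens a shell from Explorer.
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "parent_user": r"CORP\admin",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\admin", "cmdline": "cmd.exe"},
    # Port forwarder on the server relaying into the local RDP service.
    {"type": "network", "image": r"C:\Users\Public\placeholder-forwarder.exe",
     "dst_ip": "127.0.0.1", "dst_port": 3389},
    # Benign: the RDP client itself connecting to another host.
    {"type": "network", "image": r"C:\Windows\System32\mstsc.exe",
     "dst_ip": "10.0.0.5", "dst_port": 3389},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample stream, the script raises exactly one alert per stage: the w3wp.exe-to-cmd.exe spawn, the AppPool-to-SYSTEM jump, and the non-client connection to 127.0.0.1:3389. In production the process allowlists need tuning (some application pools legitimately call interpreters), and the port-forwarding rule pairs well with the report's firewall advice: a host that never needs inbound RDP should not accept 3389 from anywhere, forwarded or not.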
Conclusion.
Windows web server attacks tend to be launched via file upload vulnerabilities, web framework or WAS (web application server) vulnerabilities, or RCE in unpatched services.
Web shells are used as the primary means of penetration, and the combination of privilege escalation and proxy tools leads to internal network takeover and RDP-based remote control.
The report recommends patching known vulnerabilities, tightening access controls such as firewalls, and keeping antivirus (V3) updated.