Pulse name: Q1 2026 malware statistics report for Windows web servers
TLP: WHITE | Tag: Larva-26001 | Author: AlienVault | Created: 2026-04-14 | Modified: 2026-04-14
8 IOCs (low volume)
Analysis of Windows web server attacks during Q1 2026 shows that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats through web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escalation tools including JuicyPotato and BadPotato and exploiting CVE-2019-1458. After escalating privileges, the attackers use port-forwarding tools such as HTran and PortTranC to redirect traffic to RDP port 3389, giving them remote control of the compromised systems. Attack vectors include file upload vulnerabilities, web framework and WAS vulnerabilities, and unpatched services exposed to RCE. Further malicious activity involves the deployment of backdoors, CoinMiners, and proxy tools used to compromise the internal network.
MITRE ATT&CK & Malware Families
ATT&CK techniques: (none listed)
Malware families: JuicyPotato, BadPotato, HTran, PortTranC, Jsprat, PrintSpoofer
Indicators of Compromise (8)

Type            Indicator                                                          Created
CVE             CVE-2019-1458                                                      2026-04-14
FileHash-MD5    0f0a43507e9fb6adb3c4dac92072cec2                                   2026-04-14
FileHash-MD5    141f13b3aae7a0e2410bb3a59101df75                                   2026-04-14
FileHash-MD5    297e9a406f4a7b361882320d9801cfa0                                   2026-04-14
FileHash-MD5    33034332feae99284adb3e20e8fa534f                                   2026-04-14
FileHash-MD5    5b3ed99a5ef7ee49436e38a6fc7bf50d                                   2026-04-14
FileHash-SHA1   4504e0d9d5843a1b6637dcff2e7a8875fd774b4a                           2026-04-14
FileHash-SHA256 aa0db29e00c33ba522540485b545ca0da7d2a7e8186f54a8a4dabd9438884c1d   2026-04-14