Pulse: Q1 2026 malware statistics report for Windows web servers
TLP: WHITE | Tag: Larva-26001 | Source: AlienVault | Created: 2026-04-14 | Modified: 2026-04-14
8 IOCs | Low volume
Analysis of attacks on Windows web servers during Q1 2026 shows that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats from web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escalation tools such as JuicyPotato and BadPotato and exploiting CVE-2019-1458. After escalating privileges, the attackers use port-forwarding tools such as HTran and PortTranC to relay traffic to RDP port 3389, giving them remote control of the compromised systems. Initial access vectors include file upload vulnerabilities, web framework and WAS (web application server) vulnerabilities, and exposed services with unpatched RCE flaws. Further malicious activity includes deployment of backdoors, CoinMiners, and proxy tools used to move into the internal network.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: JuicyPotato, BadPotato, HTran, PortTranC, Jsprat, PrintSpoofer
Indicators of Compromise (showing 1 of 8 total)
Type: FileHash-SHA256
Indicator: aa0db29e00c33ba522540485b545ca0da7d2a7e8186f54a8a4dabd9438884c1d
Description: none
Created: 2026-04-14