Q1 2026 malware statistics report for Windows web servers
Analysis of Windows web server attacks during Q1 2026 reveals that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats through web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escalation tools including JuicyPotato and BadPotato, and exploiting CVE-2019-1458. After escalating privileges, the attackers use port-forwarding tools such as HTran and PortTranC to redirect traffic to RDP port 3389, enabling remote control of the compromised systems. Attack vectors include file upload vulnerabilities, web framework and WAS (web application server) vulnerabilities, and unpatched services exposed to RCE. Additional malicious activity involves the deployment of backdoors, CoinMiners, and proxy tools used to compromise the internal network.
Pulse ID: 69de008da466f2dc89165990
Pulse Link: https://otx.alienvault.com/pulse/69de008da466f2dc89165990
Pulse Author: AlienVault
Created: 2026-04-14 08:53:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APAC #Apache #BackDoor #CoinMiner #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RCE #RDP #Tomcat #Windows #bot #AlienVault
