Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network

Thursday 15 October 15:00 - 15:30, Green room   

Salim Bitam & Jia Yu Chan (Elastic)

What happens when a cryptographic key meant to protect your web application is copy-pasted from StackOverflow or Microsoft's own documentation? For a Chinese-speaking threat actor we track as REF3927, these publicly disclosed ASP.NET machine keys became the entry point to a global campaign – and hundreds of IIS servers worldwide found out the hard way.

Elastic Security Labs and Texas A&M University System Cybersecurity investigated an intrusion where the attacker exploited a reused machine key to forge malicious ViewState payloads and achieve code execution via deserialization. Through collaboration with Validin's scanning infrastructure, we identified 571 actively infected IIS servers worldwide – notably excluding China – across all industry verticals, indicating opportunistic, automated targeting. The investigation remains ongoing, as we continue to track the threat actor's operations.

Post-compromise, REF3927 deploys a Godzilla-forked webshell framework (Z-Godzilla_ekp), the GotoHTTP RMM tool for persistent access, and a modified version of the open-source "Hidden" kernel rootkit using DKOM to conceal processes, files, and registry artifacts. The campaign's ultimate objective is installing TOLLBOOTH, a malicious IIS module that transforms compromised servers into nodes in a sprawling SEO fraud network. TOLLBOOTH serves keyword-stuffed link farm pages to search engine crawlers while fingerprinting and redirecting human visitors to attacker-controlled landing pages, and exposes a built-in webshell.

Despite the scale of this campaign, in-depth public analysis of financially motivated actors weaponizing .NET deserialization in the wild remains scarce. This presentation will detail the full kill chain, from ViewState deserialization to rootkit internals to TOLLBOOTH's SEO monetization engine, and provide reverse engineering insights into each tooling component, detection rules, and practical remediation guidance.

Salim Bitam Salim Bitam is a senior threat researcher at Elastic Security Labs, focusing on dissecting advanced cyber threats and automating the analysis of complex binaries. He is recognized for his research into novel malware and high-stakes intrusions, where he builds custom configuration extractors and develops detection rules to counter evolving threats. Salim actively shares his findings through technical blogs and community resources, helping fellow researchers stay ahead of both state-sponsored and financially motivated threat actors.

Jia Yu Chan Jia Yu Chan is a malware research engineer at Elastic Security Labs, where he focuses on hunting and analysing novel threats, reverse engineering malware, and developing YARA detection rules. His research spans a broad range of adversary tradecraft, from commodity infostealers and MaaS ecosystems to sophisticated loader chains, signed driver abuse, and post-exploitation frameworks targeting enterprise environments. He regularly publishes his findings as technical articles for the wider security community.

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers