ReliaQuest's Agentic AI Uncovers New China-Linked Cluster OP-512

    Date: 06/11/2026

    Severity: Medium

    Summary

    OP-512 is a newly identified, likely China-linked cyberespionage cluster that targeted a compromised IIS web server to conduct long-term intelligence-gathering operations. The threat actor deployed a custom web shell framework featuring cryptographically unique payloads, encrypted access controls, and centralized management capabilities, making traditional signature-based detection ineffective. The campaign demonstrated persistent access, privilege escalation, and multiple command channels, highlighting a sophisticated espionage operation focused on maintaining stealthy, long-term access to targeted environments. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    ashx.lhlsjcb.com
    hcgos.com

    IP Addresses

    43.160.202.246
    140.206.161.227
    124.156.129.151

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "ashx.lhlsjcb.com" or url like "ashx.lhlsjcb.com" or siteurl like "ashx.lhlsjcb.com" or domainname like "hcgos.com" or url like "hcgos.com" or siteurl like "hcgos.com"

    Detection Query 2:

    dstipaddress IN ("140.206.161.227","43.160.202.246","124.156.129.151") or srcipaddress IN ("140.206.161.227","43.160.202.246","124.156.129.151")
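    As an added example that is not part of this advisory or of Gurucul's TDIR product, the two queries above rewritten as a small Python matcher and run over constructed sample events (proxy, DNS, firewall and one benign record). It assumes the `like` predicate means the IoC host itself or any subdomain of it, and that event field names are the ones used in the queries.

```python
import ipaddress
from urllib.parse import urlsplit
# IoCs exactly as listed in the advisory above.
IOC_DOMAINS = ("ashx.lhlsjcb.com", "hcgos.com")
IOC_IPS = {ipaddress.ip_address(a) for a in
           ("43.160.202.246", "140.206.161.227", "124.156.129.151")}
DOMAIN_FIELDS = ("domainname", "url", "siteurl")   # fields named in Query 1
IP_FIELDS = ("dstipaddress", "srcipaddress")       # fields named in Query 2

def _hostname(value: str) -> str:
    """Host part of a bare hostname or a full URL, lowercased."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v           # lets urlsplit treat a bare host as the netloc
    return urlsplit(v).hostname or ""

def _domain_hit(host: str):
    # Assumption: the query's `like` means "this host or any subdomain of it".
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def _ip_hit(value: str):
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:         # field holds something that is not an IP
        return None
    return str(ip) if ip in IOC_IPS else None

def match_event(event: dict) -> list:
    """'field=ioc' for every IoC the event touches (empty list if clean).
    One event can satisfy both queries, e.g. a proxy log with URL and dst IP."""
    hits = []
    for f in DOMAIN_FIELDS:
        if f in event and (d := _domain_hit(_hostname(str(event[f])))):
            hits.append(f"{f}={d}")
    for f in IP_FIELDS:
        if f in event and (ip := _ip_hit(str(event[f]))):
            hits.append(f"{f}={ip}")
    return hits

# Constructed sample events (not from the advisory): proxy, DNS, firewall, benign.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.12", "url": "http://ASHX.lhlsjcb.com/check", "dstipaddress": "43.160.202.246"},
    {"srcipaddress": "10.0.0.7", "domainname": "cdn.hcgos.com"},
    {"srcipaddress": "140.206.161.227", "dstipaddress": "10.0.0.5"},
    {"srcipaddress": "10.0.0.9", "url": "https://example.com/", "dstipaddress": "203.0.113.5"},
]
```

    Feed real proxy, DNS and firewall records as dicts to match_event; an event touching both a listed domain and a listed IP returns two hits, which is the same overlap the two TDIR queries produce when run together.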

    Reference:

    https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512#iocs


    Tags

    Threat Actor, China, Cyber Espionage, Internet Information Services (IIS)
