Threat Intelligence Report

TOLLBOOTH: What's yours, IIS mine — Elastic Security Labs

📅 October 28, 2025 📰 www.elastic.co 🔍 0 CVE(s) referenced

A Chinese-speaking threat actor, REF3927, is exploiting publicly disclosed ASP.NET machine keys to globally compromise IIS servers, deploying the TOLLBOOTH malware for SEO cloaking, persistent access, and monetization through a sophisticated blend of webshells, rootkits, and remote management tools.

vendor

🔐 Sign In to Read Full Report

You'll need to accept our Terms of Service to access the platform.

📊 Visual Mindmap

🎯 IOC Extraction

⚔️ MITRE ATT&CK TTPs

📦 STIX 2.1 Bundle