A sophisticated nation-state actor, dubbed Praying Mantis or TG-1021, was found targeting Microsoft's Internet Information Services (IIS) web servers.

The storyline

According to the Sygnia Incident Response team, the modus operandi of the recent activity by TG-1021 hints that the group brings a decent experience in staying under the radar.
  • The group reportedly exploits an RCE bug in deserialization implementation in an ASP.NET application called Checkbox used to perform user surveys. In addition, it targeted an RCE flaw in Telerik UI for ASP.NET AJAX.
  • Actors have been delivering memory-resident malware to perform reconnaissance, credential harvesting, and lateral movement inside the compromised networks.
  • The malware used by this group exhibited a great effort to evade detection by meddling with logging mechanisms, successfully evading commercial EDRs, and quietly waiting for incoming connections.

How does exploitation works?

  • These RCE flaws are abused to load a malicious DLL into the memory of vulnerable web servers. It then reflectively loads the NodeIISWeb malware into the w3wp[.]exe process.
  • Sometimes, the group uses a web shell to load NodeIISWeb instead of a reflective DLL loader.
  • NodeIISWeb deploys a custom Windows backdoor, ExtDLL[.]dll, which can be used to gather system info, manipulate files and directories, load and execute DLLs, token manipulation, and code injection.


Spotting Praying Mantis' activities are challenging due to the unpredictable nature of malware and awareness of security measures. To stay protected, researchers recommend patching .NET deserialization vulnerabilities and scanning internet-facing IIS servers with YARA rules for detecting the group’s malicious activity.

Cyware Publisher