TOLLBOOTH
TOLLBOOTH is a malicious IIS module/backdoor deployed on compromised Windows IIS/ASP.NET servers. Reporting links it to the REF3927 intrusion cluster, a Chinese-speaking threat actor that gained initial access by exploiting misconfigured ASP.NET applications that reused publicly exposed machine keys; with those keys the actor can forge ViewState payloads that the server deserializes. After compromise, the actor deployed webshells, attempted account creation and credential dumping, used the legitimate RMM tool GotoHTTP, and attempted to install a modified Hidden rootkit. Elastic assessed that deploying TOLLBOOTH was the actor's primary objective and its means of monetizing the access.
TOLLBOOTH provides SEO cloaking, a management channel, and webshell functionality. It was observed in 32-bit and 64-bit forms, including both native and .NET managed variants. It dynamically retrieves per-victim configuration from hxxps://c[.]cseo99[.]com/config/<victim_HTTP_host_value>.json. The native variant stores Gzip-compressed config/cache files under C:\Windows\Temp_FAB234CD3-09434-8898D-BFFC-4E23123DF2C, while the managed variant stores AES-encrypted (key: YourSecretKey123; IV: 0123456789ABCDEF) and Gzip-compressed files under C:\Windows\Temp\AcpLogs.
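The managed variant's cache and config files can be recovered offline with the key and IV above. The Go program below is an added example, not TOLLBOOTH's code and not taken from the Elastic or Validin reporting. It assumes AES-128-CBC with PKCS#7 padding (the .NET AesManaged defaults; the page says only "AES"), and because the page does not state whether a file is compressed before or after encryption, the decoder checks the outer layer for the gzip magic bytes and handles either order. The sample blob is constructed inside the program with its own encoders; the JSON shape is hypothetical.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"io"
)

// Key and IV reported for the managed TOLLBOOTH variant (16 bytes each, so AES-128).
// Assumed mode: CBC with PKCS#7 padding, the .NET AesManaged defaults; the page only says "AES".
var (
	tollboothKey = []byte("YourSecretKey123")
	tollboothIV  = []byte("0123456789ABCDEF")
)

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad PKCS#7 padding: wrong key, IV or mode")
	}
	return b[:len(b)-n], nil
}

func aesCBCEncrypt(plain []byte) []byte {
	block, _ := aes.NewCipher(tollboothKey) // fixed 16-byte key: NewCipher cannot fail here
	padded := pkcs7Pad(plain, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, tollboothIV).CryptBlocks(out, padded)
	return out
}

func aesCBCDecrypt(ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(tollboothKey)
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, tollboothIV).CryptBlocks(out, ct)
	return pkcs7Unpad(out, block.BlockSize())
}

func gzipCompress(b []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(b)
	w.Close()
	return buf.Bytes()
}

func gunzip(b []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(b))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

// isGzip tests the two-byte gzip magic; it is how the decoder tells the layer order apart.
func isGzip(b []byte) bool { return len(b) >= 2 && b[0] == 0x1f && b[1] == 0x8b }

// DecodeCache recovers the plaintext of a managed-variant blob whether it was compressed then
// encrypted (outer layer is ciphertext) or encrypted then compressed (outer layer is gzip).
func DecodeCache(blob []byte) ([]byte, error) {
	if isGzip(blob) {
		inner, err := gunzip(blob)
		if err != nil {
			return nil, err
		}
		return aesCBCDecrypt(inner)
	}
	inner, err := aesCBCDecrypt(blob)
	if err != nil {
		return nil, err
	}
	if isGzip(inner) {
		return gunzip(inner)
	}
	return inner, nil // AES-only blob
}

// Encoders for constructed test blobs only; not a claim about how the malware writes its files.
func EncodeGzipThenAES(plain []byte) []byte { return aesCBCEncrypt(gzipCompress(plain)) }
func EncodeAESThenGzip(plain []byte) []byte { return gzipCompress(aesCBCEncrypt(plain)) }

func main() {
	sample := []byte(`{"host":"victim.example"}`) // constructed; the real schema is undocumented here
	out, err := DecodeCache(EncodeGzipThenAES(sample))
	fmt.Printf("%s err=%v\n", out, err)
}
```

To use it on a file pulled from C:\Windows\Temp\AcpLogs, replace the constructed sample with the file's bytes. A padding or gzip error on both paths means the sample does not use the assumed mode, key or layering, so treat that as a cue to pull the module and read its crypto routine rather than as a clean result.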
Its webshell is exposed at /mywebdll and uses the hardcoded password hack123456! for uploads and command execution; form submission sends POST requests to /scjg. TOLLBOOTH also exposes management/debug endpoints including /health, /debug, /conf, and /clean, gated by specific bot-like User-Agent strings such as Googlebot and bingbot variants. For SEO cloaking, it distinguishes bots from human visitors using User-Agent and Referer matching rules from its configuration, fingerprints visitors, and reports to hxxps://api[.]aseo99[.]com/client/landpage to obtain redirect destinations.
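Requests to these paths leave a clear trail in IIS W3C logs. The Go program below is an added example, not part of the original page or of any vendor detection content: it parses a constructed log excerpt (not real victim traffic) using the log's own #Fields header, flags any request to the webshell endpoints, and flags the management endpoints only when they are hit with a crawler User-Agent. Because the exact gating User-Agent strings are not published on this page, the match is a deliberate over-approximation on the substrings googlebot and bingbot. IIS writes spaces in the User-Agent as '+', so each column is a single token.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed IIS W3C log excerpt, not real victim traffic. IIS writes the User-Agent
// with spaces replaced by '+', so every column is a single whitespace-free token.
const sampleLog = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-01 10:00:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 31
2025-10-01 10:00:05 10.0.0.5 POST /mywebdll - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-10-01 10:00:06 10.0.0.5 POST /scjg - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 88
2025-10-01 10:00:09 10.0.0.5 GET /conf - 443 - 203.0.113.9 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 14
2025-10-01 10:00:10 10.0.0.5 GET /health - 443 - 192.0.2.33 kube-probe/1.29 - 200 0 0 2
2025-10-01 10:00:12 10.0.0.5 GET /health - 443 - 203.0.113.9 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 200 0 0 5
`

// Hit is one flagged request with the reason it matched.
type Hit struct {
	Time, ClientIP, Method, Path, Reason string
}

var (
	// Paths documented for TOLLBOOTH's webshell: any hit is high confidence.
	webshellPaths = map[string]bool{"/mywebdll": true, "/scjg": true}
	// Management/debug endpoints: only suspicious together with a crawler User-Agent,
	// because /health and /debug are ordinary names on many servers.
	managementPaths = map[string]bool{"/health": true, "/debug": true, "/conf": true, "/clean": true}
	// The exact gating strings are not published here; substring matching over-approximates on purpose.
	gatingUA = []string{"googlebot", "bingbot"}
)

func hasAny(s string, subs []string) bool {
	for _, sub := range subs {
		if strings.Contains(s, sub) {
			return true
		}
	}
	return false
}

// HuntTollbooth parses W3C log text using its own #Fields header (so column order does not
// matter) and returns the requests that match TOLLBOOTH's documented endpoints.
func HuntTollbooth(log string) []Hit {
	var hits []Hit
	var fields []string
	for _, line := range strings.Split(log, "\n") {
		switch {
		case strings.HasPrefix(line, "#Fields:"):
			fields = strings.Fields(strings.TrimPrefix(line, "#Fields:"))
			continue
		case line == "" || strings.HasPrefix(line, "#") || fields == nil:
			continue
		}
		cols := strings.Fields(line)
		if len(cols) != len(fields) {
			continue // malformed row; a real hunt would log and move on
		}
		row := make(map[string]string, len(fields))
		for i, f := range fields {
			row[f] = cols[i]
		}
		path := strings.ToLower(row["cs-uri-stem"])
		ua := strings.ToLower(row["cs(User-Agent)"])
		hit := Hit{row["time"], row["c-ip"], row["cs-method"], path, ""}
		switch {
		case webshellPaths[path]:
			hit.Reason = "webshell endpoint"
		case managementPaths[path] && hasAny(ua, gatingUA):
			hit.Reason = "management endpoint with crawler User-Agent"
		default:
			continue
		}
		hits = append(hits, hit)
	}
	return hits
}

func main() {
	for _, h := range HuntTollbooth(sampleLog) {
		fmt.Printf("%s %s %s %s  <- %s\n", h.Time, h.ClientIP, h.Method, h.Path, h.Reason)
	}
}
```

On the constructed sample this flags the /mywebdll and /scjg POSTs and the /conf and /health requests carrying crawler User-Agents, and leaves the browser request and the kube-probe health check alone. A genuine Googlebot or bingbot can still hit a path such as /health, so confirm the source IP through the search engines' published crawler verification before escalating a management-endpoint hit; a hit on /mywebdll or /scjg needs no such check.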
Victimology indicates broad, untargeted global deployment rather than sector-specific targeting: Validin and Elastic identified 571 actively infected IIS servers worldwide at the time of publication, with a notable absence of victims in China, suggesting geofencing. The malware is also tracked as HijackServer.
Groups observed using it
1 distinct threat actor (REF3927) attributed by public researchers.
...deploy TOLLBOOTH (aka HijackServer) that comes with SEO cloaking and web shell capabilities.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
IIS backdoor/module deployed using publicly exposed ASP.NET machine keys; provides SEO cloaking and web shell-like remote command execution capability.
A malicious IIS module/backdoor deployed on compromised Windows IIS servers. It supports SEO cloaking (serving keyword-stuffed/link-farm content to crawlers while redirecting human visitors), exposes a webshell endpoint (/mywebdll) with a hardcoded password, and provides operator management/debug endpoints (/health, /debug, /conf, /clean) gated by specific User-Agent strings. It dynamically retrieves per-victim configuration from attacker infrastructure and can also serve a loader that pulls an obfuscated JavaScript next stage for page hijacking/content replacement.
Windows trojan identified by unique byte patterns and strings associated with its execution and functionality.
SEO cloaking modules deployed on compromised IIS servers.