OwlProxy
OwlProxy is an IIS/HTTP proxy backdoor malware family with command-execution and tunneling functionality. It has been described as an HTTP proxy with backdoor capabilities first discovered in April 2020 in an attack targeting the Taiwanese government. Reported variants exist in both 32-bit and 64-bit forms.

OwlProxy has been observed as an IIS-loaded HTTP request handler that registers specific HTTPS URL prefixes, receives inbound HTTP requests, executes commands locally, and returns output in web responses. Documented functionality includes encrypted command execution, installation of proxy handlers, and multi-stage proxying to reach internal non-internet-exposed hosts. In one analyzed variant (fuscom.dll), persistence was established via a Windows service named FastUserSwitchingCompatibility; another reported deployment wrote wmipd.dll to C:\windows\system32\ and created a service named WMI Provider.

Observed URL patterns include /HelpTheme and /HelpTheme/pp/ in one variant, and /topics/ and /topics/pp/ in another, with parameters such as s?pa= for command execution and s?pp= for proxy setup. Traffic and parameters were reported as Base64-encoded and XOR-encrypted, including a scheme derived from the hardcoded Unicode string "20170502160306". Command prefixes reported for one variant include "w;" to execute and return output, "rk;" to execute without returning output, and "wf;" for a time-stomping-related function.
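As an added hunting example (not code from the original page or from any vendor report), the script below walks IIS W3C log lines and flags requests that hit the URL prefixes reported above together with the pa= or pp= parameters. The W3C field order and the log lines are constructed for illustration; the generic /topics prefix is deliberately included to show that the parameter check, not the path alone, is what separates a hit from ordinary traffic.

```python
import urllib.parse
from typing import Dict, List

# URL prefixes and query parameters reported for OwlProxy variants.
OWLPROXY_PREFIXES = ("/HelpTheme", "/topics")
OWLPROXY_PARAMS = {"pa": "command execution", "pp": "proxy setup"}

# Default IIS W3C field order, used only if the log carries no #Fields header (assumption).
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log (not real telemetry): two OwlProxy-style requests, two benign ones.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-01 10:00:09 10.0.0.5 POST /HelpTheme/s pa=dGVzdA== 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-01 10:00:15 10.0.0.5 GET /topics/pp/s pp=Y29ubmVjdA== 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-01 10:00:20 10.0.0.5 GET /topics/news.aspx id=3 443 - 198.51.100.2 Mozilla/5.0 200
"""


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts, honouring the #Fields header when present."""
    fields, records = W3C_FIELDS, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def hunt_owlproxy(log_text: str) -> List[Dict[str, str]]:
    """Return requests whose path sits under a reported prefix and whose query carries pa= or pp=."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if not any(stem == p or stem.startswith(p + "/") for p in OWLPROXY_PREFIXES):
            continue
        query = rec.get("cs-uri-query", "-")
        params = {} if query == "-" else dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
        matched = [name for name in OWLPROXY_PARAMS if name in params]
        if matched:
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec.get("c-ip", "?"),
                         "uri": stem, "param": matched[0], "why": OWLPROXY_PARAMS[matched[0]]})
    return hits
```

Run it over a real IIS log directory by reading each file into hunt_owlproxy; a hit is a lead for pulling the server's IIS module list and service configuration, not a verdict on its own.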
OwlProxy has been observed in compromises of Microsoft Exchange and IIS infrastructure, including IIS backdoors installed via web shells during exploitation of ProxyLogon vulnerabilities on on-premises Exchange servers. ESET observed OwlProxy on compromised email servers in Asia and South America during broader ProxyLogon exploitation by multiple APT groups. Unit 42 also observed OwlProxy in intrusion cluster CL-STA-0046 targeting a Southeast Asian government, where attackers used multiple web shells, reconnaissance utilities, SMB lateral movement, and additional tooling including SessionManager, Cobalt Strike, Meterpreter, EarthWorm, and SpoolFool. In that cluster, the combination of OwlProxy and SessionManager was assessed with moderate confidence to be associated with the Gelsemium APT group.
Reporting links OwlProxy to Chinese threat activity, though attribution is not fully settled across all cases. Telsy stated OwlProxy is primarily used by Chinese threat actors; CyCraft attributed OwlProxy to Chimera; ESET noted code overlap with Gelsevirine, which ESET attributed to Gelsemium; and Unit 42 associated OwlProxy use with Gelsemium in CL-STA-0046. Targeting mentioned in the reporting includes governments, public-sector entities, critical infrastructure, healthcare, finance-related administrators, ministries, and Exchange/IIS servers, particularly in East Asia, Southeast Asia, the Middle East, South America, and other regions affected by ProxyLogon exploitation.
Vulnerabilities exploited
IIS backdoors – ESET observed IIS backdoors installed via web shells used in these compromises on four email servers located in Asia and South America. One of the backdoors is publicly known as Owlproxy.
Recent activity
Custom HTTP proxy/backdoor deployed as a service-hosted DLL (e.g., wmipd.dll) that handles inbound HTTP requests on specific URL prefixes and supports command execution and proxying to enable pivoting through the compromised server.
Malware used in the Gelsemium-attributed cluster; described as a unique tool in combination with SessionManager and associated with past Gelsemium activity.
A malicious IIS/Windows service–persisted DLL backdoor that registers HTTP handlers on attacker-chosen URLs to provide encrypted command execution (via cmd.exe) and on-demand proxy/tunneling capabilities (connect/send/recv/disconnect) to reach internal hosts through the compromised server.
Additional malware module encountered during the investigation, available in 32-bit and 64-bit variants and sharing code characteristics with Gelsemium components.