
Trial, Error, and Typos: Why Some Malware Attacks Aren't as 'Sophisticated' as You Think

Medium
Published: Tue Dec 23 2025 (12/23/2025, 01:59:50 UTC)
Source: AlienVault OTX General

Description

This analysis challenges the notion that cyber threat actors are always sophisticated and organized. Through examining three incidents, it reveals that attackers often make mistakes, face obstacles, and adapt their tactics based on trial and error. The incidents showcase how threat actors struggled with Windows Defender, mistyped commands, and failed to start malicious services. Despite using similar tactics and infrastructure across attacks, the perpetrators had to refine their methods in response to setbacks. The study emphasizes that understanding these roadblocks and attacker reactions provides valuable insights for improving cybersecurity defenses.

AI-Powered Analysis

Last updated: 01/05/2026, 11:09:37 UTC

Technical Analysis

This analysis challenges the perception that all cyber threat actors operate with high sophistication and flawless execution. It examines three malware incidents involving families such as Warlock, Sparkrat, and ShellcodeRunner targeting IIS web servers and Windows endpoints. The attackers utilize known MITRE ATT&CK techniques including persistence via service creation (T1543, T1543.003), command and scripting execution (T1059 variants), reconnaissance (T1082, T1087, T1016), and defense evasion (T1562). However, the campaigns reveal frequent operational errors such as mistyped commands, failure to start malicious services, and difficulties evading Windows Defender, indicating a trial-and-error approach rather than advanced planning. The adversaries reuse infrastructure and tactics but adapt based on setbacks encountered. Indicators of compromise include specific IP addresses (e.g., 103.36.25.169, 188.253.121.101), malware hashes, and URLs hosting malicious tools. No known exploits in the wild have been reported, suggesting these campaigns may be in early or limited stages. The study highlights that recognizing attacker mistakes and adaptations provides valuable insights for improving cybersecurity defenses and detection strategies.

Potential Impact

For European organizations, this threat primarily risks persistent malware infections on IIS web servers and Windows systems, potentially leading to unauthorized access, data theft, or disruption of critical services. Although attackers demonstrate operational errors, their use of persistence techniques and malware deployment capabilities poses a medium risk, especially for entities with exposed IIS infrastructure. The trial-and-error nature may result in repeated intrusion attempts, increasing the chance of eventual compromise if defenses are not adaptive. Endpoint security solutions like Windows Defender may be challenged, requiring enhanced monitoring and complementary tools. Disruptions could affect confidentiality, integrity, and availability of systems, impacting sectors such as government, finance, and critical infrastructure that heavily rely on IIS and Windows environments. Prompt mitigation can manage risks, but complacency could lead to escalated impacts and lateral movement within networks.

Mitigation Recommendations

1. Implement advanced monitoring and alerting on IIS web servers to detect unusual persistence mechanisms, service creation, and command execution patterns aligned with MITRE ATT&CK techniques T1543 and T1059.
2. Deploy Endpoint Detection and Response (EDR) solutions capable of heuristic analysis to detect malware families like Warlock, Sparkrat, and ShellcodeRunner, including identifying attacker operational errors such as mistyped commands.
3. Regularly update and harden Windows Defender and antivirus tools to improve detection of evolving malware variants.
4. Conduct proactive threat hunting using provided IoCs (IP addresses and hashes) to identify and remediate infections early.
5. Enforce least privilege principles and restrict administrative privileges to limit malware persistence capabilities.
6. Harden IIS configurations by disabling unnecessary modules, applying security patches promptly, and monitoring for unauthorized changes.
7. Use network segmentation to isolate critical web servers and limit lateral movement opportunities.
8. Educate security teams on recognizing attacker trial-and-error behaviors to enhance incident response and forensic investigations.
9. Block known malicious IP addresses and URLs at network perimeter devices to disrupt attacker infrastructure communication.
10. Continuously review and adapt security controls based on observed attacker adaptations in ongoing campaigns.


Technical Details

Author
AlienVault
Tlp
white
References
https://www.huntress.com/blog/trial-error-typos-malware-attacks-sophisticated
Adversary
null
Pulse Id
6949f7964b3560d9a1252452
Threat Score
null


Threat ID: 694a5f2d033f6f66d772eb23

Added to database: 12/23/2025, 9:21:49 AM

Last enriched: 1/5/2026, 11:09:37 AM

Last updated: 2/4/2026, 1:08:31 PM
