Trial, Error, and Typos: Why Some Malware Attacks Aren't as 'Sophisticated' as You Think
This threat analysis reveals that certain malware attacks are less sophisticated than commonly perceived, characterized by attacker errors such as mistyped commands and failed service startups. The malware campaigns involve persistence techniques and malware deployment targeting IIS web servers, using tools like Warlock, Sparkrat, and ShellcodeRunner. Despite repeated setbacks, attackers adapt their tactics through trial and error, highlighting opportunities for defenders to exploit attacker mistakes. Indicators include multiple IP addresses and malware hashes linked to these campaigns. The threat does not currently have known exploits in the wild or a CVSS score but is assessed as medium severity due to its persistence and deployment techniques. European organizations running IIS web servers and Windows environments should be vigilant, especially in countries with higher IIS adoption and strategic IT infrastructure. Mitigation requires tailored detection of attacker errors, enhanced monitoring of persistence mechanisms, and proactive blocking of identified indicators.
AI Analysis
Technical Summary
The analyzed threat challenges the assumption that all cyber threat actors operate with high sophistication and flawless execution. Through examination of three malware incidents, it is evident that attackers frequently encounter operational errors such as mistyped commands, failure to start malicious services, and difficulties evading Windows Defender. The malware campaigns leverage known persistence techniques (MITRE ATT&CK T1543, T1543.003), command and scripting execution (T1059 variants), and reconnaissance (T1082, T1087, T1016). The attackers deploy malware families including Warlock, Sparkrat, and ShellcodeRunner, targeting IIS web servers and Windows systems. Despite using similar infrastructure and tactics across attacks, the adversaries refine their methods based on trial and error, indicating a learning curve rather than advanced planning. Indicators of compromise include specific IP addresses (e.g., 103.36.25.169, 188.253.121.101) and malware hashes, as well as URLs hosting malicious tools. The absence of known exploits in the wild suggests these campaigns may be in early stages or limited scope. The study underscores the value of understanding attacker mistakes to enhance defensive strategies and improve detection of persistence and malware deployment attempts.
Potential Impact
For European organizations, the impact of this threat lies primarily in the potential for persistent malware infections on IIS web servers and Windows endpoints, which could lead to unauthorized access, data exfiltration, or disruption of services. Although the attackers demonstrate operational errors, their persistence techniques and malware deployment capabilities pose a medium risk, especially to organizations with exposed IIS infrastructure. The trial-and-error nature of the attacks may result in repeated intrusion attempts, increasing the likelihood of eventual compromise if defenses are not adaptive. The presence of malware capable of evading or struggling against Windows Defender indicates that endpoint security solutions may be challenged, requiring enhanced monitoring. Disruption of web services or unauthorized lateral movement within networks could affect confidentiality, integrity, and availability of critical systems. European entities in sectors such as government, finance, and critical infrastructure, which rely heavily on IIS and Windows environments, may face increased exposure. The threat's medium severity suggests manageable risk if mitigations are promptly applied, but complacency could lead to escalated impacts.
Mitigation Recommendations
1. Implement advanced monitoring and alerting for IIS web servers focusing on unusual persistence mechanisms, service creation, and command execution patterns consistent with T1543 and T1059 techniques.
2. Deploy endpoint detection and response (EDR) solutions capable of detecting and blocking malware families like Warlock, Sparkrat, and ShellcodeRunner, including heuristic analysis to catch attacker mistakes such as mistyped commands.
3. Regularly update and harden Windows Defender and complementary antivirus tools to improve detection rates against evolving malware variants.
4. Conduct proactive threat hunting using the provided IoCs (IP addresses and hashes) to identify and remediate infections early.
5. Restrict administrative privileges and enforce least privilege principles to limit malware persistence capabilities.
6. Harden IIS configurations by disabling unnecessary modules, applying security patches, and monitoring for unauthorized changes.
7. Use network segmentation to isolate critical web servers and limit lateral movement opportunities.
8. Educate security teams on recognizing attacker trial-and-error behaviors to enhance incident response and forensic investigations.
9. Block known malicious IP addresses and URLs at network perimeter devices to disrupt attacker infrastructure communication.
10. Continuously review and adapt security controls based on attacker adaptations observed in ongoing campaigns.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- ip: 103.36.25.169
- hash: 272de450450606d3c71a2d97c0fcccf862dfa6c76bca3e68fe2930d9decb33d2
- hash: 66a28bd3502b41480f36bd227ff5c2b75e0d41900457e5b46b00602ca2ea88cf
- hash: 909460d974261be6cc86bbdfa27bd72ccaa66d5fa9cbae7e60d725df13d7e210
- ip: 103.36.25.171
- ip: 110.172.104.95
- ip: 188.253.121.101
- ip: 188.253.126.202
- ip: 188.253.126.205
- url: http://110.172.104.95:8000/api/download/windows-tools/amd64
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/trial-error-typos-malware-attacks-sophisticated
- Adversary: null
- Pulse Id: 6949f7964b3560d9a1252452
- Threat Score: null
Threat ID: 694a5f2d033f6f66d772eb23
Added to database: 12/23/2025, 9:21:49 AM
Last enriched: 12/23/2025, 9:36:44 AM
Last updated: 12/23/2025, 9:19:34 PM