Solutions  ·  2026-06-07

ReliaQuest Agentic AI SOC Correlation Surfaces China-Linked IIS Espionage Cluster OP-512 — Proof Point for AI-Assisted Threat Detection

Solutions · Medium impact · Global
ReliaQuest published a threat spotlight on June 5 documenting that its agentic AI correlated dispersed, seemingly unrelated endpoint and network telemetry to identify and escalate a China-linked espionage cluster (OP-512) targeting Internet-facing Microsoft IIS servers running end-of-life .NET Framework 4.0. The attackers deployed three custom web shells with per-deployment cryptographic uniqueness, encrypted command channels, reflective loading, timestomping, and DNS-based self-reporting of deployed URLs. Detection relied on behavioral signals from w3wp.exe DNS queries and ASP.NET temporary compilation paths, not signatures.
This is a documented production instance of agentic AI performing multi-signal event correlation, not just summarisation, across telemetry that human analysts working at typical SOC alert volumes and dwell times would likely have missed. For security teams evaluating AI-assisted SOC tools, it illustrates both the detection value and the governance requirement: AI correlation must be paired with explainable evidence trails and human validation before escalation, because a model confident enough to assemble a real cluster from weak signals is equally able to discard weak signals that an analyst should have been shown.
SOC teams and MDR buyers should evaluate whether their AI correlation tools produce explainable evidence trails; IR teams handling IIS environments should implement the OP-512 behavioral detections (w3wp.exe hex-encoded DNS queries, anomalous .ashx responses); infrastructure teams should audit and retire EoL .NET Framework 4.0 hosts.
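The two behavioral signals named above, and the correlation step the spotlight credits the agentic AI with, can be prototyped against endpoint telemetry. The block below is an added illustration written for this page, not ReliaQuest's detection content and not from the OP-512 report. It assumes Sysmon-style events (Event ID 22 DNS queries with Image and QueryName, Event ID 11 file creates with TargetFilename) flattened into dicts with assumed key names, a 16-character minimum for a hex label and a 30-minute correlation window (both assumed thresholds), and a small constructed event set.

```python
"""Correlate two OP-512-style signals on IIS hosts (added example, not the report's code).

Event dicts loosely follow Sysmon Event ID 22 (DNS query: Image, QueryName) and
Event ID 11 (file create: Image, TargetFilename). Key names, thresholds and the
sample events are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Leading DNS labels made only of hex digits and at least this long are treated as
# encoded payload. 16 is an assumed threshold, not a value from the ReliaQuest report.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
# ASP.NET writes dynamically compiled handlers (for example .ashx) under this tree.
ASPNET_TEMP = re.compile(r"\\Temporary ASP\.NET Files\\", re.IGNORECASE)
WINDOW = timedelta(minutes=30)  # assumed correlation window


def hex_labels(query_name):
    """Return the run of leading labels that look like hex-encoded data."""
    run = []
    for label in query_name.rstrip(".").split("."):
        if not HEX_LABEL.match(label):
            break
        run.append(label)
    return run


def decode_hex_labels(labels):
    """Concatenate and hex-decode labels; return text only if it is printable ASCII."""
    try:
        raw = bytes.fromhex("".join(labels))
    except ValueError:  # odd length or a non-hex character
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def is_w3wp_hex_dns(ev):
    """Signal 1: the IIS worker process resolving a name carrying hex-encoded labels."""
    return (ev["event_id"] == 22
            and ev["image"].lower().endswith("\\w3wp.exe")
            and bool(hex_labels(ev["query_name"])))


def is_aspnet_temp_write(ev):
    """Signal 2: a file created under the ASP.NET temporary compilation tree."""
    return ev["event_id"] == 11 and ASPNET_TEMP.search(ev["target_filename"]) is not None


def correlate(events, window=WINDOW):
    """Return one finding per host where both signals occur within `window` of each other.

    Either signal alone is low confidence: w3wp.exe legitimately resolves backend names
    and ASP.NET recompiles on every deployment. Together on one host, close in time,
    they describe a freshly compiled handler reporting its own URL over DNS.
    """
    by_host = defaultdict(lambda: {"dns": [], "file": []})
    for ev in events:
        if is_w3wp_hex_dns(ev):
            by_host[ev["host"]]["dns"].append(ev)
        elif is_aspnet_temp_write(ev):
            by_host[ev["host"]]["file"].append(ev)

    findings = []
    for host, sig in sorted(by_host.items()):
        pairs = [(d, f) for d in sig["dns"] for f in sig["file"]
                 if abs(d["time"] - f["time"]) <= window]
        if not pairs:
            continue
        dns_ev, file_ev = min(pairs, key=lambda p: abs(p[0]["time"] - p[1]["time"]))
        findings.append({
            "host": host,
            "query_name": dns_ev["query_name"],
            "decoded": decode_hex_labels(hex_labels(dns_ev["query_name"])),
            "compiled_file": file_ev["target_filename"],
            "gap_seconds": abs((dns_ev["time"] - file_ev["time"]).total_seconds()),
        })
    return findings


# Constructed sample telemetry (not real hosts, domains or observed queries).
T0 = datetime(2026, 6, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # iis-web-01: a handler is compiled, then w3wp.exe resolves a name whose leading
    # label is hex("http://x/u.ashx") under an attacker-controlled parent domain.
    {"host": "iis-web-01", "event_id": 11, "time": T0,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "target_filename": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\1a2b3c4d\App_Web_u.ashx.dll"},
    {"host": "iis-web-01", "event_id": 22, "time": T0 + timedelta(minutes=4),
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "query_name": "687474703a2f2f782f752e61736878.c2.example"},
    # iis-web-02: routine recompile after a deployment plus a database lookup; no finding.
    {"host": "iis-web-02", "event_id": 11, "time": T0,
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target_filename": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9f8e7d6c\App_Web_default.aspx.dll"},
    {"host": "iis-web-02", "event_id": 22, "time": T0 + timedelta(minutes=1),
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "query_name": "sql01.corp.example"},
    # iis-web-03: a hex-looking query from w3wp.exe with no nearby compilation; no finding.
    {"host": "iis-web-03", "event_id": 22, "time": T0 + timedelta(hours=5),
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "query_name": "0123456789abcdef0123.cdn.example"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Only iis-web-01 produces a finding, and its decoded label is the URL the constructed handler "reported" about itself; iis-web-02 and iis-web-03 each carry one signal and stay below the bar. That is the point of the spotlight: the evidence the AI correlated is individually benign-looking, so any production version of this should emit the matched events (not just a verdict) so an analyst can check the pairing before escalation. The hex threshold and window are starting points to tune against your own IIS baseline.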
Sources
ReliaQuest: Threat Spotlight — Agentic AI Uncovers OP-512