A reported espionage cluster tied to custom IIS web shells shows how ordinary ASP.NET handlers can become a quiet foothold on exposed servers.