Web Shell Activity on Internet-Facing Support Portal Followed by Archive Collection
ID: 0d63b033-5c6c-4849-8f1d-ab9dd326d927
STIX ID: report--0d63b033-5c6c-4849-8f1d-ab9dd326d927
Threat Score: 72/100
A public-facing support portal (support.company-example.com) was compromised on 2026-04-08 when attackers uploaded a malicious ASPX web shell (support/assets/help_image.aspx). Server logs show repeated POST requests from 203.0.113.77, execution of system commands, creation of C:\Windows\Temp\support_export_20260408.zip containing customer data, and outbound connections to 198.51.100.61 over TCP 8443 (user agent: python-requests/2.31.0), consistent with data collection and suspected exfiltration.
