by danielodievich 1226 days ago
Nobody sane runs FREB at full prod load on public sites. It's not installed by default. It is highly useful for troubleshooting but not at production traffic. Seems like if you're inside IIS already by some mystic hack you already own the space.
1 comments

This malware is enabling FREB then injecting malware into it. The point is to hide the exploitation better than simply injecting a custom module. You don't need to be running FREB previously.

Plus I don't find the "nobody does [XYZ]" when talking about a supported feature of a popular product reassuring; there's always a somebody or the feature would have been removed since it costs money to support and maintain it.
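An added example, not part of the thread: since the reply notes that FREB can be switched on where it was never in use, a defender can audit IIS configuration for sites where Failed Request Tracing is effectively enabled but not expected. The sample config, the `approved` allow-list and the function names are constructed for illustration; `traceFailedRequestsLogging` is the element in `applicationHost.config` that turns the feature on per site.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an applicationHost.config fragment (not from the thread).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <traceFailedRequestsLogging enabled="false" />
      </siteDefaults>
      <site name="Default Web Site" id="1">
        <traceFailedRequestsLogging enabled="true"
            directory="C:\\inetpub\\logs\\FailedReqLogFiles" />
      </site>
      <site name="Intranet" id="2" />
    </sites>
  </system.applicationHost>
</configuration>"""


def _enabled(elem):
    """Return True/False for an explicit 'enabled' attribute, None if absent."""
    if elem is None or elem.get("enabled") is None:
        return None
    return elem.get("enabled").strip().lower() == "true"


def sites_with_freb(config_xml, approved=()):
    """Names of sites where FREB is effectively on and not in the allow-list."""
    root = ET.fromstring(config_xml)
    sites = next(root.iter("sites"), None)
    if sites is None:
        return []
    default = _enabled(sites.find("siteDefaults/traceFailedRequestsLogging"))
    findings = []
    for site in sites.findall("site"):
        explicit = _enabled(site.find("traceFailedRequestsLogging"))
        # A per-site value overrides siteDefaults; with neither set, it is off.
        effective = explicit if explicit is not None else bool(default)
        name = site.get("name", "")
        if effective and name not in approved:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in sites_with_freb(SAMPLE_CONFIG):
        print(f"FREB enabled on unexpected site: {name}")
```

Run against a copy of the real `applicationHost.config` and compare the result with change records; a site that appears here without a matching troubleshooting ticket is worth a closer look.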