UAT-8099 Targets IIS Servers with BadIIS SEO Malware

Cisco Talos researchers have uncovered a new campaign by China-linked threat actor UAT-8099, active between late 2025 and early 2026, targeting vulnerable Internet Information Services (IIS) servers across Asia—particularly in Thailand and Vietnam.

Campaign Overview

  • Threat Actor: UAT-8099 (China-linked).
  • Targets: IIS servers in India, Pakistan, Thailand, Vietnam, Japan (with concentration in Thailand & Vietnam).
  • Initial Access: Exploiting IIS vulnerabilities or weak file upload settings.
  • Persistence: Hidden accounts (admin$, fallback mysql$) created to maintain access.
  • Tools Used:
    • Web shells & PowerShell for execution.
    • GotoHTTP for remote control.
    • SoftEther VPN & EasyTier for covert access.
    • Sharp4RemoveLog (clear event logs).
    • CnCrypt Protect (hide malicious files).
    • OpenArk64 (terminate security processes).

BadIIS Malware Variants

  • BadIIS IISHijack – Targets victims in Vietnam.
  • BadIIS asdSearchEngine – Targets Thailand or Thai-language users.
  • Core Functionality:
    • Scans incoming IIS requests.
    • If crawler → redirect to SEO fraud site.
    • If user with Thai language header → inject malicious JavaScript redirect.

Three distinct variants in the asdSearchEngine cluster:

  1. Exclusive multiple extensions variant – Avoids resource-heavy/static file types.
  2. Load HTML templates variant – Dynamically generates SEO content using templates/randomized data.
  3. Dynamic page extension/directory index variant – Focuses injections on dynamic pages (e.g., default.aspx, index.php) for maximum SEO poisoning impact.
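The core request-handling logic above (crawler gets a redirect, ordinary visitor gets the page) and the first and third asdSearchEngine variants (static extensions skipped, dynamic pages such as default.aspx targeted) leave a measurable trace in the server's own W3C logs: the same dynamic URI answers 3xx to crawler User-Agents and 200 to everyone else. The following script is an added example written for this page, not Talos tooling or BadIIS code; it parses constructed IIS W3C log lines (the sample data is made up) and flags URIs showing that crawler/user split. The field names follow the standard IIS W3C `#Fields` directive; the crawler markers cover the Google, Bing and Yahoo crawlers named on the page.

```python
"""Flag search-engine cloaking in IIS W3C logs (added detection example, not project code)."""
from collections import defaultdict

# Constructed sample log excerpt (not real victim data). IIS writes User-Agent
# with spaces encoded as '+', so every field is safely space-delimited.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem sc-status cs(User-Agent)
2026-01-10 08:00:01 GET /default.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120
2026-01-10 08:00:05 GET /default.aspx 302 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
2026-01-10 08:00:09 GET /default.aspx 302 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm)
2026-01-10 08:00:12 GET /styles/site.css 200 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
2026-01-10 08:00:15 GET /styles/site.css 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120
2026-01-10 08:00:20 GET /about.aspx 200 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
2026-01-10 08:00:22 GET /about.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120
"""

# Google, Bing and Yahoo (Slurp) crawlers, the three the page says the malware serves.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp")
# The "exclusive multiple extensions" variant skips static content, so cloaking
# shows up on dynamic pages only; we skip the same extensions to cut noise.
STATIC_EXTENSIONS = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".svg")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields directive before data")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the whole scan
        yield dict(zip(fields, values))


def is_crawler(user_agent):
    """True if the User-Agent claims to be one of the tracked search crawlers."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def is_dynamic(uri):
    """True unless the request is for a static asset type."""
    return not uri.lower().endswith(STATIC_EXTENSIONS)


def find_cloaking(text):
    """Return {uri: {"crawler": statuses, "user": statuses}} for dynamic URIs where
    crawlers received a redirect while ordinary browsers received 200."""
    seen = defaultdict(lambda: {"crawler": set(), "user": set()})
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if not is_dynamic(uri):
            continue
        try:
            status = int(rec["sc-status"])
        except ValueError:
            continue
        bucket = "crawler" if is_crawler(rec["cs(User-Agent)"]) else "user"
        seen[uri][bucket].add(status)
    return {
        uri: buckets
        for uri, buckets in seen.items()
        if buckets["crawler"] & REDIRECT_STATUSES and 200 in buckets["user"]
    }


if __name__ == "__main__":
    for uri, buckets in find_cloaking(SAMPLE_LOG).items():
        print(f"possible cloaking on {uri}: crawlers got {sorted(buckets['crawler'])}, "
              f"users got {sorted(buckets['user'])}")
```

On the sample, `/default.aspx` is flagged (crawlers see 302, browsers see 200) while `/about.aspx` is not and `/styles/site.css` is never considered. Run it against real logs by reading the files under `%SystemDrive%\inetpub\logs\LogFiles` into `find_cloaking`; because the injected-JavaScript path for Thai-language visitors is keyed on a request header, that half of the behaviour is only visible if Accept-Language has been added to the site's custom log fields, after which the same bucket-and-compare approach applies.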

Evolution of Tactics

  • Shift from broad SEO fraud to regional targeting (Thailand & Vietnam).
  • Increased use of red team utilities and legitimate tools to evade detection.
  • GotoHTTP launched via VBScript + PowerShell for stealthy remote control.
  • Development of a Linux BadIIS variant (an ELF binary) with proxy, injector, and SEO fraud modes; it targets only Google, Bing, and Yahoo crawlers.

Strategic Impact

  • SEO poisoning: Redirects search engine crawlers to fraudulent sites, boosting malicious domains.
  • Stealth: Avoids static file injections to reduce suspicious error logs.
  • Persistence: Multiple hidden accounts ensure long-term access.
  • Cross-platform expansion: Refinement of Linux variant shows intent to broaden attack surface.

Defensive Recommendations

  • Patch IIS vulnerabilities and harden file upload settings.
  • Audit accounts: Look for hidden accounts (admin$, mysql$).
  • Monitor logs: Detect event log tampering and suspicious PowerShell activity.
  • Network controls: Restrict external access to IIS servers, enforce VPN monitoring.
  • Threat hunting: Watch for SEO poisoning indicators (unexpected redirects, injected JavaScript).

Takeaway

UAT-8099’s BadIIS campaign demonstrates how state-linked actors weaponize IIS servers for SEO fraud and covert persistence. By evolving tactics—regional targeting, hidden accounts, and Linux variants—the group is refining its ability to blend cybercrime with espionage-style persistence. Organizations in Asia, especially Thailand and Vietnam, must prioritize patching, monitoring, and account auditing to defend against this ongoing threat.
