Chinese Cybercrime Group Exploits IIS Servers Worldwide for SEO Fraud and Credential Theft
- Rescana
- Oct 7
- 5 min read

Executive Summary
A coordinated campaign by a Chinese-speaking cybercrime group has compromised Internet Information Services (IIS) servers globally to conduct large-scale search engine optimization (SEO) fraud and credential theft. The group, tracked as UAT-8099 by Cisco Talos and CL-UNK-1037 by Palo Alto Networks Unit 42, leverages weak file upload settings on IIS servers to deploy web shells and the custom BadIIS malware. This enables attackers to manipulate search engine rankings, redirect users to illegal gambling and malicious sites, and exfiltrate sensitive data such as credentials and certificates. The campaign has affected organizations in India, Thailand, Vietnam, Canada, Brazil, and other regions, targeting sectors including universities, technology companies, telecommunications providers, and government entities. The attackers maintain persistence through privilege escalation, remote desktop access, and VPN tools, while employing advanced evasion techniques to avoid detection. All technical details and claims in this report are directly supported by primary sources from Cisco Talos, Palo Alto Networks Unit 42, and Trend Micro.
Technical Information
The campaign exploits vulnerable IIS servers by abusing weak file upload configurations, allowing attackers to upload open-source ASP.NET web shells. Once initial access is established, the attackers escalate privileges by enabling and elevating the guest account to administrator, and create hidden accounts such as "admin$" for persistent access. Remote Desktop Protocol (RDP) is enabled for direct access, and additional persistence is achieved using tools like SoftEther VPN, EasyTier, and FRP reverse proxy.
The attackers deploy the BadIIS malware, a malicious IIS module that intercepts and manipulates HTTP traffic. BadIIS is configured to detect search engine crawlers by analyzing HTTP headers for specific keywords (such as "google", "yahoo", "bing", "viet", "coccoc", "timkhap", "tuugo"). When a crawler is detected, BadIIS contacts a command-and-control (C2) server to retrieve and serve SEO-optimized HTML content, boosting the search ranking of attacker-controlled sites. For genuine users, the module proxies content from the C2 server, often redirecting them to illegal gambling or malicious websites.
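The crawler-versus-visitor cloaking described above leaves a trace in ordinary IIS access logs: for the same URI, crawler user agents receive C2-supplied SEO pages while browsers get something else, so the response sizes diverge. The following PowerShell script is an added example, not code from the original report or from the vendors it cites. It parses W3C-format IIS log lines and flags URIs where the average response to crawler-looking user agents is far larger than the average response to everyone else. The keyword list is the one the report attributes to BadIIS; the log lines are constructed sample data, and the 3x ratio threshold is an assumption to tune against your own traffic.

```powershell
# Added example (not from the original report or the cited vendors): a heuristic
# cloaking check over IIS W3C log lines. The crawler keyword list is the set the
# report attributes to BadIIS; the sample log is constructed, not real traffic.

$CrawlerKeywords = @('google', 'yahoo', 'bing', 'viet', 'coccoc', 'timkhap', 'tuugo')

$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs(User-Agent) sc-status sc-bytes
2025-09-01 10:00:01 GET /index.aspx Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 200 5120
2025-09-01 10:00:05 GET /index.aspx Mozilla/5.0+(compatible;+Googlebot/2.1) 200 48900
2025-09-01 10:00:09 GET /index.aspx Mozilla/5.0+(compatible;+bingbot/2.0) 200 47210
2025-09-01 10:01:12 GET /about.aspx Mozilla/5.0+(Windows+NT+10.0)+Firefox/130.0 200 3900
2025-09-01 10:01:20 GET /about.aspx Mozilla/5.0+(compatible;+Googlebot/2.1) 200 4010
'@

# Parse W3C lines into objects whose property names come from the #Fields: header.
function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#')) { continue }          # other directive lines
        $values = $line -split '\s+'
        if ($null -eq $fields -or $values.Count -ne $fields.Count) { continue }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Same substring test the report describes: any keyword anywhere in the UA.
function Test-CrawlerUserAgent {
    param([string]$UserAgent)
    $ua = $UserAgent.ToLowerInvariant()
    foreach ($kw in $CrawlerKeywords) { if ($ua.Contains($kw)) { return $true } }
    return $false
}

# Per URI, compare mean sc-bytes for crawler UAs against mean sc-bytes for the rest.
function Find-CloakedUris {
    param([string[]]$Lines, [double]$Ratio = 3.0)   # threshold is an assumption
    ConvertFrom-IisW3cLog -Lines $Lines | Group-Object -Property 'cs-uri-stem' | ForEach-Object {
        $group   = $_
        $crawler = @($group.Group | Where-Object { Test-CrawlerUserAgent $_.'cs(User-Agent)' })
        $human   = @($group.Group | Where-Object { -not (Test-CrawlerUserAgent $_.'cs(User-Agent)') })
        if ($crawler.Count -eq 0 -or $human.Count -eq 0) { return }   # nothing to compare
        $c = ($crawler | ForEach-Object { [double]$_.'sc-bytes' } | Measure-Object -Average).Average
        $h = ($human   | ForEach-Object { [double]$_.'sc-bytes' } | Measure-Object -Average).Average
        if ($h -gt 0 -and ($c / $h) -ge $Ratio) {
            [pscustomobject]@{
                Uri             = $group.Name
                CrawlerAvgBytes = [int]$c
                HumanAvgBytes   = [int]$h
                Ratio           = [math]::Round($c / $h, 1)
            }
        }
    }
}

Find-CloakedUris -Lines ($SampleLog -split '\r?\n') | Format-Table -AutoSize
```

On the sample data only /index.aspx is reported (crawlers average about 48 KB against 5 KB for browsers, a ratio of roughly 9.4), while /about.aspx, where both audiences get the same page, stays quiet. To run it against a real server, replace the sample with `Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log` and make sure the site's log format includes the `cs(User-Agent)` and `sc-bytes` fields. Legitimate sites can serve crawlers slightly different content (no personalisation, no session cookies), so treat a hit as a reason to fetch the URI with both user agents and diff the bodies, not as proof by itself.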
The attackers use the Everything file search tool to locate valuable data, including logs, credentials, configuration files, and certificates. Data is consolidated in hidden directories, archived with WinRAR, and exfiltrated. Lateral movement is achieved through scheduled tasks and RDP, allowing the attackers to compromise additional servers and domain controllers within the victim network.
Automation scripts and batch files are used to install IIS modules and maintain persistence. The attackers also employ Cobalt Strike for backdoor access, using DLL sideloading and scheduled tasks to evade detection. The BadIIS malware has evolved to include new evasion features, such as altered code structure and simplified Chinese debug strings, resulting in low detection rates by antivirus products.
The campaign's primary impact is SEO fraud, manipulating search engine results to drive traffic to attacker-controlled sites for financial gain. Secondary impacts include theft of sensitive data and exposure of users to malicious content, including unauthorized advertisements, malware, and phishing schemes.
Attribution is supported by linguistic artifacts, infrastructure overlaps, and malware analysis, with high confidence in Chinese-speaking threat actor involvement. The campaign is linked with moderate confidence to Group 9 and with low confidence to DragonRank and Group 11.
Affected Versions & Timeline
The campaign targets vulnerable versions of IIS servers with weak file upload configurations. Affected organizations include universities, technology companies, telecommunications providers, and government entities in India, Thailand, Vietnam, Canada, Brazil, Philippines, Singapore, Taiwan, South Korea, Japan, and Bangladesh. The campaign has been active since at least early 2024, with significant activity observed throughout 2025.
Key timeline events include the identification of new BadIIS malware samples on VirusTotal in 2025, the discovery of the campaign by Cisco Talos in April 2025, and corroborating reports from Palo Alto Networks Unit 42 (September 2025) and Trend Micro (February 2025). The campaign continues to evolve, with new evasion techniques and expanded targeting observed in recent months.
Threat Activity
The threat actors exploit public-facing IIS servers by uploading web shells through unrestricted file upload features. After gaining access, they escalate privileges, enable RDP, and create hidden administrator accounts for persistence. The attackers deploy BadIIS to manipulate HTTP responses, serving SEO-optimized content to search engine crawlers and redirecting users to malicious sites.
Lateral movement is achieved through scheduled tasks and RDP, allowing the attackers to compromise additional servers and domain controllers. Data collection focuses on credentials, configuration files, and certificates, which are archived and exfiltrated. The attackers use a combination of open-source tools, custom automation scripts, and advanced malware to maintain persistence and evade detection.
The campaign targets high-reputation IIS servers to maximize the impact of SEO fraud, leveraging the servers' existing domain authority to boost the search ranking of attacker-controlled sites. The attackers also implement defense mechanisms to prevent other threat actors from compromising the same servers or disrupting their setup.
Attribution to a Chinese-speaking cybercrime group is supported by linguistic artifacts in malware samples, infrastructure overlaps with known threat clusters, and similarities to previous campaigns. The group is tracked as UAT-8099 (Cisco Talos) and CL-UNK-1037 (Unit 42), and is linked to Group 9 and DragonRank.
Mitigation & Workarounds
Critical mitigation steps include immediately reviewing and securing all IIS server file upload configurations to restrict allowed file types and prevent unauthorized uploads. Organizations should apply the latest security patches to IIS and underlying operating systems, and regularly audit user accounts for unauthorized or hidden administrator accounts such as "admin$". Disabling or restricting RDP access, especially from external networks, is essential to limit remote exploitation.
It is recommended to monitor for the presence of known web shells, BadIIS modules, and suspicious scheduled tasks. Organizations should deploy endpoint detection and response (EDR) solutions capable of identifying DLL sideloading, Cobalt Strike beacons, and unauthorized VPN or proxy tools such as SoftEther VPN, EasyTier, and FRP. Regularly review server logs for unusual file uploads, privilege escalations, and outbound connections to known C2 infrastructure.
Incident response teams should search for indicators of compromise (IoCs) associated with BadIIS and related malware, and conduct forensic analysis of affected systems. If compromise is suspected, isolate affected servers, reset credentials, and perform a comprehensive review of exfiltrated data.
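The host-level checks in the three mitigation paragraphs above (upload configuration, rogue IIS modules, hidden administrator accounts, RDP exposure, scheduled tasks, and tunnelling tools) can be collected in one read-only audit. The script below is an added example and is not the report's own code or any vendor's tool. It assumes an elevated PowerShell session on the IIS host with the WebAdministration and ScheduledTasks modules available; the process-name patterns used to spot FRP, SoftEther VPN, and EasyTier are assumptions for illustration.

```powershell
# Added example (not part of the original report or of any vendor's tooling):
# a read-only audit of the controls the mitigation section lists, for one IIS
# host. Requires an elevated session; WebAdministration ships with IIS.

Import-Module WebAdministration -ErrorAction Stop
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Request filtering: with allowUnlisted=true any extension not on the deny
#    list can be uploaded and served, which is how an ASP.NET web shell lands.
$prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering/fileExtensions' -Name 'allowUnlisted'
$allowUnlisted = if ($null -ne $prop.Value) { [bool]$prop.Value } else { [bool]$prop }
if ($allowUnlisted) {
    $Findings.Add('Request filtering allows unlisted file extensions (fileExtensions allowUnlisted=true)')
}

# 2. Global native modules: BadIIS registers itself as an IIS module. Flag any
#    module whose DLL sits outside the IIS binary directory or lacks a valid signature.
Get-WebGlobalModule | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables($_.Image)
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $inInetsrv = $path -like "$env:windir\System32\inetsrv\*"
    if (-not $inInetsrv -or $sig.Status -ne 'Valid') {
        $Findings.Add("Review IIS module '$($_.Name)': $path (signature: $($sig.Status))")
    }
}

# 3. Accounts: the built-in Guest (RID 501) should stay disabled, and names that
#    end in a dollar sign are hidden from 'net user' output (the admin$ pattern).
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest -and $guest.Enabled) { $Findings.Add("Built-in Guest account '$($guest.Name)' is enabled") }
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    if ($_.Name -match '\$$') { $Findings.Add("Administrators member with trailing dollar sign: $($_.Name)") }
}

# 4. RDP: fDenyTSConnections=0 means Remote Desktop is accepting connections.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) { $Findings.Add('Remote Desktop is enabled (fDenyTSConnections=0)') }

# 5. Scheduled tasks outside the Microsoft tree, with what each one executes.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $exe = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
    $Findings.Add("Non-Microsoft scheduled task '$($_.TaskName)' runs: $exe")
}

# 6. Tunnelling tools named in the report. Process-name patterns are assumed,
#    so treat a hit as a prompt to look, not as proof.
$ToolPattern = 'frpc|frps|vpnserver|vpnclient|vpnbridge|easytier'   # assumed names
Get-Process | Where-Object { $_.ProcessName -match $ToolPattern } | ForEach-Object {
    $Findings.Add("Possible tunnelling tool running: $($_.ProcessName) (PID $($_.Id))")
}

if ($Findings.Count -eq 0) { 'No findings' } else { $Findings }
```

The script changes nothing; it only reports. Expect check 1 to fire on a default IIS install, because request filtering ships with allowUnlisted="true" and a short deny list: the fix is to set it to false and list only the extensions the site actually needs on upload paths. Check 5 is deliberately noisy, since legitimate third-party tasks also live outside \Microsoft\; what matters is an action path pointing into a web root, a hidden directory, or a user-writable location.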
User awareness training should emphasize the risks of phishing and malicious redirects, as end users may be exposed to unauthorized advertisements, gambling sites, or malware through compromised IIS servers.
References
Cisco Talos: https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/
Palo Alto Networks Unit 42: https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/
Trend Micro: https://www.trendmicro.com/en_us/research/25/b/chinese-speaking-group-manipulates-seo-with-badiis.html
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their digital supply chain, including the detection of compromised assets, exposed services, and vulnerable configurations. Our platform supports rapid identification of at-risk systems and facilitates evidence-based incident response. For questions or further information, contact us at ops@rescana.com.