A sophisticated and persistent cyber threat, identified as the China-linked actor UAT-8099, has launched a renewed and evolving campaign targeting vulnerable Internet Information Services (IIS) servers across Asia. Cybersecurity researchers at Cisco Talos have uncovered this activity, which transpired between late 2025 and early 2026, revealing a concentrated focus on targets within Thailand and Vietnam. While the full scale of the operation remains under investigation, the tactics employed by UAT-8099 demonstrate a significant evolution in their black hat SEO fraud capabilities.
A Persistent and Evolving Threat
UAT-8099 first emerged on the cybersecurity radar in October 2025, when Cisco Talos detailed their exploitation of IIS servers in various regions, including India, Thailand, Vietnam, Canada, and Brazil, for the purpose of search engine optimization (SEO) fraud. This involved infecting servers with a known malware dubbed BadIIS. The group, assessed to be of Chinese origin, has been active since at least April 2025, with their methods sharing similarities with another BadIIS campaign, codenamed WEBJACK by Finnish vendor WithSecure in November 2025.
Geographical Focus and Tactical Shifts
The latest campaign broadens its geographical scope to include India, Pakistan, Thailand, Vietnam, and Japan, though Cisco Talos noted a “distinct concentration of attacks” in Thailand and Vietnam. Crucially, UAT-8099’s operational strategy has undergone significant refinement. While they continue to leverage familiar tools like web shells, SoftEther VPN, and EasyTier for controlling compromised IIS servers, their approach has become more nuanced.
“This latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus,” Talos explained. Furthermore, the threat actor is increasingly employing red team utilities and legitimate tools, a move designed to enhance evasion capabilities and ensure long-term persistence within compromised networks.
The Anatomy of an Attack: From Initial Access to SEO Fraud
The attack chain typically commences with UAT-8099 gaining initial access to an IIS server. This is often achieved by exploiting a known security vulnerability or leveraging weak configurations within the web server’s file upload features. Once inside, the actor embarks on a multi-stage process to deploy their malicious payloads.
Gaining Entry and Establishing Footholds
- Discovery and Reconnaissance: Initial commands are executed to gather crucial system information.
- VPN and Persistence: VPN tools are deployed, and persistence is established by creating a hidden user account, typically named “admin$”.
- Tool Deployment: A suite of new tools is dropped, including Sharp4RemoveLog (for erasing Windows event logs), CnCrypt Protect (to conceal malicious files), OpenArk64 (an open-source anti-rootkit used to terminate security product processes), and GotoHTTP (for remote server control).
- BadIIS Deployment: The BadIIS malware is then deployed using the newly created hidden account.
In a notable adaptation, as security products began flagging the “admin$” account, UAT-8099 has implemented a check to verify if the name is blocked. If so, they proceed to create a new hidden user account named “mysql$” to maintain uninterrupted access and continue running the BadIIS SEO fraud service. The group has also been observed creating additional hidden accounts to bolster their persistence.
Tools of the Trade: Evasion and Persistence
Another significant shift involves the sophisticated use of GotoHTTP for remote server control. This tool is launched via a Visual Basic Script, which is downloaded by a PowerShell command executed after a web shell has been deployed. This layered approach helps the attackers evade detection and maintain a covert presence.
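As an added defender's example, not code from Cisco Talos or from this article, the following Python triage pass runs over a constructed set of Windows Security event records and looks for the two behaviours described above: hidden user accounts created under names such as “admin$” or “mysql$” (Event ID 4720), and script hosts such as PowerShell or wscript.exe whose process ancestry leads back to the IIS worker process w3wp.exe (Event ID 4688), which is what a web shell launching PowerShell to fetch a VBScript would look like in process-creation telemetry. The field names follow the Windows event data names for 4688 and 4720; the sample values, the SCRIPT_HOSTS set, and the app-pool-identity and “$”-suffix heuristics are assumptions made for the example.

```python
"""Triage of constructed Windows Security events for the two behaviours described above:
hidden '$'-suffixed account creation (Event ID 4720) and script hosts spawned under the
IIS worker process w3wp.exe (Event ID 4688). All sample values are constructed."""
import ntpath

# Account names reported on the page; everything else here is an assumption for the example.
KNOWN_HIDDEN_NAMES = {"admin$", "mysql$"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def proc(new_pid, new_name, creator_pid, parent_name):
    """Constructed 4688 (process creation) record using the event's own data field names."""
    return {"EventID": 4688, "NewProcessId": new_pid, "NewProcessName": new_name,
            "ProcessId": creator_pid, "ParentProcessName": parent_name}


def acct(event_id, target, subject_user, subject_domain):
    """Constructed 4720 (user created) / 4741 (computer account created) record."""
    return {"EventID": event_id, "TargetUserName": target,
            "SubjectUserName": subject_user, "SubjectDomainName": subject_domain}


SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    proc("0x1a4", SYS32 + "inetsrv\\w3wp.exe", "0x2c8", SYS32 + "svchost.exe"),
    proc("0x3e0", SYS32 + "cmd.exe", "0x1a4", SYS32 + "inetsrv\\w3wp.exe"),
    proc("0x410", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "0x3e0", SYS32 + "cmd.exe"),
    proc("0x450", SYS32 + "wscript.exe", "0x410", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"),
    # benign: an administrator opening PowerShell from the desktop shell
    proc("0x500", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "0x7a0", "C:\\Windows\\explorer.exe"),
    acct(4720, "admin$", "DefaultAppPool", "IIS APPPOOL"),
    acct(4720, "svc_backup", "it.admin", "CORP"),
    acct(4741, "WEB01$", "it.admin", "CORP"),      # computer accounts legitimately end in '$'
    acct(4720, "mysql$", "admin$", "WEB01"),
]


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(event, procs):
    """Walk creator process ids back through the 4688 records; stop when w3wp.exe is reached.
    If the creator's own 4688 record is outside the collected window, fall back to the
    ParentProcessName the event carries, so a chain still ends in a named parent."""
    chain = [basename(event["NewProcessName"])]
    current, seen = event, set()
    while chain[-1] != "w3wp.exe":
        pid = current.get("ProcessId")          # in 4688 this is the creator process id
        if pid in procs and pid not in seen:
            seen.add(pid)                        # guard against reused or looping ids
            current = procs[pid]
            chain.append(basename(current["NewProcessName"]))
        else:
            parent = basename(current.get("ParentProcessName", ""))
            if parent:
                chain.append(parent)
            break
    return chain


def iis_spawned_script_hosts(events):
    """Script hosts whose ancestry leads to the IIS worker process, as 'child <- parent' chains."""
    procs = {e["NewProcessId"]: e for e in events if e.get("EventID") == 4688}
    hits = []
    for e in procs.values():
        if basename(e["NewProcessName"]) in SCRIPT_HOSTS:
            chain = ancestry(e, procs)
            if "w3wp.exe" in chain:
                hits.append(" <- ".join(chain))
    return hits


def suspicious_user_creations(events):
    """(name, reasons) for 4720 events that look like hidden-account persistence."""
    hits = []
    for e in events:
        if e.get("EventID") != 4720:             # 4741 computer accounts carry '$' legitimately
            continue
        name = e.get("TargetUserName", "")
        reasons = []
        if name.lower() in KNOWN_HIDDEN_NAMES:
            reasons.append("name matches an account reported in this campaign")
        elif name.endswith("$"):
            reasons.append("user account with '$' suffix, hidden from 'net user' output")
        if e.get("SubjectDomainName", "").upper() == "IIS APPPOOL":
            reasons.append("created by an IIS application pool identity")
        if e.get("SubjectUserName", "").endswith("$"):
            reasons.append("created by another '$'-suffixed account")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for chain in iis_spawned_script_hosts(SAMPLE_EVENTS):
        print("process chain:", chain)
    for name, reasons in suspicious_user_creations(SAMPLE_EVENTS):
        print("account:", name, "|", "; ".join(reasons))
```

The ancestry walk uses creator process ids rather than only the immediate ParentProcessName so that a chain such as w3wp.exe, cmd.exe, powershell.exe, wscript.exe is caught even when the script host is two or three hops below the worker process. The account check deliberately ignores Event ID 4741, because domain computer accounts legitimately end in “$”; a user account (4720) with that suffix is the pattern that hides it from `net user` listings.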
BadIIS Malware: Regional Variants and Deceptive Redirects
The BadIIS malware deployed in these attacks features two new variants, each customized to target specific regions:
- BadIIS IISHijack: This variant is specifically designed to target victims in Vietnam.
- BadIIS asdSearchEngine: Primarily aimed at targets in Thailand or users with Thai language preferences.
The core objective of the malware remains consistent: SEO fraud. It meticulously scans incoming requests to IIS servers to determine if the visitor is a search engine crawler. If a crawler is detected, it is surreptitiously redirected to an SEO fraud site. However, if the request originates from a regular user and the ‘Accept-Language’ header indicates Thai, the malware injects HTML containing a malicious JavaScript redirect into the response.
Targeted Deception: asdSearchEngine Variants
Cisco Talos identified three distinct variants within the BadIIS asdSearchEngine cluster, each with unique functionalities:
- Exclusive Multiple Extensions Variant: This variant checks the file path in the request and ignores it if it contains an extension on its exclusion list, typically those that are resource-intensive or could negatively impact the website’s appearance.
- Load HTML Templates Variant: Featuring an HTML template generation system, this variant dynamically creates web content by loading templates from disk or using embedded fallbacks, replacing placeholders with random data, dates, and URL-derived content.
- Dynamic Page Extension/Directory Index Variant: This variant specifically checks if a requested path corresponds to a dynamic page extension or a directory index. Talos assesses that UAT-8099 implemented this feature to prioritize SEO content targeting while maintaining stealth. As SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, this variant focuses on dynamic pages to maximize its impact.
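As an added example, not from the Cisco Talos report or this article, here is a Python cloaking check over IIS W3C log lines that looks for the behaviour described in the two passages above: the same dynamic page or directory index answering crawler User-Agents with a redirect while ordinary browsers receive a 200. The log lines, the crawler User-Agent patterns and the dynamic-extension list are constructed assumptions; IIS W3C logging itself does record the columns used here, with spaces in the User-Agent encoded as “+”.

```python
"""Cloaking heuristic over IIS W3C extended log lines (constructed sample data)."""
import re
from collections import defaultdict

# Crawler markers and "dynamic page" extensions are assumptions for this example;
# the page does not list which User-Agents BadIIS matches.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)
DYNAMIC_EXT = (".aspx", ".asp", ".php", ".jsp", ".html", ".htm")

# Constructed log excerpt in IIS W3C format (fields declared by the #Fields: directive).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-01-12 08:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 15
2026-01-12 08:00:07 10.0.0.5 GET /index.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 - 200 0 0 22
2026-01-12 08:01:15 10.0.0.5 GET /news/default.aspx - 443 - 203.0.113.11 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 302 0 0 11
2026-01-12 08:01:20 10.0.0.5 GET /news/default.aspx - 443 - 198.51.100.8 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/121.0 - 200 0 0 30
2026-01-12 08:02:00 10.0.0.5 GET /css/site.css - 443 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 4
2026-01-12 08:02:30 10.0.0.5 GET /old-page.aspx - 443 - 203.0.113.12 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 301 0 0 5
2026-01-12 08:02:35 10.0.0.5 GET /old-page.aspx - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Edge/120.0 - 301 0 0 5
"""


def parse_w3c(text):
    """Parse IIS W3C log text into a list of field->value dicts, honouring #Fields:."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        if "cs(User-Agent)" in rec:
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        records.append(rec)
    return records


def is_crawler(user_agent):
    return bool(CRAWLER_UA.search(user_agent))


def is_dynamic_page(path):
    """Directory index (path ending in '/') or one of the dynamic page extensions."""
    lower = path.lower()
    return lower.endswith("/") or lower.endswith(DYNAMIC_EXT)


def find_cloaked_paths(records):
    """Paths where every crawler request got a 3xx while at least one browser got a 200.
    A path that redirects everyone (e.g. a moved page) is not reported."""
    crawler, browser = defaultdict(set), defaultdict(set)
    for rec in records:
        path = rec.get("cs-uri-stem", "")
        if not is_dynamic_page(path):
            continue
        try:
            status = int(rec.get("sc-status", ""))
        except ValueError:
            continue
        bucket = crawler if is_crawler(rec.get("cs(User-Agent)", "")) else browser
        bucket[path].add(status)
    suspicious = [
        path for path, statuses in crawler.items()
        if all(300 <= s < 400 for s in statuses) and 200 in browser.get(path, set())
    ]
    return sorted(suspicious)


if __name__ == "__main__":
    for path in find_cloaked_paths(parse_w3c(SAMPLE_LOG)):
        print("possible crawler cloaking on", path)
```

The check is deliberately restricted to dynamic pages and directory indexes, mirroring the variant described above, and it ignores paths that redirect every visitor. Two limits are worth knowing: the W3C log records the status code but not the redirect target, and the Thai Accept-Language injection described earlier returns a 200 with modified HTML, so it leaves no status-code trace at all. For that case, requesting a page with an Accept-Language: th header from a test client and diffing the body against a normal request is the complementary check.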
The ongoing evolution of UAT-8099’s tactics underscores the critical need for robust cybersecurity measures. Organizations operating IIS servers in Asia, particularly in Thailand and Vietnam, must remain vigilant, prioritize patching known vulnerabilities, strengthen server configurations, and implement advanced monitoring to detect and mitigate such sophisticated threats.