China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware

Cybersecurity researchers have identified a renewed wave of attacks attributed to a China-linked threat group tracked as UAT-8099, targeting vulnerable Microsoft Internet Information Services (IIS) servers across Asia between late 2025 and early 2026.

The campaign, uncovered by Cisco Talos, primarily affected organizations in Thailand and Vietnam, although victims were also observed in India, Pakistan, and Japan. The full scope of the operation remains unclear, but analysts describe it as a continuation—and evolution—of earlier BadIIS-based SEO fraud activity.

From Web Shells to Persistent Control

According to Cisco Talos, UAT-8099 gains initial access by exploiting unpatched IIS vulnerabilities or insecure file upload configurations. Once inside, the attackers deploy web shells and PowerShell scripts to establish control and prepare the environment for long-term persistence.

A key component of the intrusion is the deployment of a remote administration utility known as GotoHTTP, which enables the group to manage compromised servers covertly. This tool is launched via a Visual Basic script downloaded and executed after the web shell is installed.

To further entrench itself, the group creates hidden administrator-level accounts—initially named “admin$”—to run its malicious services. As security tools increasingly flag this account name, the attackers have adapted by creating alternatives such as “mysql$”, along with additional hidden users, to maintain uninterrupted access.

Leveraging Legitimate Tools to Evade Detection

Researchers noted a strategic shift in UAT-8099’s operations. Rather than relying solely on custom malware, the group increasingly uses legitimate or dual-use utilities commonly found in red team engagements. These include tools to erase Windows event logs, conceal malicious files, disable security software processes, and establish VPN-based access using platforms like SoftEther and EasyTier.

This approach allows the attackers to blend in with normal administrative activity, reducing the likelihood of detection while sustaining control over infected servers.

Region-Specific BadIIS Variants

At the center of the campaign is BadIIS, a well-known malware family designed to manipulate search engine results. In this operation, UAT-8099 deployed two newly tailored variants:

  • BadIIS IISHijack, primarily targeting servers in Vietnam
  • BadIIS asdSearchEngine, focused on Thailand and systems with Thai language preferences

The malware inspects incoming web traffic to determine whether the visitor is a search engine crawler. If so, it redirects the crawler to attacker-controlled SEO spam pages. For regular users—particularly those with Thai language settings—the malware injects malicious JavaScript into web responses, forcing redirects to fraudulent destinations.
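As an added example (not Cisco Talos tooling and not code from the report), the following Python check requests the same page as three personas and flags the two behaviours described above: a crawler being redirected off-site while a normal browser is not, and a Thai-language browser receiving external script tags that a default browser does not. The persona headers, the `fetch(url, headers)` interface and the `fake_fetch` stand-in server are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Personas for the comparison (constructed for this example; the Googlebot
# User-Agent string is the one Google publishes for its crawler).
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
PERSONAS = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                "Accept-Language": "en"},
    "thai_browser": {"User-Agent": CHROME, "Accept-Language": "th-TH,th;q=0.9"},
    "default_browser": {"User-Agent": CHROME, "Accept-Language": "en-US,en;q=0.9"},
}
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)

def external_script_hosts(body, site_host):
    """Hosts of <script src=...> tags in body other than the site itself."""
    hosts = {urlparse(src).hostname for src in SCRIPT_SRC.findall(body)}
    return {h.lower() for h in hosts if h and h.lower() != site_host.lower()}

def check_cloaking(url, fetch):
    """Fetch url once per persona; return a list of cloaking findings.
    fetch(url, headers) -> (status, response_headers, body) and must NOT
    follow redirects, or the crawler check cannot see the 3xx."""
    site_host = urlparse(url).hostname
    res = {name: fetch(url, hdrs) for name, hdrs in PERSONAS.items()}
    findings = []
    c_status, c_headers, _ = res["crawler"]
    d_status, _, d_body = res["default_browser"]
    loc = c_headers.get("Location", "")
    if 300 <= c_status < 400 and d_status < 300 and urlparse(loc).hostname not in (None, site_host):
        findings.append(f"crawler redirected off-site to {loc}; browser got HTTP {d_status}")
    _, _, t_body = res["thai_browser"]
    extra = external_script_hosts(t_body, site_host) - external_script_hosts(d_body, site_host)
    if extra:
        findings.append(f"Thai-language visitors load extra external script(s) from {sorted(extra)}")
    return findings

def fake_fetch(url, headers):
    """Constructed stand-in for a compromised server so the check runs offline."""
    if "Googlebot" in headers["User-Agent"]:
        return 302, {"Location": "http://spam.example/casino"}, ""
    page = '<html><script src="/static/app.js"></script><p>hello</p></html>'
    if headers["Accept-Language"].startswith("th"):
        page = page.replace("</html>", '<script src="http://evil.example/r.js"></script></html>')
    return 200, {}, page

if __name__ == "__main__":
    for finding in check_cloaking("http://www.victim.example/index.php", fake_fetch):
        print("FINDING:", finding)
```

Against a live server, plug in a fetcher built on urllib.request with redirects disabled, and run it against dynamic pages such as index.php or default.aspx, since those are the ones the report says the malware prefers to inject.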

Advanced SEO Poisoning Techniques

Cisco Talos identified three distinct sub-variants within the BadIIS asdSearchEngine cluster. Each variant fine-tunes how and where malicious content is injected, prioritizing dynamic pages such as index.php or default.aspx that are more valuable for search engine manipulation.

By selectively avoiding static files and resource-heavy extensions, the malware minimizes server errors and suspicious logs—an intentional design choice to remain stealthy while maximizing SEO impact.

Expanding Beyond Windows Servers

Evidence also suggests that UAT-8099 is actively developing a Linux-compatible version of BadIIS. An ELF binary analyzed in late 2025 supports proxying, content injection, and SEO fraud, while narrowing its focus to major search engine crawlers operated by Google, Microsoft Bing, and Yahoo.

A Persistent SEO Fraud Threat

Security analysts assess UAT-8099 as part of a broader China-aligned ecosystem focused on monetization-driven cyber operations rather than traditional espionage. The group’s tactics overlap with a previously reported BadIIS campaign known as WEBJACK, indicating shared infrastructure and tooling.

As IIS servers continue to underpin countless business-critical websites across the region, researchers warn that unpatched systems remain attractive targets for SEO poisoning campaigns that can silently undermine brand trust, web traffic integrity, and search rankings.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO