China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware
Cybersecurity researchers have identified a sophisticated campaign orchestrated by the China-linked threat actor known as UAT-8099, active between late 2025 and early 2026. This operation has primarily targeted vulnerable Microsoft Internet Information Services (IIS) servers across Asia, with a pronounced focus on entities in Thailand and Vietnam. The exact scale of this campaign remains undetermined.
According to Cisco Talos, UAT-8099 employs web shells and PowerShell scripts to deploy the GotoHTTP tool, granting remote access to compromised IIS servers. This method allows the threat actor to maintain persistent control over the infected systems.
UAT-8099 was first documented in October 2025, when it was linked to the compromise of IIS servers in countries including India, Thailand, Vietnam, Canada, and Brazil. The group's activity is characterized by the deployment of BadIIS, malware built for search engine optimization (SEO) fraud, and has been traced back to April 2025. Overlaps in tooling, command-and-control infrastructure, and targeted regions suggest a connection to other tracked campaigns such as WEBJACK.
The latest campaign has expanded its reach to IIS servers in India, Pakistan, Thailand, Vietnam, and Japan, with a notable concentration in Thailand and Vietnam. UAT-8099’s operational strategy has evolved, now incorporating red team utilities and legitimate tools to evade detection and ensure long-term persistence.
Attack Methodology:
The attack sequence initiated by UAT-8099 involves:
1. Initial Access: Exploiting security vulnerabilities or weak configurations in the web server’s file upload feature to gain entry.
2. Reconnaissance: Executing commands to gather system information.
3. Persistence: Deploying VPN tools and creating hidden user accounts, such as admin$, to maintain access.
4. Tool Deployment: Introducing tools such as Sharp4RemoveLog (to remove Windows event logs), CnCrypt Protect (to hide malicious files), OpenArk64 (a legitimate anti-rootkit utility, abused here to terminate security processes), and GotoHTTP (for remote control of the server).
5. Malware Deployment: Installing BadIIS malware using the newly created accounts.
Once defenders began flagging the admin$ account, UAT-8099 adapted by creating alternative hidden accounts, such as mysql$, to keep both its access and the BadIIS SEO fraud operation running without interruption.
A notable shift in tactics is the use of GotoHTTP for remote control of infected servers. After deploying a web shell, the actor runs a PowerShell command that downloads a Visual Basic Script, which in turn launches GotoHTTP.
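The steps above leave artefacts that can be checked directly on a suspected IIS host. The following triage script is an added example written for this article; it is not code from the Talos report or from the actor's tooling. It enumerates "$"-suffixed local accounts, native IIS modules (it assumes BadIIS is loaded as a native module, which the article does not state), cleared event logs, recently written server-side scripts under site roots, and child processes of the IIS worker. It needs an elevated Windows PowerShell 5.1 session on a host with the IIS Management Scripts feature installed; the substring "gotohttp" used to spot the remote-access tool is an assumption, not a published indicator.

```powershell
# Added triage script for this section; not code from the Talos report or from
# the actor's tooling. Looks for what the chain above leaves behind on a
# Windows/IIS host. BadIIS is ASSUMED to be loaded as a native IIS module, and
# the "gotohttp" substring is an ASSUMPTION, not a published IOC.
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop

$since    = (Get-Date).AddDays(-30)                  # look-back window
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Type, [hashtable]$Fields) {
    $Fields['Finding'] = $Type
    $findings.Add([pscustomobject]$Fields)
}

# 1. Hidden accounts: "net user" omits names ending in "$"; Get-LocalUser does not.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
Get-LocalUser | Where-Object { $_.Name -like '*$' } | ForEach-Object {
    Add-Finding 'hidden-account' @{
        Name = $_.Name; Enabled = $_.Enabled; LastLogon = $_.LastLogon
        IsAdmin = ($admins -contains "$env:COMPUTERNAME\$($_.Name)")
    }
}

# 2. Native IIS modules (globalModules in applicationHost.config). Review any DLL
#    that is not Microsoft-signed or lives outside %windir%\System32\inetsrv;
#    a few legitimate modules (e.g. the ASP.NET Core Module) do live elsewhere.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'
Get-WebGlobalModule | ForEach-Object {
    $image  = [Environment]::ExpandEnvironmentVariables($_.Image)
    $status = 'missing'; $signer = ''
    if (Test-Path -LiteralPath $image) {
        $sig    = Get-AuthenticodeSignature -FilePath $image
        $status = "$($sig.Status)"
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $outside = -not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
    if ($outside -or $status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        Add-Finding 'iis-native-module' @{ Name = $_.Name; Image = $image; Status = $status; Signer = $signer }
    }
}

# 3. Cleared logs: a clear is itself recorded (Security 1102, System 104), unless
#    the attacker's log-removal tool also took that record with it.
foreach ($q in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
    $q['StartTime'] = $since
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'log-cleared' @{ Log = $q.LogName; Time = $_.TimeCreated; User = "$($_.UserId)" }
    }
}

# 4. Server-side scripts written inside the window under any site root. -Force
#    also lists attribute-hidden files, since the actor hides what it drops.
foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue `
        -Include *.aspx, *.asp, *.ashx, *.asmx, *.php |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object { Add-Finding 'recent-web-script' @{ Site = $site.Name; Path = $_.FullName; Written = $_.LastWriteTime } }
}

# 5. Web-shell activity: w3wp.exe rarely spawns children, so a cmd/powershell/
#    wscript child is the "web shell -> PowerShell -> VBScript" chain in motion.
$w3wp = @(Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object Id)
Get-CimInstance Win32_Process | Where-Object {
    ($w3wp -contains $_.ParentProcessId) -or ("$($_.CommandLine)" -match 'gotohttp')
} | ForEach-Object {
    Add-Finding 'suspicious-process' @{ ProcessId = $_.ProcessId; Parent = $_.ParentProcessId; Cmd = $_.CommandLine }
}

if ($findings.Count -eq 0) { 'No findings in the look-back window.' }
$findings | Format-List
```

Each category is reported separately rather than scored, because none of them is conclusive on its own: a Microsoft-signed module outside inetsrv or a scheduled deployment touching .aspx files is routine on many servers, while a "$"-suffixed account in the local Administrators group combined with a cleared Security log is not.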
BadIIS Malware Variants:
The BadIIS malware has been customized into two new variants targeting specific regions:
– BadIIS IISHijack: Targets victims in Vietnam.
– BadIIS asdSearchEngine: Aims at targets in Thailand or users with Thai language preferences.
The primary objective of these variants is to manipulate search rankings by redirecting search engine crawlers to fraudulent sites. Regular visitors, particularly those with Thai language settings, instead receive server responses into which the malware has injected JavaScript redirects.
Cisco Talos has identified three distinct variants within the BadIIS asdSearchEngine cluster:
1. Exclusive Multiple Extensions Variant: Ignores requests containing specific file extensions to avoid resource-intensive processes or disruptions to the website’s appearance.
2. Load HTML Templates Variant: Utilizes an HTML template generation system to dynamically create web content by loading templates from disk or using embedded fallbacks, replacing placeholders with random data, dates, and URL-derived content.
3. Dynamic Page Extension/Directory Index Variant: Focuses on dynamic pages (e.g., default.aspx, index.php) where SEO injections are most effective, while avoiding static files to prevent suspicious server error logs.
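Because the variants key their behaviour on the requester (crawler versus browser, Thai versus other language) and on the requested path (dynamic page versus static file), a suspected site can be probed from the outside by requesting the same URLs under each of those identities and comparing the answers. The script below is an added example written for this article, not code from the Talos report; the target URLs and the User-Agent strings are assumptions, and it should only be pointed at a host you are authorized to test.

```powershell
# Added probe for this section; not code from the Talos report. Requests one
# dynamic page and one static asset the way the BadIIS variants above tell
# visitors apart, then reports whether the answer changes or carries a
# script/meta redirect. URLs and UA strings below are ASSUMPTIONS.
param(
    [string]$DynamicUrl = 'http://localhost/default.aspx',  # assumed dynamic page
    [string]$StaticUrl  = 'http://localhost/site.css'       # assumed static asset
)

$chrome   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36'
$profiles = @(
    @{ Label = 'googlebot'; UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'; Lang = 'en-US' }
    @{ Label = 'bingbot';   UA = 'Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)';  Lang = 'en-US' }
    @{ Label = 'thai-user'; UA = $chrome; Lang = 'th-TH,th;q=0.9' }
    @{ Label = 'en-user';   UA = $chrome; Lang = 'en-US,en;q=0.9' }
)
# Client-side redirect forms an injected script or meta tag would use.
$redirectPattern = '(?i)(window\.|document\.|top\.)?location(\.href|\.replace\(|\s*=)|<meta[^>]+http-equiv=["'']?refresh'

function Get-Response([string]$Url, [hashtable]$P) {
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -UserAgent $P.UA `
                               -Headers @{ 'Accept-Language' = $P.Lang } -ErrorAction Stop
        return @{ Status = [int]$r.StatusCode; Body = [string]$r.Content }
    } catch {
        $resp = $_.Exception.Response
        $code = if ($resp) { [int]$resp.StatusCode } else { -1 }
        return @{ Status = $code; Body = '' }
    }
}

function Measure-Body([string]$Body) {
    @{
        Length   = $Body.Length
        Scripts  = [regex]::Matches($Body, '(?i)<script').Count
        ExtLinks = [regex]::Matches($Body, '(?i)href=["'']https?://').Count
        Redirect = [bool]($Body -match $redirectPattern)
    }
}

$results = foreach ($p in $profiles) {
    $r = Get-Response $DynamicUrl $p
    $m = Measure-Body $r.Body
    [pscustomobject]@{ Profile = $p.Label; Status = $r.Status; Length = $m.Length
                       Scripts = $m.Scripts; ExtLinks = $m.ExtLinks; Redirect = $m.Redirect; Body = $r.Body }
}
$results | Select-Object Profile, Status, Length, Scripts, ExtLinks, Redirect | Format-Table -AutoSize

# Baseline noise: fetch the ordinary-browser profile twice. Pages with per-request
# tokens or timestamps differ anyway, so only weigh differences beyond that.
$base  = $results | Where-Object { $_.Profile -eq 'en-user' }
$again = Get-Response $DynamicUrl $profiles[3]
if ($base.Body -ne $again.Body) { Write-Warning 'en-user page differs between two identical requests; expect diff noise' }

foreach ($r in ($results | Where-Object { $_.Profile -ne 'en-user' })) {
    if ($r.Body -ne $base.Body) {
        Write-Warning "$($r.Profile): body differs from en-user ($($r.Length) vs $($base.Length) chars, $($r.ExtLinks) vs $($base.ExtLinks) external links)"
    }
    if ($r.Redirect -and -not $base.Redirect) {
        Write-Warning "$($r.Profile): script/meta redirect present that the en-user response lacks"
    }
}

# Static assets are skipped by the extension-filtering variant, so crawler and
# browser should get byte-identical content here; a difference is worth a look.
$sBot  = Get-Response $StaticUrl $profiles[0]
$sUser = Get-Response $StaticUrl $profiles[3]
if ($sBot.Body -ne $sUser.Body) { Write-Warning 'static asset differs between googlebot and en-user' }
```

The signal to look for is the combination the variants produce: the crawler profiles receive a page with noticeably more external links or different length than the browser baseline, and the Thai-language profile receives a redirect that the English-language browser does not. A single differing response on a dynamic page is not proof, since legitimate sites personalize by language and embed per-request tokens; a hit should be followed by inventorying the native modules loaded by IIS on the server itself.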
These adaptations indicate UAT-8099’s commitment to refining their techniques to enhance SEO manipulation while maintaining stealth.
Ongoing Developments:
Evidence suggests that UAT-8099 is actively developing a Linux version of BadIIS. An ELF binary uploaded to VirusTotal in early October 2025 includes proxy, injector, and SEO fraud modes, and narrows the search engine crawlers it targets to those of Google, Microsoft Bing, and Yahoo!.
This campaign underscores the persistent threat posed by UAT-8099 and similar groups, highlighting the need for robust security measures to protect IIS servers from such sophisticated attacks.