A sophisticated cyber campaign, identified as Operation Rewrite, has been actively compromising Microsoft Internet Information Services (IIS) web servers to serve malicious content through search engine optimization (SEO) poisoning. This operation, uncovered by Palo Alto Networks in March 2025, is attributed with high confidence to a Chinese-speaking threat actor utilizing a malicious IIS module known as BadIIS. The primary objective is financial gain by manipulating search engine results to redirect unsuspecting users to unwanted websites, such as gambling and pornography platforms.
Understanding BadIIS Malware and SEO Poisoning
At the core of this operation is BadIIS, a malicious native module for Microsoft’s IIS web server software. First identified in 2021, these modules integrate directly into the web server’s core processes, granting them high-level privileges. This deep integration allows the malware to intercept, inspect, and modify all incoming and outgoing web traffic. Attackers leverage this control to inject malicious code, redirect users, and steal sensitive information without being easily detected.
The attackers employ BadIIS to conduct SEO poisoning. Instead of building new malicious websites, which are difficult to rank in search engines, they compromise established sites that already have a good reputation. By injecting popular search keywords into the compromised site’s content, they trick search engines like Google and Bing into ranking the site for a wide range of unrelated queries.
The Two-Phase Attack Strategy
The Operation Rewrite campaign unfolds in two distinct phases designed to first deceive search engines and then ensnare human victims.
1. The Lure Phase: The attack begins when a search engine crawler (like Googlebot) visits a compromised server. The BadIIS module detects the crawler by inspecting its `User-Agent` header. It then communicates with a command-and-control (C2) server to fetch keyword-rich, poisoned content. This content is served only to the crawler, causing the search engine to index the legitimate website for popular but irrelevant terms. Analysis shows a specific focus on East and Southeast Asia, with keywords for Vietnamese search engines and terms related to illegal soccer streaming services.
2. The Trap Phase: Once the search results are poisoned, the trap is set. When a user clicks on the malicious search result, the BadIIS module identifies them as a human victim by checking the `Referer` header. Instead of showing the expected webpage, the module contacts the C2 server again to fetch a redirect link to a scam website. The compromised server acts as a reverse proxy, seamlessly sending the victim to the attacker-controlled destination.
Attribution and Technical Insights
Palo Alto Networks has linked this activity cluster, tracked as CL-UNK-1037, to a Chinese-speaking threat group. The name Operation Rewrite stems from the Pinyin transliteration chongxiede (重写), meaning rewrite, which was found as an object name in the malware’s code. Further investigation revealed additional linguistic evidence, including code comments written in simplified Chinese characters.
The group’s toolkit is not limited to the native BadIIS module. The investigation uncovered several variants, demonstrating the actor’s adaptability. These include lightweight ASP.NET page handlers, managed .NET IIS modules, and an all-in-one PHP script, all designed to achieve the same SEO poisoning goals through different technical means.
Broader Context of IIS Server Exploitation
The exploitation of IIS servers is not an isolated incident. Various threat actors have targeted these servers using different methodologies:
– GhostRedirector Hackers: This group compromised at least 65 Windows servers globally, deploying custom malware designed to manipulate search engine results for financial gain. They utilized a malicious IIS module called Gamshen to conduct sophisticated SEO fraud schemes, primarily benefiting gambling websites. The attacks have been active since at least August 2024, employing tools like the Rungan backdoor and the Gamshen IIS module. The primary beneficiaries of this scheme are various gambling websites targeting Portuguese-speaking users. The compromised servers span sectors such as healthcare, retail, transportation, education, and technology, with the majority located in Brazil, Thailand, and Vietnam. Additional victims were identified in the United States, Peru, Canada, and parts of Europe and Asia. The attack chain begins with what is believed to be an SQL injection vulnerability for initial access, followed by the use of PowerShell or CertUtil to download their arsenal from a staging server. To gain full control, they employ publicly known privilege escalation exploits like EfsPotato and BadPotato to create new administrator-level user accounts on the server. These rogue accounts provide persistent access, ensuring the attackers can maintain control even if their primary backdoors are discovered and removed. The group’s toolkit also includes other custom utilities, such as Zunput, a tool that scans the server for active websites and drops multiple webshells to provide alternative methods of remote access. The shared code libraries and infrastructure across these tools allowed researchers to cluster the activity and attribute it to a single group. While the immediate impact on website visitors is minimal, participation in the SEO fraud scheme can severely damage the compromised host’s reputation by associating it with black-hat SEO tactics.
– DragonRank Group: This Chinese-speaking hacking group has been targeting Microsoft IIS servers to deploy the BadIIS malware, a tool used for SEO fraud and malicious content injection. The campaign has affected over 35 IIS servers across Asia, Europe, and beyond, spanning industries such as government, technology, telecommunications, and academia. BadIIS operates in two primary modes: SEO Fraud Mode and Injector Mode. In SEO Fraud Mode, BadIIS alters HTTP headers by checking fields like User-Agent and Referer. If these fields indicate traffic from search engine crawlers (e.g., Google, Bing, Baidu), the malware redirects requests to illicit gambling websites or other fraudulent destinations. This tactic boosts the ranking of attacker-controlled sites by exploiting the credibility of compromised servers. In Injector Mode, BadIIS injects obfuscated JavaScript into legitimate server responses. This malicious code redirects users to phishing sites or malware-hosting pages. The attack chain begins with the exploitation of vulnerabilities in web applications like WordPress and phpMyAdmin to deploy web shells such as ASPXSpy. These shells act as conduits for installing BadIIS and other tools like PlugX, a remote access trojan (RAT). Attackers also use credential-harvesting utilities like Mimikatz and PrintNotifyPotato for lateral movement within networks. The campaign appears financially motivated, generating revenue by redirecting users to illegal gambling websites or scam pages while simultaneously boosting the SEO rankings of their clients’ websites.
– UAT-6382 Hackers: This sophisticated cyber threat group has been actively exploiting a critical zero-day vulnerability in Cityworks, a popular asset management system used by local governments across the United States. The vulnerability, tracked as CVE-2025-0994, allows remote code execution and has been under active exploitation since January 2025. The attackers have demonstrated a particular interest in systems related to utilities management, raising concerns about potential disruption to critical infrastructure. The exploit targets the Cityworks application running on Microsoft IIS servers, giving attackers an initial foothold into government networks. Once inside, the threat actors rapidly deploy a variety of web shells and custom malware to maintain persistent access. The intrusions have primarily affected local governing bodies in the United States, with attackers quickly pivoting to systems containing sensitive infrastructure data.
Mitigation Strategies
To protect against such threats, organizations using IIS servers should adopt the following measures:
– Regular Patching: Ensure all IIS servers are updated with the latest security patches.
– Access Controls: Restrict administrative access using strong passwords and multi-factor authentication (MFA).
– Monitoring: Continuously monitor IIS logs for anomalies such as unexpected module installations or unusual traffic patterns.
– Firewalls: Deploy firewalls to control inbound and outbound traffic.
– Secure Configurations: Disable unnecessary services and features on IIS servers.
The exploitation of IIS servers through malicious modules like BadIIS underscores the importance of securing web servers against advanced threats. Organizations must proactively address vulnerabilities in their infrastructure to prevent exploitation by financially motivated threat actors. Failure to do so could result in reputational damage, legal liabilities, and loss of user trust.
