China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware


Chinese Hackers Target Asian IIS Servers in Stealthy SEO Fraud Campaign

Cybersecurity researchers have uncovered a sophisticated campaign attributed to the China-linked threat actor UAT-8099, targeting vulnerable Internet Information Services (IIS) servers across Asia. The campaign, which ran from late 2025 through early 2026, shows a marked evolution in tactics and regional focus, with Thailand and Vietnam emerging as primary targets.

According to Cisco Talos, which first documented the group in October 2025, UAT-8099 has shifted from broad-based attacks to a more surgical approach targeting specific countries. The threat actor employs web shells and PowerShell scripts to deploy the GotoHTTP remote access tool, granting persistent control over compromised IIS servers.

The campaign demonstrates the group’s technical sophistication. After gaining initial access through exploited vulnerabilities or weak file upload configurations, the attackers execute reconnaissance commands, establish VPN connections, and create hidden user accounts—initially using “admin$” before switching to “mysql$” when security tools began flagging the original account name.

UAT-8099 has expanded its arsenal with several new tools. Sharp4RemoveLog erases Windows event logs, CnCrypt Protect hides malicious files, and OpenArk64—an open-source anti-rootkit utility—terminates security product processes. The group’s reliance on legitimate tools and red team utilities represents a significant evolution in its operational strategy for evading detection.

The malware deployed, known as BadIIS, has been customized into two distinct variants. BadIIS IISHijack specifically targets Vietnamese victims, while BadIIS asdSearchEngine focuses on Thai-language users. Both variants serve the same ultimate purpose: SEO fraud through search engine manipulation.

The attack mechanism is particularly insidious. When a search engine crawler visits an infected IIS server, it’s redirected to fraudulent SEO sites. For regular users whose browser requests include Thai language preferences in the Accept-Language header, the malware injects malicious JavaScript redirects directly into web page responses.

Cisco Talos identified three sophisticated variants within the BadIIS asdSearchEngine cluster. The “exclusive multiple extensions variant” maintains stealth by excluding resource-intensive file types from processing. The “load HTML templates variant” dynamically generates web content using embedded templates and placeholders. The “dynamic page extension/directory index variant” focuses exclusively on dynamic pages where SEO injection is most effective, avoiding static files that could generate suspicious error logs.
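The behaviour described above (a crawler is redirected, a Thai-language browser gets a script injected, static files are left untouched) can be checked on a server you operate by requesting the same page under several client profiles and diffing the answers. The script below is an added example, not Talos code and not the malware: the function names and user-agent strings are my own, and the sample responses are constructed to mimic the described behaviour so the check runs offline.

```python
"""Cloaking check for a site you operate: request the same page with several
client profiles and flag responses that differ in the way the report describes
(crawler gets redirected, Thai-language browser gets an injected script).
Added example, not Talos code; function names are assumptions and the sample
responses at the bottom are constructed."""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Profiles a defender compares. "baseline" is an ordinary English-language
# browser; the other two mimic the visitors the malware is said to treat
# differently. User-Agent strings are illustrative, not exact crawler UAs.
PROFILES = {
    "baseline": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0",
        "Accept-Language": "en-US,en;q=0.9",
    },
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Accept-Language": "en-US,en;q=0.9",
    },
    "thai_user": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0",
        "Accept-Language": "th-TH,th;q=0.9,en;q=0.8",
    },
}

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2", ".svg")

@dataclass
class Response:
    status: int
    headers: dict
    body: str

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)""", re.I)
REDIRECT_JS_RE = re.compile(r"(location\.(href|replace|assign)|window\.location|top\.location)", re.I)

def is_dynamic_path(path):
    """The 'dynamic page' variant injects only into dynamic pages and leaves
    static files alone, so probe .aspx/.asp pages and directory indexes;
    probing an image or stylesheet would give a false negative."""
    return not path.lower().endswith(STATIC_EXT)

def script_fingerprints(body):
    """Set of <script> identities in a page: external ones by src,
    inline ones by whitespace-normalised body."""
    out = set()
    for attrs, inner in SCRIPT_TAG_RE.findall(body):
        m = SRC_RE.search(attrs)
        out.add("src:" + m.group(1) if m else "inline:" + " ".join(inner.split()))
    return out

def analyse(responses):
    """responses maps profile name -> Response. Returns finding strings;
    an empty list means every profile saw the same thing as the baseline."""
    base = responses["baseline"]
    findings = []
    for name, r in responses.items():
        if name == "baseline":
            continue
        if 300 <= r.status < 400 and not 300 <= base.status < 400:
            findings.append(f"{name}: HTTP {r.status} to {r.headers.get('Location')} "
                            f"while baseline got HTTP {base.status}")
        for fp in sorted(script_fingerprints(r.body) - script_fingerprints(base.body)):
            kind = "redirecting script" if REDIRECT_JS_RE.search(fp) else "extra script"
            findings.append(f"{name}: {kind} absent from baseline: {fp[:80]}")
    return findings

def fetch(url, headers, timeout=10):
    """Fetch without following redirects so the 3xx itself is observed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return Response(resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # raised for refused 3xx as well as 4xx/5xx
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))

# Constructed sample of what a server behaving as described might return.
CLEAN_PAGE = '<html><head><script src="/site.js"></script></head><body>Welcome</body></html>'
SAMPLE_RESPONSES = {
    "baseline": Response(200, {"Content-Type": "text/html"}, CLEAN_PAGE),
    "crawler": Response(302, {"Location": "https://seo-landing.invalid/"}, ""),
    "thai_user": Response(200, {"Content-Type": "text/html"}, CLEAN_PAGE.replace(
        "</body>", '<script>window.location.href="https://seo-landing.invalid/th";</script></body>')),
}

if __name__ == "__main__":
    if len(sys.argv) > 1 and is_dynamic_path(sys.argv[1]):
        responses = {n: fetch(sys.argv[1], h) for n, h in PROFILES.items()}
    else:
        responses = SAMPLE_RESPONSES
    for line in analyse(responses) or ["no cloaking indicators"]:
        print(line)
```

Run it with a URL of your own dynamic page as the first argument; with no argument it evaluates the constructed sample. Compare against the baseline rather than against a fixed signature, because the report describes the content as template-generated and therefore variable, while the difference between profiles is the invariant.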

The campaign’s geographic focus is telling. While attacks span India, Pakistan, Thailand, Vietnam, and Japan, Cisco observed a “distinct concentration of attacks” in Thailand and Vietnam. This regional specificity suggests either political motivations or testing of more targeted exploitation techniques before potential expansion.

What makes this campaign particularly concerning is its persistence mechanisms. The threat actor creates multiple hidden accounts to ensure continued access even if some are discovered. The evolution from simple web shell deployment to complex multi-tool operations demonstrates UAT-8099’s growing sophistication and resources.

Evidence suggests the group is actively developing its Linux capabilities as well. An ELF binary artifact uploaded to VirusTotal in early October 2025 revealed proxy, injector, and SEO fraud modes, with targeting limited to major search engines like Google, Bing, and Yahoo.

The campaign’s success likely stems from organizations’ failure to patch IIS servers promptly and the increasing sophistication of Chinese state-sponsored cyber operations. With SEO fraud generating substantial revenue and the ability to compromise legitimate websites for extended periods, UAT-8099 represents a significant threat to Asian organizations’ digital infrastructure.

Cybersecurity experts recommend immediate patching of IIS servers, monitoring for unusual user account creation (particularly accounts with “$” suffixes), implementing web application firewalls, and conducting regular security audits of server configurations. The evolution of UAT-8099’s tactics serves as a stark reminder that threat actors continuously adapt their methods, requiring organizations to maintain equally dynamic defensive postures.

#ChineseHackers #CyberEspionage #IISSecurity #SEOFraud #UAT8099 #CyberAttack #ThreatActor #AsiaCyberSecurity #WebShell #PowerShellAttack #GotoHTTP #BadIIS #MalwareCampaign #CyberCrime #InformationSecurity #DataBreach #HackingGroup #DigitalForensics #NetworkSecurity #CyberDefense
