Cybersecurity researchers are shedding light on a Chinese-speaking cybercriminal group called UAT-8099, which is caused by search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data.
The attack is designed to target most infectious diseases reported in India, Thailand, Vietnam, Canada and Brazil, as well as many infectious diseases that spread to universities, tech companies and telecommunications providers. The group was first discovered in April 2025. The target is primarily mobile users, covering both Android and Apple iPhone devices.
UAT-8099 is the latest China-related actor engaged in SEO scams for financial gain. As last month, ESET revealed details of another threat actor named Ghostredirector. This allowed the malicious IIS module to compromise at least 65 Windows servers that are primarily in Vietnam with a malicious IIS module called Gamshen to promote SEO scams.
“UAT-8099 operates search rankings by focusing on reputable, highly valued IIS servers in the target region,” says Jay Chen, a researcher at Cisco Talos. “The group maintains persistence and changes SEO rankings using web shells, open source hacking tools, cobalt strikes, and various BADIIS malware. Automation scripts are customized to avoid defenses and hide activity.”
When a vulnerable IIS server is found either through a security vulnerability or a weak configuration of the web server’s file uploading capabilities, the threat actor uses the scaffold to upload a web shell to perform reconnaissance and collect basic system information. A financially motivated hacking group then allows guest accounts to escalate privileges up to the administrator and use it to enable Remote Desktop Protocol (RDP).
It has also been observed that UAT-8099 inserts an initial access path, maintains only control of the compromised host, and takes steps to prevent other threat actors from damaging the same server. Additionally, cobalt strikes will be deployed as a favourable backdoor after an explosion.
To achieve persistence, RDP is combined with VPN tools such as SoftAssisted VPN, Easytier, and Fast Reverse Proxy (FRP). The attack chain reaches its peak with the installation of Badiis malware. It is used by multiple Chinese-speaking threat clusters, such as DragonRank and Operation Rewrite (aka CL-Unk-1037).
UAT-8099 uses RDP to access the IIS server and use all-named graphical user interface (GUI) tools to search for valuable data within compromised hosts, resell or package it to further utilize. Currently, the number of servers the group has compromised is not currently clear.
However, the BADIIS malware deployed in this case is a variant that coordinates the code structure and functional workflow to avoid detection by anti-virus software. The SEO operational component works similar to GamShen in that it only kicks when a request comes from Google (i.e. the user agent is GoogleBot).
BADIIS can operate in three different modes –
The proxy that extracts the encoded embedded command and control (C2) server address and uses it as a proxy is used as a proxy to retrieve content from the secondary C2 server injector that intercepts browser requests caused by Google search results. Selected destination (fraudulent advertising or illegal gambling website) SEO scam. Encourage SEO scams by compromising multiple IIS servers and providing backlinks to artificially increase website rankings
“Actors are using traditional SEO technology called backlinks to increase the visibility of their websites,” Talos said. “Google’s search engines use backlinks to discover additional sites and assess keyword relevance.”
“A large number of backlinks makes it more likely that Google crawlers will visit your site. This will speed up ranking improvements and enhance web page exposure. However, simply accumulating backlinks regardless of quality can lead to penalties from Google.”
Source link
