
Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026.
The activity, discovered by Cisco Talos, targeted vulnerable Internet Information Services (IIS) servers across Asia, with a particular focus on targets in Thailand and Vietnam. The scale of the campaign is unknown at this time.
“UAT-8099 uses a web shell and PowerShell to run scripts and deploy the GotoHTTP tool, allowing attackers remote access to vulnerable IIS servers,” security researcher Joey Chen said in a breakdown of the campaign on Thursday.
UAT-8099 was first documented by a cybersecurity firm in October 2025, which detailed attackers exploiting IIS servers located in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimization (SEO) fraud. Those attacks involved infecting servers with a known piece of malware called BadIIS.

The hacking group is believed to be of Chinese origin, with the attacks dating back to April 2025. This threat cluster also shares similarities with another BadIIS campaign that Finnish cybersecurity vendor WithSecure disclosed under the codename WEBJACK in November 2025, based on overlapping tools, command and control (C2) infrastructure, and victim footprints.
The latest campaign focused on compromising IIS servers in India, Pakistan, Thailand, Vietnam and Japan, with Cisco saying it observed a “distinguished concentration of attacks” in Thailand and Vietnam.
“Threat actors continue to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, but their operational strategies have evolved significantly,” Talos explains. “First, this latest campaign signals a shift towards more geographically focused blackhat SEO tactics. Second, this threat actor is increasingly leveraging red team utilities and legitimate tools to evade detection and maintain long-term viability.”
The attack chain typically begins with UAT-8099 gaining initial access to an IIS server by exploiting a security vulnerability or a weak configuration in the web server’s file upload functionality. The threat actor then works through a series of steps to deploy the malicious payload:

1. Run discovery and reconnaissance commands to collect system information.
2. Deploy VPN tools and create a hidden user account named “admin$” to establish persistence.
3. Drop new tools such as Sharp4RemoveLog (deletes Windows event logs), CnCrypt Protect (hides malicious files), OpenArk64 (an open source anti-rootkit tool used to terminate security product processes), and GotoHTTP (remote control of servers).
4. Use the newly created account.
5. Deploy the BadIIS malware.
As security products take steps to flag the “admin$” account, the attackers add a new check to see if the name is blocked, and if so, proceed to create a new user account named “mysql$” to maintain access and run the BadIIS SEO fraud service without interruption. Additionally, UAT-8099 has been observed to create more hidden accounts to ensure persistence.
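A detection that matches the account-creation step above, written for this article and not part of Cisco Talos' reporting. It scans constructed Windows Security records for event 4720 (user account created) and keys on the trailing “$”, so the “mysql$” fallback and any other rotated name are caught as well as “admin$”; the field names follow the standard 4720 event layout and the sample records are invented.

```python
import re

# Constructed Security-log records (EventID 4720 = user account created), trimmed to
# the fields a SIEM normally exposes. The "IIS APPPOOL" creator models an account
# created by a command run through a web shell under the application-pool identity.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectDomainName": "IIS-WEB01",
     "SubjectUserName": "Administrator", "TimeCreated": "2025-11-02T03:11:08Z"},
    {"EventID": 4720, "TargetUserName": "admin$", "SubjectDomainName": "IIS APPPOOL",
     "SubjectUserName": "DefaultAppPool", "TimeCreated": "2025-11-02T03:14:51Z"},
    {"EventID": 4720, "TargetUserName": "mysql$", "SubjectDomainName": "IIS APPPOOL",
     "SubjectUserName": "DefaultAppPool", "TimeCreated": "2025-11-02T03:15:02Z"},
    {"EventID": 4624, "TargetUserName": "admin$", "SubjectDomainName": "-",
     "SubjectUserName": "-", "TimeCreated": "2025-11-02T03:16:30Z"},
]

# A trailing '$' keeps a local account out of 'net user' output, which is why the
# actor picks names like admin$ and mysql$. Match the suffix, not one specific name.
HIDDEN_SUFFIX = re.compile(r"\$$")


def find_hidden_account_creations(events):
    """Return 4720 events that create a '$'-suffixed account, rated by who created it."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        name = ev.get("TargetUserName", "")
        if not HIDDEN_SUFFIX.search(name):
            continue
        # An account created by an IIS application-pool identity means the web
        # process itself ran the command, i.e. the web-shell path described above.
        from_webserver = ev.get("SubjectDomainName", "").upper() == "IIS APPPOOL"
        hits.append({
            "user": name,
            "creator": f'{ev.get("SubjectDomainName")}\\{ev.get("SubjectUserName")}',
            "time": ev.get("TimeCreated"),
            "severity": "high" if from_webserver else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in find_hidden_account_creations(SAMPLE_EVENTS):
        print(hit)
```

Because `net user` hides these names, pair the rule with a periodic listing that does show them, such as `Get-LocalUser` in PowerShell, to find accounts created before the logging was in place.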

Another notable change revolves around the use of GotoHTTP to remotely control infected servers. The tool is launched by a Visual Basic script, which is itself downloaded by a PowerShell command that runs once the web shell has been deployed.
The attack introduces two new BadIIS variants customized for specific regions. BadIIS IISHijack singles out victims in Vietnam, while BadIIS asdSearchEngine primarily targets users in Thailand or users whose browser prefers the Thai language.
The malware’s end goal remains largely unchanged: it inspects incoming requests to the compromised IIS server to determine whether the visitor is a search engine crawler, and if so, the crawler is redirected to an SEO scam site. If instead the request comes from an ordinary user and its Accept-Language header indicates Thai, HTML containing a malicious JavaScript redirect is injected into the response.
Cisco Talos announced that it has identified three different variants within the BadIIS asdSearchEngine cluster.
Multiple-extension exclusion variant: checks the file path in each request and skips extensions on an exclusion list, namely file types that are resource-intensive to process or that could interfere with the appearance of the website.
HTML template loading variant: includes an HTML template generation system that dynamically creates web content by loading templates from disk, or using embedded fallbacks, and replacing placeholders with random data, dates, and URL-derived content.
Dynamic page extension/directory index variant: only hooks requests whose path ends in a dynamic page extension or points to a directory index.

Regarding the third variant, Talos said, “We believe threat actor UAT-8099 implemented this feature to prioritize SEO content targeting while maintaining stealth.”
“Because SEO poisoning relies on the injection of JavaScript links into pages that are crawled by search engines, the malware focuses on dynamic pages where these injections are most effective (default.aspx, index.php, etc.). Moreover, by restricting the hook to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs.”
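A defender-side check for the request handling described in the two passages above (crawler redirect, Thai-language script injection, dynamic-page targeting), added here as an illustration rather than anything from the Talos report. It compares responses fetched from a server you operate under three header profiles; the responses below are constructed, `seo-example.invalid` is a placeholder, and the dynamic-extension list is an assumption based on the article’s `default.aspx` and `index.php` examples.

```python
import re
from urllib.parse import urlsplit

# Header profiles to replay against a server you own; only the headers differ.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
PROFILES = {
    "baseline":  {"User-Agent": "Mozilla/5.0", "Accept-Language": "en-US,en;q=0.9"},
    "crawler":   {"User-Agent": CRAWLER_UA,    "Accept-Language": "en-US,en;q=0.9"},
    "thai_user": {"User-Agent": "Mozilla/5.0", "Accept-Language": "th-TH,th;q=0.9"},
}
# Assumed dynamic extensions, modelled on the article's default.aspx / index.php examples.
DYNAMIC_EXT = {".aspx", ".asp", ".php"}
JS_REDIRECT = re.compile(r"location(?:\.href)?\s*=|location\.replace\(", re.I)


def worth_probing(url):
    """The third variant only hooks dynamic pages and directory indexes, so probe those."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    if last == "":
        return True  # directory index such as /
    return ("." + last.rsplit(".", 1)[-1]).lower() in DYNAMIC_EXT if "." in last else False


def compare_responses(site_host, responses):
    """responses maps profile name -> (status, headers, body) for one URL.
    Flags a profile redirected off-site, or a profile whose body gained a script
    redirect that the baseline lacks: the two behaviours described for BadIIS."""
    findings = []
    _, _, base_body = responses["baseline"]
    for name, (status, headers, body) in responses.items():
        if name == "baseline":
            continue
        loc = headers.get("Location", "")
        if 300 <= status < 400 and loc and urlsplit(loc).hostname not in (None, site_host):
            findings.append(f"{name}: redirected off-site to {loc}")
        elif JS_REDIRECT.search(body) and not JS_REDIRECT.search(base_body):
            findings.append(f"{name}: script redirect injected into response")
    return findings


# Constructed responses imitating a compromised server (seo-example.invalid is a placeholder).
SAMPLE = {
    "baseline":  (200, {}, "<html><body>Welcome</body></html>"),
    "crawler":   (302, {"Location": "https://seo-example.invalid/landing"}, ""),
    "thai_user": (200, {}, '<html><body>Welcome<script>window.location.href='
                           '"https://seo-example.invalid/"</script></body></html>'),
}

if __name__ == "__main__":
    for finding in compare_responses("www.example.com", SAMPLE):
        print(finding)
```

Fill `responses` with your own HTTP client, one request per profile with automatic redirect following disabled, so the 3xx and its Location header reach the comparison instead of being resolved away.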
There are also signs that the attackers are actively improving the Linux version of BadIIS. ELF binary artifacts uploaded to VirusTotal in early October 2025 still include the proxy, injector, and SEO fraud modes, but the crawler matching is now limited to the Google, Microsoft Bing, and Yahoo! search engines.
