Sep 23, 2025Ravie LakshmananSEO Poisoning / Malware
Cybersecurity researchers are calling consideration to a search engine marketing (website positioning) poisoning marketing campaign possible undertaken by a Chinese language-speaking menace actor utilizing a malware referred to as BadIIS in assaults concentrating on East and Southeast Asia, significantly with a concentrate on Vietnam.
The exercise, dubbed Operation Rewrite, is being tracked by Palo Alto Networks Unit 42 underneath the moniker CL-UNK-1037, the place “CL” stands for cluster and “UNK” refers to unknown motivation. The menace actor has been discovered to share infrastructure and architectural overlaps with an entity known as Group 9 by ESET and DragonRank.
“To carry out website positioning poisoning, attackers manipulate search engine outcomes to trick folks into visiting surprising or undesirable web sites (e.g., playing and porn web sites) for monetary achieve,” safety researcher Yoav Zemah stated. “This assault used a malicious native Web Data Providers (IIS) module referred to as BadIIS.”
BadIIS is designed to intercept and modify incoming HTTP net site visitors with the top purpose of serving malicious content material to website guests utilizing reliable compromised servers. In different phrases, the concept is to govern search engine outcomes to direct site visitors to a vacation spot of their selecting by injecting key phrases and phrases into reliable web sites carrying a very good area status.
The IIS module is provided to flag guests originating from search engine crawlers by inspecting the Consumer-Agent header within the HTTP request, permitting it to contact an exterior server to fetch the poisoned content material to change the website positioning and trigger the search engine to index the sufferer website as a related consequence for the phrases discovered within the command-and-control (C2) server response.
As soon as the websites have been poisoned on this method, all it takes to finish the scheme is ensnaring victims who seek for these phrases in a search engine and find yourself clicking on the legitimate-but-compromised website, finally redirecting them to a rip-off website as a substitute.
In no less than one incident investigated by Unit 42, the attackers are stated to have leveraged their entry to a search engine crawler to pivot to different techniques, create new native consumer accounts, and drop net shells for establishing persistent distant entry, exfiltrating supply code, and importing BadIIS implants.
“The mechanism first builds a lure after which springs the lure,” Unit 42 stated. “The lure is constructed by attackers feeding manipulated content material to go looking engine crawlers. This makes the compromised web site rank for added phrases to which it could in any other case don’t have any connection. The compromised net server then acts as a reverse proxy — an middleman server getting content material from different servers and presenting it as its personal.”
Among the different instruments deployed by the menace actors of their assaults embrace three completely different variants of BadIIS modules –
A light-weight ASP.NET web page handler that achieves the identical purpose of website positioning poisoning by proxying malicious content material from a distant C2 server
A managed .NET IIS module that may examine and modify each request that passes by the appliance to inject spam hyperlinks and key phrases from a special C2 server, and
An all-in-one PHP script that mixes consumer redirection and dynamic website positioning poisoning
“The menace actor tailor-made all of the implants to the purpose of manipulating search engine outcomes and controlling the stream of site visitors,” Unit 42 stated. “We assess with excessive confidence {that a} Chinese language-speaking actor is working this exercise, based mostly on direct linguistic proof, in addition to infrastructure and structure hyperlinks between this actor and the Group 9 cluster.”
The disclosure comes weeks after ESET detailed a beforehand undocumented menace cluster dubbed GhostRedirector that has managed to compromise no less than 65 Home windows servers primarily situated in Brazil, Thailand, and Vietnam with a malicious IIS module codenamed Gamshen to facilitate website positioning fraud.
