Cybersecurity researchers have found a brand new marketing campaign attributed to a China-linked risk actor often called UAT-8099 that befell between late 2025 and early 2026.
The exercise, found by Cisco Talos, has focused weak Web Info Providers (IIS) servers positioned throughout Asia, however with a particular concentrate on targets in Thailand and Vietnam. The dimensions of the marketing campaign is at the moment unknown.
“UAT-8099 makes use of internet shells and PowerShell to execute scripts and deploy the GotoHTTP device, granting the risk actor distant entry to weak IIS servers,” safety researcher Joey Chen mentioned in a Thursday breakdown of the marketing campaign.
UAT-8099 was first documented by the cybersecurity firm in October 2025, detailing the risk actor’s exploitation of IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate SEO (search engine optimization) fraud. The assaults contain infecting the servers with a recognized malware known as BadIIS.
The hacking group is assessed to be of Chinese language origin, with the assaults relationship again to April 2025. The risk cluster additionally shares similarities with one other BadIIS marketing campaign codenamed WEBJACK by Finnish cybersecurity vendor WithSecure in November 2025, primarily based on overlaps in instruments, command-and-control (C2) infrastructure, and victimology footprint.
The newest marketing campaign is targeted on compromising IIS servers positioned in India, Pakistan, Thailand, Vietnam, and Japan, though Cisco mentioned it noticed a “distinct focus of assaults” in Thailand and Vietnam.
“Whereas the risk actor continues to depend on internet shells, SoftEther VPN, and EasyTier to regulate compromised IIS servers, their operational technique has advanced considerably,” Talos defined. “First, this newest marketing campaign marks a shift of their black hat search engine optimization techniques towards a extra particular regional focus. Second, the actor more and more leverages purple crew utilities and legit instruments to evade detection and keep long-term persistence.”
The assault chain begins with UAT-8099 gaining preliminary entry to an IIS server, usually by both exploiting a safety vulnerability or weak settings within the internet server’s file add characteristic. That is adopted by the risk actor initiating a collection of steps to deploy malicious payloads –
Execute discovery and reconnaissance instructions to assemble system info
Deploy VPN instruments and set up persistence by making a hidden person account named “admin$”
Drop new instruments like Sharp4RemoveLog (take away Home windows occasion logs), CnCrypt Defend (disguise malicious recordsdata), OpenArk64 (open-source anti-rootkit to terminate safety product processes), and GotoHTTP (distant management of server)
Deploy BadIIS malware utilizing the newly created account
With safety merchandise taking steps to flag the “admin$” account, the risk actor has added a brand new examine to confirm if the identify is blocked, and in that case, proceeds to create a brand new person account named “mysql$” to keep up entry and run the BadIIS search engine optimization fraud service with none interruption. As well as, UAT-8099 has been noticed creating extra hidden accounts to make sure persistence.
One other notable shift revolves round the usage of GotoHTTP to remotely management the contaminated server. The device is launched via a Visible Primary Script that’s downloaded by a PowerShell command that is run following the deployment of an internet shell.
The BadIIS malware deployed within the assaults is 2 new variants personalized to focus on particular areas: Whereas BadIIS IISHijack singles out victims in Vietnam, BadIIS asdSearchEngine is primarily geared toward targets in Thailand or customers with Thai language preferences.
The top purpose of the malware nonetheless largely stays the identical. It scans incoming requests to IIS servers to examine if the customer is a search engine crawler. If that is the case, the crawler is redirected to an search engine optimization fraud web site. Nevertheless, if the request is from an everyday person and the Settle for-Language header within the request signifies Thai, it injects HTML containing a malicious JavaScript redirect into the response.
Cisco Talos mentioned it recognized three distinct variants throughout the BadIIS asdSearchEngine cluster –
Unique a number of extensions variant, which checks the file path within the request and ignores it if it accommodates an extension on its exclusion record that may both be useful resource intensive or hamper the web site’s look
Load HTML templates variant, which accommodates an HTML template era system to dynamically create internet content material by loading templates from disk or utilizing embedded fallbacks and changing placeholders with random information, dates, and URL-derived content material
Dynamic web page extension/listing index variant, which checks if a requested path corresponds to a dynamic web page extension or a listing index
“We assess that the risk actor, UAT-8099, carried out this characteristic to prioritize search engine optimization content material concentrating on whereas sustaining stealth,” Talos mentioned of the third variant.
“Since search engine optimization poisoning depends on injecting JavaScript hyperlinks into pages that search engines like google crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) the place these injections are best. Moreover, by limiting hooks to different particular file sorts, the malware avoids processing incompatible static recordsdata, thereby stopping the era of suspicious server error logs.”
There are additionally indicators that the risk actor is actively refining its Linux model of BadIIS. An ELF binary artifact uploaded to VirusTotal in early October 2025 consists of proxy, injector, and search engine optimization fraud modes as earlier than, whereas limiting the focused search engines like google to solely crawlers from Google, Microsoft Bing, and Yahoo!
