China-Linked UAT-8099 Deploys BadIIS Malware for SEO Fraud Across Asia

Cisco Talos has identified a widespread campaign by Chinese-speaking threat actor UAT-8099 targeting vulnerable IIS servers across Asia with BadIIS malware. The campaign hijacks legitimate organizational websites to conduct SEO fraud for online gambling sites while simultaneously stealing visitor credentials.

Campaign overview

Attribute	Details
Threat actor	UAT-8099
Attribution	Chinese-speaking cybercrime group
Malware family	BadIIS
Target	IIS web servers
Primary regions	Thailand, Vietnam, India, Pakistan, Japan
Campaign period	Late 2025 - Early 2026
Discovery	Cisco Talos

Geographic targeting

Affected regions

Region	Targeting intensity
Thailand	High concentration
Vietnam	High concentration
India	Moderate
Pakistan	Moderate
Japan	Moderate
Canada	Some activity
Brazil	Some activity

Victim organizations

Sector	Examples
Universities	Academic institutions
Technology companies	Tech firms
Telecommunications	ISPs and telcos
Government	Government agencies

BadIIS malware

What is BadIIS?

Attribute	Details
First observed	2021
Type	Native IIS module
Integration	Web server request pipeline
Privileges	Inherits web server permissions
Purpose	SEO fraud, credential theft, redirects

BadIIS is an umbrella term for malicious native IIS modules that intercept website traffic. These modules integrate directly into the web server’s request pipeline, allowing comprehensive traffic manipulation.

Regional variants

Variant	Target
IISHijack	Vietnam specifically
asdSearchEngine	Thailand / Thai language users

The variants demonstrate UAT-8099’s regional customization, adapting malware behavior based on victim location and language preferences.

Operational modes

Mode	Function
Proxy mode	Route traffic through attacker infrastructure
Injector mode	Insert content into legitimate pages
SEO fraud mode	Serve SEO content to search crawlers

Attack methodology

Initial compromise

Stage	Action
1	Scan for vulnerable IIS servers
2	Exploit security misconfigurations
3	Exploit file upload vulnerabilities
4	Upload web shells

Post-exploitation

Stage	Action
5	Conduct reconnaissance
6	Escalate privileges
7	Enable RDP access
8	Install persistence mechanisms
9	Deploy BadIIS malware

Tools used

Tool	Purpose
Web shells	Initial access
Cobalt Strike	Backdoor
SoftEther VPN	Persistence/tunneling
Fast Reverse Proxy (FRP)	Traffic routing
Custom automation scripts	Defense evasion

SEO fraud operation

Dual-behavior system

Visitor type	BadIIS behavior
Search engine crawler	Serve gambling SEO keywords
Human visitor (legitimate)	Pass through unchanged
Human visitor (targeted)	Redirect or inject content

How SEO poisoning works

Step	Action
1	Crawler visits compromised legitimate site
2	BadIIS detects crawler user-agent
3	Returns page stuffed with gambling keywords
4	Search engine indexes gambling content
5	Gambling sites rank higher using victim’s reputation

By injecting SEO content only for search crawlers, attackers exploit the legitimate site’s domain authority without alerting human visitors or site administrators.

Credential theft

Injection capabilities

Capability	Impact
Form injection	Capture login credentials
JavaScript injection	Keylogging, data theft
Redirect injection	Send users to phishing sites

Detection indicators

Network indicators

Indicator	Description
Unusual IIS module loading	Native module installations
Crawler-specific responses	Different content for bots
Gambling keyword traffic	SEO content in responses
C2 communications	Cobalt Strike beacons

Host indicators

Indicator	Description
New IIS native modules	Unauthorized DLLs in IIS
Web shells	Unexpected ASPX/PHP files
VPN software	SoftEther, FRP installations
Modified IIS configuration	applicationHost.config changes

Recommendations

For IIS administrators

Priority	Action
Critical	Audit installed IIS modules
Critical	Review file upload functionality
High	Implement Web Application Firewall
High	Monitor for configuration changes
Medium	Restrict module installation permissions

For security teams

Priority	Action
High	Hunt for BadIIS indicators
High	Monitor crawler vs. human response differences
Medium	Implement IIS integrity monitoring
Medium	Deploy behavior-based detection

For organizations

Priority	Action
High	Patch IIS servers promptly
High	Restrict administrative access
Medium	Implement network segmentation
Medium	Monitor outbound connections

Context

UAT-8099’s BadIIS campaign demonstrates how threat actors monetize compromised web servers beyond traditional data theft. By exploiting the trust search engines place in legitimate organizational domains, attackers can boost gambling and other illicit sites’ search rankings—a service with real black-market value.

The dual-behavior approach makes detection challenging: administrators and regular visitors see normal website operation, while search crawlers receive entirely different content. Only by specifically testing crawler responses can organizations detect the compromise.

The regional focus on Southeast Asia, particularly Thailand and Vietnam, with customized malware variants suggests either regional criminal partnerships or specific market targeting for the gambling SEO services.

For IIS administrators, the key defensive measure is monitoring and restricting native module installations. BadIIS requires loading a malicious DLL into the IIS pipeline—an action that should trigger alerts in properly monitored environments.

The combination of Cobalt Strike for persistent access and VPN tools for tunneling indicates a sophisticated operation capable of long-term presence on compromised servers. Organizations discovering BadIIS indicators should assume broader compromise and conduct thorough incident response.