Cybersecurity researchers have identified a Chinese-speaking cybercrime group, tracked as UAT-8099, that conducts search engine optimization (SEO) fraud and steals high-value credentials, configuration files and certificate data, according to Cisco Talos researcher Joey Chen, whose team first discovered the cluster in April 2025.
Most of the reported infections involve Microsoft Internet Information Services (IIS) servers in India, Thailand, Vietnam, Canada and Brazil, and the affected hosts include universities, technology companies and telecommunications providers. The researchers said the group’s operations are aimed primarily at mobile users on Android and Apple iPhone devices.
According to the analysis, UAT-8099 gains initial access by exploiting vulnerabilities or insecure file-upload settings on IIS servers, uploads web shells to conduct reconnaissance, and escalates privileges by enabling the guest account and moving to administrator access. The group then enables Remote Desktop Protocol (RDP) for ongoing access and deploys Cobalt Strike as its preferred post-exploitation backdoor while taking steps to block other attackers from using the same entry point.
For persistence and remote control the actors combine RDP with VPN and proxy tools such as SoftEther VPN, EasyTier and FRP, and culminate operations by installing variants of the BadIIS malware. The researchers said the BadIIS variant observed in this campaign has been modified to evade detection and that its SEO manipulation routines only activate when requests present a Google User-Agent.
The report says the intruders search compromised hosts with a graphical file-indexing tool called Everything to locate valuable data, which is then packaged for resale or further exploitation. BadIIS can operate in proxy, injector and SEO-fraud modes, and the researchers noted it is one of several tools used by Chinese-speaking clusters in similar campaigns. It is not currently clear how many servers UAT-8099 has compromised.