Security researchers have described Operation Rewrite, an SEO-poisoning campaign targeting East and Southeast Asia, with Vietnam a primary focus. The operation plants a malware family dubbed BadIIS on compromised Microsoft Internet Information Services (IIS) servers and uses it to manipulate search results by injecting poisoned content into the responses those servers return.
Unit 42 researchers, including Yoav Zemah, said the campaign relies on a native IIS module, BadIIS, that inspects the User-Agent header of each incoming request to identify search engine crawlers. For crawler traffic the module contacts an external command-and-control (C2) server, fetches the poisoned content, and returns it in place of the real page; in effect it acts as a reverse proxy, so the manipulated content appears to originate from the compromised site's legitimate domain. Because the substitution is keyed on the crawler User-Agent, a site owner browsing the site normally will not see the injected content.
In practice, the attackers trade on the compromised site's good domain reputation: search engines index the injected content, the site begins to rank for the terms seeded by the C2 response, and visitors who search for those terms are lured to the site and redirected to scam pages. Analysts said the operation should be viewed as a long-running attack on trust in search results rather than simply a malware drop.
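The mechanism described above is ordinary User-Agent cloaking, and the cheapest external check for it is to request the same URL twice, once as a browser and once as a search-engine crawler, and diff the two bodies. The script below is an added example (not Unit 42's tooling); the two HTML bodies, the hostname spam.example and the 0.9 similarity threshold are constructed for illustration, and only the `fetch`/`check_url` path touches the network.

```python
"""Cloaking check for a site suspected of hosting a BadIIS-style module.

Added example (not Unit 42's tooling): the module keys its behaviour on the
User-Agent header, so fetching one URL as a browser and as a crawler and
diffing the bodies exposes crawler-only content from outside the server.
"""
import difflib
import re
import sys
import urllib.request

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample bodies standing in for two live fetches of one URL.
# The crawler copy carries a rewritten <title> and injected off-site links.
SAMPLE_BROWSER_HTML = """<html><head><title>Acme Tools - Home</title></head>
<body><h1>Welcome to Acme Tools</h1><p>Quality hardware since 1990.</p>
<a href="/catalog">Catalog</a><a href="/contact">Contact</a></body></html>"""

SAMPLE_CRAWLER_HTML = """<html><head><title>casino online uy tin - Acme Tools</title></head>
<body><h1>Welcome to Acme Tools</h1><p>Quality hardware since 1990.</p>
<a href="/catalog">Catalog</a><a href="/contact">Contact</a>
<div><a href="http://spam.example/casino">casino online</a>
<a href="http://spam.example/bet">nha cai uy tin</a></div></body></html>"""

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
ABS_HREF_RE = re.compile(r'href="https?://([^/"]+)', re.I)


def fetch(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch url with an explicit User-Agent (live network; not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def title_of(html: str) -> str:
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""


def linked_hosts(html: str) -> set:
    """Hostnames of absolute links; injected SEO links normally point off-site."""
    return {h.lower() for h in ABS_HREF_RE.findall(html)}


def compare_views(browser_html: str, crawler_html: str) -> dict:
    """Return indicators of crawler-only content between the two views."""
    title_changed = title_of(browser_html) != title_of(crawler_html)
    crawler_only_hosts = sorted(linked_hosts(crawler_html) - linked_hosts(browser_html))
    # autojunk=False: the default heuristic discards common characters in bodies over 200 chars
    similarity = difflib.SequenceMatcher(None, browser_html, crawler_html, autojunk=False).ratio()
    return {
        "title_changed": title_changed,
        "crawler_only_hosts": crawler_only_hosts,
        "similarity": round(similarity, 3),
        # 0.9 is an assumed threshold; tune it against the site's normal per-request variation
        "cloaked": title_changed or bool(crawler_only_hosts) or similarity < 0.9,
    }


def check_url(url: str) -> dict:
    """Live check: the same URL fetched as a browser and as a crawler."""
    return compare_views(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_url(sys.argv[1])
    else:
        result = compare_views(SAMPLE_BROWSER_HTML, SAMPLE_CRAWLER_HTML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it from a vantage point outside the affected network, and repeat with a second crawler User-Agent and a Referer header set to a search-engine results page, since a module may also key its redirects on the referrer of visitors arriving from search. Pages that legitimately vary per request (session tokens, rotating banners) will lower the similarity score, so the title and off-site-link indicators are the stronger signals.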
Unit 42 said that in at least one incident the attackers used their foothold on a compromised server to pivot into other systems, create new local user accounts, and drop web shells, which gave them persistence and a route to exfiltrate source code and host BadIIS implants on the network.
Three variants of BadIIS have been observed:
- A lightweight ASP.NET page handler that proxies malicious content from a remote C2 server, enabling SEO poisoning.
- A managed .NET IIS module that inspects and modifies requests to inject spam links and keywords from a different C2 server.
- An all-in-one PHP script that combines user redirection with dynamic SEO manipulation.
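Two of the three variants above, and the native module described earlier, have to be registered with IIS to run: a native module appears under `<globalModules>` in applicationHost.config, and a managed module or handler appears under `<modules>` or `<handlers>` with a .NET type name. The audit below is an added example (not Unit 42's tooling) that lists every registered module and handler and flags the ones that do not look like stock IIS or ASP.NET. The sample config, the module names in it, the assumption that %windir% is C:\Windows, and the "System." / "Microsoft." namespace heuristic are all constructed for illustration; the PHP variant is a file on disk and is not covered by this check.

```python
"""Audit IIS applicationHost.config for modules and handlers that are not stock IIS.

Added example (not Unit 42's tooling). Pass the path to applicationHost.config
as the first argument; with no argument it audits the constructed sample below.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: stock entries next to one native module loaded from an odd
# path, one managed module and one handler with unfamiliar types. The names and
# paths are illustrative only, not indicators from the campaign.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="HttpCacheModule" image="C:\\Windows\\Temp\\cache.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="StaticFileModule" />
        <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule"
             preCondition="managedHandler,runtimeVersionv4.0" />
        <add name="SeoHelper" type="Seo.Helper.Module, SeoHelper" />
      </modules>
      <handlers>
        <add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG"
             type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="SeoProxy" path="*.seo" verb="*" type="Seo.Proxy.Handler, SeoHelper" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
"""

# Heuristic (assumption): types shipped with ASP.NET live under these namespaces.
TRUSTED_TYPE_PREFIXES = ("System.", "Microsoft.")


def normalize_image(image: str, windir: str = "C:\\Windows") -> str:
    """Expand %windir%/%SystemRoot%, unify slashes and case so paths compare reliably."""
    path = re.sub(r"%(windir|systemroot)%", lambda _m: windir, image, flags=re.I)
    return path.replace("/", "\\").lower()


def audit(config_xml: str, windir: str = "C:\\Windows") -> list:
    """Return findings for native modules outside inetsrv and managed types outside ASP.NET namespaces."""
    root = ET.fromstring(config_xml)
    inetsrv = normalize_image(windir + "\\System32\\inetsrv\\", windir)
    findings = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            if not normalize_image(image, windir).startswith(inetsrv):
                findings.append({"kind": "native", "name": add.get("name", ""),
                                 "detail": image, "reason": "image loaded from outside inetsrv"})
    for tag, kind in (("modules", "managed module"), ("handlers", "handler")):
        for section in root.iter(tag):
            for add in section.findall("add"):
                mtype = add.get("type", "")
                # an entry with no type only enables a native module already listed in <globalModules>
                if mtype and not mtype.startswith(TRUSTED_TYPE_PREFIXES):
                    findings.append({"kind": kind, "name": add.get("name", ""),
                                     "detail": mtype, "reason": "type outside ASP.NET namespaces"})
    return findings


def main(argv):
    if len(argv) > 1:
        # applicationHost.config is normally written with a UTF-8 BOM
        with open(argv[1], encoding="utf-8-sig") as fh:
            config = fh.read()
    else:
        config = SAMPLE_CONFIG
    for f in audit(config):
        print(f"[{f['kind']}] {f['name']}: {f['detail']}  ({f['reason']})")


if __name__ == "__main__":
    main(sys.argv)
```

Treat the output as a triage list rather than a verdict: legitimate third-party modules will be flagged too, so confirm each hit by checking the file's Authenticode signature and timestamps, and compare it with a known-good server. Individual sites can register managed modules and handlers in their own web.config files, so run the same audit over those, and pair it with a review of recently created local accounts and web-shell-like files in site directories, which were the other persistence artefacts reported in the incident above.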
Researchers attributed the activity to Chinese-speaking actors, based on linguistic evidence and infrastructure overlaps with a cluster that related reporting has called Group 9. Operation Rewrite is part of a broader wave of attacks that abuse IIS to manipulate search results.