A China-linked threat actor tracked as UAT-8099 ran a campaign against vulnerable Microsoft Internet Information Services servers across Asia between late 2025 and early 2026, with a distinct concentration of attacks in Thailand and Vietnam.
KEY FACTS
- Incident: Compromise of IIS servers to deploy SEO fraud malware
- Timeframe: Late 2025 to early 2026
- Tools: Web shells, PowerShell, GotoHTTP and BadIIS variants
- Geography: Targets across Asia with focus on Thailand and Vietnam
In its technical analysis, Cisco Talos reported that UAT-8099 used web shells and PowerShell to execute scripts and to deploy GotoHTTP for remote access to compromised IIS servers.
The report describes an attack chain that usually begins with exploitation of a server vulnerability or of weak web file upload settings. After initial access, the actor runs discovery commands and then creates hidden accounts named “admin$” and sometimes “mysql$” to establish persistence.
Deployed tools include Sharp4RemoveLog to remove event logs, CnCrypt Protect to hide files, OpenArk64 to terminate security processes, and the GotoHTTP remote control tool. The actor then installs BadIIS malware under the created accounts to run SEO fraud services.
The report details two new BadIIS variants. BadIIS IISHijack targets victims in Vietnam. BadIIS asdSearchEngine targets servers in Thailand or users with Thai language preferences. The malware checks for search engine crawlers and injects malicious JavaScript or redirects when requests match targeted conditions.
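The crawler-conditional behaviour described above is a form of search-engine cloaking, and it leaves a trace in ordinary IIS access logs: the same URI answers differently depending on whether the User-Agent looks like a crawler. The following script is an added illustration, not code from the Talos report or from BadIIS itself. It parses IIS W3C extended log lines (the sample lines are constructed), classifies each request as crawler or browser by an assumed, non-exhaustive list of crawler user-agent markers, and flags URIs where crawlers received a status code (such as a 302 redirect) that no browser request to the same URI ever received.

```python
"""Detect search-engine cloaking in IIS W3C logs (constructed sample data).

Flags URIs where crawler user agents receive status codes that ordinary
browsers never see for the same URI. The log lines below are constructed
for illustration and are not taken from any report.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Illustrative crawler user-agent markers (lowercase). Assumption: this list
# is a starting point, not an exhaustive catalogue of crawler UAs.
CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot", "duckduckbot")

# Constructed IIS W3C extended log excerpt. Spaces inside a field appear as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-01-15 03:12:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 120
2026-01-15 03:12:09 10.0.0.5 GET /index.aspx - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 15
2026-01-15 03:13:44 10.0.0.5 GET /products.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121.0 - 200 0 0 98
2026-01-15 03:14:02 10.0.0.5 GET /products.aspx - 443 - 40.77.167.10 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 200 0 0 101
2026-01-15 03:15:30 10.0.0.5 GET /about.aspx - 443 - 66.249.66.2 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 12
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # header missing or malformed record: skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def is_crawler(user_agent: str) -> bool:
    """Classify a User-Agent string as a search-engine crawler by substring match."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def find_cloaking(records: Iterable[Dict[str, str]]) -> Dict[str, Tuple[frozenset, frozenset]]:
    """Return URIs where crawlers received status codes that browsers never did.

    URIs with no browser baseline are not reported, since there is nothing
    to compare against; they may still warrant a manual look.
    """
    crawler: Dict[str, Set[int]] = defaultdict(set)
    browser: Dict[str, Set[int]] = defaultdict(set)
    for rec in records:
        try:
            status = int(rec["sc-status"])
        except (KeyError, ValueError):
            continue
        uri = rec.get("cs-uri-stem", "")
        bucket = crawler if is_crawler(rec.get("cs(User-Agent)", "")) else browser
        bucket[uri].add(status)

    hits: Dict[str, Tuple[frozenset, frozenset]] = {}
    for uri, c_statuses in crawler.items():
        b_statuses = browser.get(uri)
        if not b_statuses:
            continue  # no browser baseline for this URI
        if not c_statuses <= b_statuses:
            hits[uri] = (frozenset(c_statuses), frozenset(b_statuses))
    return hits


if __name__ == "__main__":
    for uri, (c, b) in find_cloaking(parse_w3c(SAMPLE_LOG)).items():
        print(f"{uri}: crawlers got {sorted(c)}, browsers got {sorted(b)}")
```

On the sample data only /index.aspx is reported (crawlers redirected with 302, browsers served 200); /products.aspx is consistent and /about.aspx has no browser baseline. Injected JavaScript that does not change the status code will not show up here, so this check complements, rather than replaces, fetching the page with a crawler User-Agent and a browser User-Agent and diffing the two bodies.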
WHY IT MATTERS
Compromised IIS servers can deliver persistent SEO fraud and harm website integrity and search results. The campaign shows the actor using legitimate utilities and red team tools to evade detection and maintain long-term access.