Summary:
UAT-8099, a China-affiliated threat actor, is actively compromising poorly secured Microsoft IIS servers across Asia to deploy BadIIS malware for large-scale SEO manipulation and persistent server abuse, with observed concentration in Thailand and Vietnam. Active from late 2025 through early 2026, the campaign leverages web shells, PowerShell loaders, and legitimate red-team tooling to evade detection, create concealed local user accounts, and maintain long-term access via VPN-based remote connectivity. BadIIS payloads selectively target search engine crawlers and region-specific users to manipulate search rankings while minimizing exposure to administrators and security controls. This activity reflects a maturing tradecraft focused on stealth, geographic targeting, and operational resilience, posing both security and reputational risks to affected organizations.
Technical Description:
The UAT-8099 intrusion chain begins with the exploitation of vulnerable or misconfigured IIS servers, most commonly through weak server-side file-upload controls that allow arbitrary file execution. Following initial compromise, web shells are deployed to establish command execution, after which PowerShell-based loaders are used to stage additional tooling. Persistence is achieved through the creation of concealed local user accounts (for example, admin$ or mysql$), host reconnaissance, and the deployment of VPN utilities such as SoftEther and EasyTier, combined with GotoHTTP for remote command execution initiated via VBScript.
Defense evasion techniques include using tools such as Sharp4RemoveLog to delete Windows event logs, CnCrypt Protect to obscure malicious artifacts, and OpenArk64 to disable or terminate security processes. BadIIS malware variants are then installed to selectively hook dynamic IIS content, identify search engine crawlers or region-specific language indicators, and inject malicious redirects or JavaScript payloads. This selective manipulation enables sustained SEO poisoning while reducing error generation, logging artifacts, and the likelihood of operational detection.
Delivery and Infection Chain:
UAT-8099 primarily gains initial access by exploiting unpatched IIS vulnerabilities or abusing insecure file upload mechanisms that allow arbitrary script execution. Once access is obtained, web shells are deployed to establish a foothold and enable interactive command execution. PowerShell is then used to download and execute secondary payloads, transitioning the compromise from opportunistic access to a controlled and persistent intrusion within the IIS environment. The infection chain was identified as follows:
- Initial access is achieved by exploiting unpatched IIS vulnerabilities or insecure file upload mechanisms to deploy a web shell.
- The threat actor performs system discovery and executes PowerShell commands to download and stage additional tools and payloads.
- Persistence is established through the creation of hidden local user accounts (e.g., admin$, mysql$) and the deployment of VPN utilities to enable sustained remote access.
- Defense evasion techniques are applied, including clearing Windows event logs, concealing malicious artifacts, and terminating security-related processes.
- BadIIS malware variants are deployed to selectively inject redirects or JavaScript into IIS responses, targeting search engine crawlers and region-specific users for SEO poisoning.
Technical Capabilities:
UAT-8099 demonstrates extensive control over compromised IIS environments through the combined use of web shells, PowerShell loaders, and the GotoHTTP remote access framework, enabling reliable command execution and long-term server management. To evade detection, the actor employs a mix of legitimate administrative utilities and red-team tools to remove event logs, hide malicious files, and disable security software. Persistence is reinforced through the creation of covert local user accounts and the use of VPN software such as SoftEther and EasyTier, allowing continued access even if primary web shells are discovered and removed.
BadIIS malware deployed by UAT-8099 exhibits advanced traffic inspection and response manipulation capabilities. The malware selectively hooks dynamic IIS pages and directory indexes, identifies search engine crawlers through request analysis, and issues conditional redirects to SEO fraud infrastructure. Region-specific variants further inspect HTTP headers, such as Accept-Language, to inject malicious JavaScript or tailored content for targeted users, while deliberately avoiding static resources and incompatible file types to minimize errors, reduce logging, and maintain operational stealth.
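As an added illustration of the crawler-selective behaviour described above (not code from the report or from Talos), the following Python script reads a constructed IIS W3C log excerpt and flags URIs where search-engine crawler User-Agents only ever receive redirects while ordinary browsers get responses the crawlers never see; the log lines, field layout and crawler list are assumptions.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the report); IIS encodes spaces in
# the User-Agent as '+', so each record splits cleanly on single spaces.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2026-01-10 08:00:01 GET /products.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 200
2026-01-10 08:00:05 GET /products.aspx 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 302
2026-01-10 08:00:09 GET /products.aspx 203.0.113.11 Mozilla/5.0+(Macintosh)+Safari/605 200
2026-01-10 08:00:12 GET /style.css 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2026-01-10 08:00:20 GET /default.aspx 40.77.167.5 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) 302
2026-01-10 08:00:21 GET /default.aspx 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121 200
2026-01-10 08:00:30 GET /login.aspx 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2026-01-10 08:00:31 GET /login.aspx 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121 200
"""

# Crawler User-Agent tokens used to classify requests (an assumed, non-exhaustive list).
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)


def parse_iis_log(text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_cloaked_paths(text):
    """Return {path: (crawler_statuses, browser_statuses)} for paths where crawlers
    only ever get 3xx responses and browsers never share any of those status codes."""
    seen = defaultdict(lambda: {"crawler": set(), "human": set()})
    for rec in parse_iis_log(text):
        cls = "crawler" if CRAWLER_RE.search(rec["cs(User-Agent)"]) else "human"
        seen[rec["cs-uri-stem"]][cls].add(rec["sc-status"])
    flagged = {}
    for path, s in seen.items():
        crawler_redirected = s["crawler"] and all(c.startswith("3") for c in s["crawler"])
        if crawler_redirected and s["human"] and s["crawler"].isdisjoint(s["human"]):
            flagged[path] = (sorted(s["crawler"]), sorted(s["human"]))
    return flagged


if __name__ == "__main__":
    for path, (bots, browsers) in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"possible cloaking on {path}: crawlers={bots} browsers={browsers}")
```

Accept-Language is not among the default IIS log fields; adding it as a custom logging field lets the same per-path comparison be applied to the region-specific variants the report describes.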
Attribution and Evolution:
Based on operational characteristics, infrastructure patterns, and tooling overlap, UAT-8099 is assessed to be a China-affiliated threat actor. Activity has been observed since at least April 2025 and shows strong similarities to the WEBJACK BadIIS campaign previously documented by WithSecure. The actor’s tradecraft has evolved from broad, opportunistic SEO fraud toward more selective, region-focused operations, incorporating increased use of legitimate red-team tools and adaptive persistence mechanisms in response to defensive detection.
Active Campaign and Geographic Spread:
The active campaign, observed from late 2025 through early 2026, targets IIS servers across Asia, with primary focus on Thailand and Vietnam. Additional activity has been detected in India, Pakistan, and Japan. Customized BadIIS variants tailored to regional languages and user behavior indicate deliberate victim selection rather than indiscriminate scanning. While the full scope of the campaign remains undetermined, observed infrastructure and tooling suggest coordinated and persistent operations.
Conclusion:
UAT-8099 represents a maturing threat actor specializing in the exploitation of IIS infrastructure for long-term, low-visibility operations. The combination of selective content manipulation, adaptive persistence, and geographic targeting underscores the need for improved IIS hardening, vigilant account monitoring, and behavioral detection focused on web-server abuse rather than traditional endpoint indicators.
Impact:
Compromised IIS servers are leveraged to conduct stealthy SEO poisoning, redirecting search engine crawlers and regional users to fraudulent or malicious content. This activity can damage website reputation, lead to search engine blacklisting, undermine site integrity, and expose visitors to additional malware. Persistent unauthorized access to production web servers further increases the risk of data exposure, lateral movement, and follow-on attacks beyond the initial SEO fraud objective.
IOC and Context Details:
| Topics | Details |
| --- | --- |
| Tactic Name | Initial Access, Persistence, Defense Evasion, Command and Control, Impact |
| Technique Name | Exploitation of Public-Facing Applications, Web Shell Deployment, Valid Account Abuse, Indicator Removal on Host, Application-Layer Communication |
| Sub-Technique Name | IIS Server Software Exploitation, Web Shell Execution, Local Account Creation, Windows Event Log Clearing, Web-Based Command and Control |
| Attack Type | Malware |
| Targeted Applications | Microsoft Internet Information Services (IIS), Windows Server Environments |
| Region Impacted | Thailand, Vietnam, India, Pakistan, Japan |
| Industry Impacted | Web Hosting Providers, Enterprise Web Services, E-commerce Platforms, Government and Public-Facing Websites |
IOCs:
SHA-256 Hashes:
Malicious URLs:
CVE: NA
Recommended Actions:
- Ensure all IIS servers and underlying Windows systems are fully patched and regularly updated to remediate known vulnerabilities.
- Audit and harden file upload functionality to prevent arbitrary file execution and unauthorized script deployment.
- Monitor for the creation of hidden or anomalous local user accounts, particularly accounts ending with special characters such as “$”.
- Implement logging and alerting for PowerShell and VBScript execution, as well as suspicious process activity on web servers.
- Restrict and monitor outbound network connections from IIS servers, especially VPN-related traffic and unknown external endpoints.
- Deploy web application firewalls and detection rules tailored to identify web shell activity and IIS response manipulation.
- Regularly review IIS directories and configuration settings for unauthorized files, scripts, or changes to response handling behavior.
- Establish incident response procedures for compromised web servers, including credential rotation, server reimaging, and forensic analysis.
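As an added example for the account-monitoring recommendation above (not code from the report), this Python script reads a constructed excerpt in the shape of `wevtutil qe Security /f:xml` output and flags "user account created" events (4720) whose account name ends in `$`, as with the admin$ and mysql$ accounts the report describes, or whose creator is an IIS application pool identity; the event contents and the app-pool heuristic are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Security-log excerpt (host names, accounts and creators are invented,
# not taken from the report); the last event is a computer account (4741), not a user.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4720</EventID><Computer>WEB01</Computer></System>
 <EventData><Data Name="TargetUserName">admin$</Data><Data Name="SubjectUserName">DefaultAppPool</Data><Data Name="SubjectDomainName">IIS APPPOOL</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4720</EventID><Computer>WEB01</Computer></System>
 <EventData><Data Name="TargetUserName">mysql$</Data><Data Name="SubjectUserName">Administrator</Data><Data Name="SubjectDomainName">WEB01</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4720</EventID><Computer>WEB01</Computer></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="SubjectUserName">Administrator</Data><Data Name="SubjectDomainName">WEB01</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4741</EventID><Computer>DC01</Computer></System>
 <EventData><Data Name="TargetUserName">WEB02$</Data><Data Name="SubjectUserName">Administrator</Data><Data Name="SubjectDomainName">CORP</Data></EventData></Event>
</Events>"""


def audit_account_creations(xml_text):
    """Return [(account, [reasons])] for suspicious 'user account created' (4720) events.

    Computer accounts are logged under 4741, so a 4720 whose name ends in '$' is a
    deliberately created user account; 'net user' omits such names, which is why the
    report calls them hidden. Creation by an IIS application pool identity is also
    flagged (assumed heuristic), since that is the security context a web shell runs in.
    """
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4720":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        reasons = []
        if data.get("TargetUserName", "").endswith("$"):
            reasons.append("user account name ends with '$'")
        if data.get("SubjectDomainName", "").upper() == "IIS APPPOOL":
            reasons.append("created by an IIS application pool identity")
        if reasons:
            findings.append((data.get("TargetUserName", ""), reasons))
    return findings


if __name__ == "__main__":
    for account, reasons in audit_account_creations(SAMPLE_EVENTS):
        print(f"{account}: {'; '.join(reasons)}")
```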
Reference:
https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/