Cisco Talos researchers have detailed the activities of UAT-8099, a Chinese-speaking cybercrime group leveraging compromised Microsoft IIS servers to conduct search engine optimization (SEO) fraud and steal high-value credentials, configuration files, and certificate data.
According to Talos, “UAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions.” The group’s victims span universities, tech firms, and telecommunications providers in countries including India, Thailand, Vietnam, Canada, and Brazil.
UAT-8099 exploits weak IIS upload restrictions to plant web shells, establishing initial access. Cisco Talos explains: “The target web server allowed users to upload files to the server, but did not restrict the file type, which allowed UAT-8099 to upload the web shell. This established initial access and gave them control over the compromised server.”
From there, the attackers enable the guest account, elevate its privileges to administrator, and activate RDP for long-term access. They also create hidden administrator accounts like “admin$” for persistence. Talos notes that “they combine RDP access with SoftEther VPN, EasyTier … and FRP reverse proxy tool” to maintain remote connectivity.
Beyond SEO fraud, UAT-8099 also engages in direct theft of sensitive information. Talos highlights: “Talos did not only observe UAT-8099 conducting SEO fraud, but also stealing high-value credentials, configuration files and certificate data.”
The attackers use tools such as Procdump to dump credentials from process memory, then consolidate logs, certificates, and configuration files into hidden directories and package them into WinRAR archives for exfiltration.
To manipulate search engine results, UAT-8099 installs customized BadIIS malware directly on compromised servers. Cisco observed two distinct clusters: one with very low antivirus detection rates, and another containing simplified Chinese debug strings.
In one sample, Talos notes: “The OnSendResponse handler … delivers specific content from C2 server to requests where the ‘User-Agent’ is Googlebot, manipulating search rankings to increase the visibility of the malicious content.”
This allows attackers to poison search results, redirect users to gambling and fraudulent sites, and inject malicious JavaScript into responses.
The group also deploys Cobalt Strike beacons for deeper persistence and post-exploitation. Using DLL sideloading with inetinfo.exe, UAT-8099 executes a multi-stage loader chain. Talos explains: “We also identify this third stage payload as the User-Defined Reflective Loader for the Cobalt Strike beacon … The erased original PE header and heavy obfuscation in each stage are consistent with the blog description.”

This provides the attackers with command-and-control flexibility while blending in with normal network traffic through CDN-like URLs and Exchange-style ports.
The UAT-8099 campaign demonstrates how cybercriminals are blending SEO fraud with credential theft and persistent malware to maximize financial gain. By compromising high-value IIS servers, the group not only manipulates search results but also harvests sensitive data from reputable organizations.
As Cisco Talos concludes, “UAT-8099 maintains persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware; their automation scripts are customized to evade defenses and hide activity.”
Organizations running IIS servers are strongly urged to harden file upload settings, monitor for web shell activity, and apply layered defenses against both SEO poisoning and credential theft.
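The following host-triage script is an added example for defenders, not code from the Talos report; it checks an IIS host for the persistence artifacts the article describes (a native IIS module loaded from a non-standard path, an enabled Guest account, "$"-suffixed local administrators, and RDP switched on). It assumes it runs elevated on the server with the WebAdministration module available.

```powershell
# Added triage script (not from the Talos report). Assumes an elevated session on the
# IIS host with the WebAdministration module; the indicators mirror the article.
Import-Module WebAdministration -ErrorAction Stop

$findings = @()
$inetsrv  = Join-Path $env:windir 'System32\inetsrv'

# 1. Native (global) IIS modules: BadIIS registers itself as one. Flag any module whose
#    image path is outside the inetsrv directory or the .NET Framework folders.
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    if ($image -notlike "$inetsrv\*" -and $image -notlike "$env:windir\Microsoft.NET\*") {
        $findings += "Non-standard native IIS module '$($m.Name)' loaded from $image"
    }
}

# 2. Guest account enabled (RID 501); the article notes the group enables and elevates it.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }

# 3. Hidden-style local administrators such as 'admin$'.
foreach ($member in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue) {
    if ($member.Name -match '\$$') {
        $findings += "Local administrator with a '`$'-suffixed name: $($member.Name)"
    }
}

# 4. RDP enabled (fDenyTSConnections = 0 means incoming RDP connections are allowed).
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings += 'RDP is enabled (fDenyTSConnections = 0)' }

if ($findings.Count -eq 0) { Write-Output 'No UAT-8099-style indicators found' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A hit on any check is a lead for investigation, not proof of compromise; a flagged module path should be compared against the server's change records and the file's signature before action is taken.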