Workflow assessed for commodity BadIIS | Image: Cisco Talos
A sweeping forensic threat intelligence report has exposed the inner workings of a sophisticated, highly commercialized cybercriminal operation targeting web infrastructure.
Security researchers at Cisco Talos have uncovered a prominent variant of the notorious BadIIS server malware. Operating under a highly lucrative Malware-as-a-Service (MaaS) business model, the developers behind this toolkit have spent nearly half a decade equipping global cybercrime syndicates with the tools necessary to turn hijacked web servers into silent cash cows.
As Cisco Talos explains in the executive summary of its investigation:
“This variant is likely sold or shared among multiple Chinese-speaking cybercrime groups that operate under a malware-as-a-service (MaaS) model for continuous monetization.”
The breakthrough in tracking the operational history of this threat didn’t stem from volatile network indicators, but rather from a treasure trove of metadata accidentally left behind during software compilation: embedded Program Database (PDB) strings.
By analyzing these local file path artifacts, Talos successfully mapped out the developmental timeline of a single, prolific malware author operating under the digital moniker “lwxat”. The PDB tracks expose a remarkably disciplined, long-term software engineering lifecycle.
According to the report:
“Analysis of program database (PDB) file paths reveals a sustained, multi-year development effort by an author operating under the alias ‘lwxat’, spanning from at least September 2021 through January 2026, with evidence of rapid iterative updates, feature branching, and reactive evasion tactics…”
During this five-year development run, the author executed rapid, sprint-like development cycles, evidenced by folder structures logging progressive calendar dates. The author even engaged in specialized administrative troubleshooting, building a specific directory branch labeled “dll-no503”. According to Talos, this build “likely represents a troubleshooting build designed to resolve an issue where the malware caused IIS to throw ‘503 Service Unavailable’ errors, which would otherwise alert server administrators to the infection”.
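The PDB-path technique Talos relied on is easy to reproduce on your own samples. The script below is an added example, not code from the Talos report: it scans a byte buffer for CodeView “RSDS” debug records, pulls out the embedded PDB path, and then derives an author alias, any date-stamped folder names and the remaining branch tags from that path so a corpus of samples can be ordered into a timeline. The sample record, the GUID, the alias-folder heuristic (the component after a root such as `work`, `src` or `Users`) and the date-folder pattern are all assumptions constructed for this example; the path shown is made up and is not an indicator from the report.

```python
import re
import struct
from datetime import date

# Constructed sample: a minimal CodeView "RSDS" debug record of the kind a PE's
# debug directory points at. The GUID, age and path are made up for this
# example; none of them are indicators from the Talos report.
_SAMPLE_PATH = rb"D:\work\lwxat\badiis\2023-06-14\dll-no503\x64\Release\iismodule.pdb"
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"RSDS"                      # CodeView 7.0 signature
    + bytes(range(16))             # 16-byte PDB GUID (constructed)
    + struct.pack("<I", 1)         # PDB age
    + _SAMPLE_PATH + b"\x00"       # NUL-terminated path, as the linker writes it
    + b"\x00" * 16
)

# RSDS, GUID, age, then a printable path ending in ".pdb" and a NUL terminator.
RSDS_RE = re.compile(rb"RSDS.{16}.{4}([\x20-\x7e]{4,512}?\.pdb)\x00", re.DOTALL)

# Folder names such as 2023-06-14, 20230614 or 2023_06_14 (assumed convention).
DATE_RE = re.compile(r"(20\d{2})[-_.]?(\d{2})[-_.]?(\d{2})")

# Path roots and build-output folders that carry no attribution value.
_NOISE = {"users", "work", "src", "projects", "x64", "x86", "release", "debug", "obj", "bin"}
_ROOTS = {"users", "work", "src", "projects"}


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every RSDS PDB path found in a raw byte buffer (e.g. a whole PE file)."""
    return [m.group(1).decode("ascii") for m in RSDS_RE.finditer(data)]


def parse_pdb_path(path: str) -> dict:
    """Pull an author alias, build dates and branch tags out of one PDB path.

    Alias heuristic (an assumption of this example): the component that follows
    a root folder such as 'work', 'src', 'projects' or 'Users'.
    """
    parts = path.replace("/", "\\").split("\\")
    alias = None
    for i, p in enumerate(parts[:-1]):
        if p.lower() in _ROOTS:
            alias = parts[i + 1]
            break
    dates = []
    for p in parts:
        m = DATE_RE.fullmatch(p)
        if m:
            try:
                dates.append(date(int(m[1]), int(m[2]), int(m[3])))
            except ValueError:
                pass  # a folder that merely looks like a date
    # Everything between the drive and the .pdb that is not noise, a date or the alias
    tags = [p for p in parts[1:-1]
            if p.lower() not in _NOISE and not DATE_RE.fullmatch(p) and p != alias]
    return {"path": path, "alias": alias, "dates": dates, "tags": tags}


def timeline(paths: list[str]) -> list[tuple[date, str]]:
    """Order a corpus of PDB paths by the dates embedded in them (earliest first)."""
    return sorted((d, info["path"])
                  for p in paths
                  for info in [parse_pdb_path(p)]
                  for d in info["dates"])


if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE_BLOB):
        print(parse_pdb_path(p))
```

Feed `extract_pdb_paths` the raw bytes of each sample; scanning the whole file rather than walking the debug directory also catches PDB strings left in overlays or unmapped data. The alias and tag heuristics are only as good as the author's folder discipline, so treat their output as leads to confirm against the binaries' compile timestamps, not as attribution on their own.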
To scale their commercial operations, “lwxat” engineered a dedicated graphical builder application that automates the compilation of custom payload configurations for downstream buyers.
When a threat actor licenses the software, they use the builder tool to generate customized JavaScript redirectors, server configuration tables, and PHP backlink injections without needing to write a single line of raw code. The builder facilitates a diverse menu of illicit capabilities:
- Traffic Redirection: Forcibly hijacking legitimate consumer browser traffic and routing it directly to underground spam infrastructure, illegal gambling arenas, or adult content platforms.
- Reverse Proxying: Intentionally intercepting search engine crawlers. When a crawler arrives, the malware acts as a reverse proxy, silently pulling black-hat SEO spam data from the attacker’s backend and rendering it to the search engine to manipulate public rankings.
- Content Hijacking: Modifying target title, description, and keyword (TDK) metadata at a configurable percentage rate to silently piggyback off the victim site’s domain authority.
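The redirection and reverse-proxying behaviours above leave a distinctive footprint in the server's own request logs: search-engine crawlers receive a 200 for a URL on which ordinary browsers are consistently redirected away. The script below is an added example, not code from Talos or from the malware's builder; it parses IIS W3C-format log lines and reports URLs that show that split. The log lines, IP addresses and crawler user-agent pattern are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt. IIS writes '+' in place of spaces inside the
# user-agent field; the addresses and requests are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2026-01-10 08:01:02 GET /products.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 302
2026-01-10 08:01:05 GET /products.aspx 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) 200
2026-01-10 08:01:09 GET /products.aspx 198.51.100.8 Mozilla/5.0+(compatible;+Baiduspider/2.0) 200
2026-01-10 08:02:11 GET /products.aspx 203.0.113.11 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0)+Safari/604.1 302
2026-01-10 08:03:40 GET /about.aspx 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121 200
2026-01-10 08:03:44 GET /about.aspx 198.51.100.9 Mozilla/5.0+(compatible;+bingbot/2.0) 200
"""

# Crawler identification by user-agent substring (assumed list for this example).
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|sogou|yandex|360spider", re.I)


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        yield dict(zip(fields, line.split()))


def cloaking_candidates(text: str) -> list[dict]:
    """Return URLs where every browser request was redirected but crawlers got a 200."""
    by_uri = defaultdict(lambda: {"crawler": defaultdict(int), "browser": defaultdict(int)})
    for rec in parse_w3c(text):
        cls = "crawler" if CRAWLER_RE.search(rec["cs(User-Agent)"]) else "browser"
        status_class = rec["sc-status"][0]  # '2', '3', '4' or '5'
        by_uri[rec["cs-uri-stem"]][cls][status_class] += 1
    hits = []
    for uri, classes in by_uri.items():
        crawler_ok = classes["crawler"].get("2", 0)
        browser_redirect = classes["browser"].get("3", 0)
        browser_total = sum(classes["browser"].values())
        if crawler_ok and browser_total and browser_redirect == browser_total:
            hits.append({"uri": uri, "crawler_200": crawler_ok, "browser_3xx": browser_redirect})
    return hits


if __name__ == "__main__":
    for hit in cloaking_candidates(SAMPLE_LOG):
        print(hit)
```

A hit is a lead, not a verdict: a mobile-site or geo redirect can produce the same split for a single URL, so confirm by fetching the URL with a crawler and a browser user-agent and diffing the responses. Note also that the “xshen” variant described later keys its redirect on the browser's language rather than its user-agent; the default W3C field set does not record `Accept-Language`, so catching that variant from logs requires enabling the header as a custom log field first.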
The modularity of the MaaS ecosystem means that customers can order highly customized, premium features directly from the author. Talos recovered specialized builds displaying folder structures translated as “compatible with Baidu browser + hijacking robots.txt” and “bypass Norton,” highlighting a highly reactive workflow designed to defeat active security vendor signatures.
The ultimate proof of this custom-order pipeline surfaced in a series of PDB strings tailored for a high-value client or buyer operating under the alias “x神” (xshen).
The report states:
“This suggests that the author created a dedicated development folder for a user or client named ‘xshen’ (x神), indicating that this particular BadIIS variant was a customized build tailored specifically for ‘xshen’s’ requirements: a full-site traffic hijacking with redirection logic based on the victim’s browser language settings.”
To establish persistence for these customized implants, the operation utilizes a suite of multi-stage service installers and module initialization droppers that bundle the malicious binaries inside standalone executables. These installers copy the payloads straight into native IIS resource trees—impersonating trusted core processes like svchost.exe or FaxService.
If an antivirus solution flags and removes the active hooking module, the persistent Windows service automatically extracts a fresh copy from a hidden backup directory (C:\Windows\Logs) upon the next server restart, ensuring durable, long-term survival.
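Two of the persistence details above translate directly into host checks: the implant must be registered as an IIS native module, and a spare copy sits under C:\Windows\Logs. The script below is an added example, not code from the Talos report; it parses the `<globalModules>` section of an `applicationHost.config` and flags modules whose image lives outside the `inetsrv` directory, is absent from a baseline taken on a clean server, or is named after a trusted Windows component, and it separately flags executable files under the backup directory the report names. The config fragment, the baseline, the impersonated-name list and the directory listing are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment: three stock IIS modules plus two
# entries shaped like the implants the report describes (names are made up).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticCompressionModule" image="%windir%\\System32\\inetsrv\\compstat.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="FaxService" image="%windir%\\System32\\inetsrv\\FaxService.dll" />
      <add name="HttpCacheEx" image="C:\\inetpub\\temp\\svchost.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Module name -> expected image basename, captured from a known-clean server.
# This short list is constructed for the example; build the real one yourself.
BASELINE = {
    "UriCacheModule": "cachuri.dll",
    "StaticCompressionModule": "compstat.dll",
    "RequestFilteringModule": "modrqflt.dll",
}

# Basenames of trusted Windows components that have no business being an IIS
# native module (assumed list, seeded from the names the report mentions).
IMPERSONATED = {"svchost", "faxservice"}

# Constructed directory listing of the backup location named in the report.
SAMPLE_LISTING = [
    "C:\\Windows\\Logs\\CBS\\CBS.log",
    "C:\\Windows\\Logs\\WindowsUpdate\\wu.etl",
    "C:\\Windows\\Logs\\iiscache.dll",
]


def audit_global_modules(config_xml: str, baseline=BASELINE, windir="C:\\Windows") -> list[dict]:
    """Return every <globalModules> entry that deviates from a clean IIS install."""
    inetsrv = PureWindowsPath(windir, "System32", "inetsrv")
    findings = []
    root = ET.fromstring(config_xml)
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "").replace("%windir%", windir)
            path = PureWindowsPath(image)
            reasons = []
            if path.parent != inetsrv:
                reasons.append(f"image outside {inetsrv}")
            if name not in baseline:
                reasons.append("module name not in baseline")
            elif baseline[name].lower() != path.name.lower():
                reasons.append(f"baseline expects {baseline[name]}")
            if path.stem.lower() in IMPERSONATED:
                reasons.append("image named after a trusted Windows component")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


def backup_copies(listing: list[str], logs_dir="C:\\Windows\\Logs") -> list[str]:
    """Flag DLL/EXE files under the directory the report names as the backup store."""
    base = PureWindowsPath(logs_dir)
    return [f for f in listing
            if PureWindowsPath(f).suffix.lower() in (".dll", ".exe")
            and base in PureWindowsPath(f).parents]


if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG):
        print(finding)
    print(backup_copies(SAMPLE_LISTING))
```

On a live server, read `%windir%\System32\inetsrv\config\applicationHost.config` and a recursive listing of `C:\Windows\Logs` into these functions; a module flagged for all three reasons, or a DLL in the logs directory with the same hash as a registered module, is the pattern the report describes. Because the service re-drops the module on restart, removing the loaded DLL alone is not a fix; the service and the backup copy have to go at the same time.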