A sophisticated cyber campaign targeting Internet Information Services (IIS) servers across Asia has evolved with new, highly customized malware variants. Cisco Talos has identified a fresh wave of attacks by the threat actor UAT-8099, active from late 2025 through early 2026, which is specifically focusing on victims in Thailand, Vietnam, and surrounding regions.
Unlike broad-spectrum attacks that spray the internet with generic malware, UAT-8099 is tailoring its primary weapon, BadIIS, to fit the neighborhood. The malware now comes with “region-locking” capabilities built directly into its code.
According to the report, “New variants of BadIIS now hardcode the target region directly into the malware, offering customized features for each specific variant”.
This customization allows the attackers to blend in better with legitimate traffic. The malware includes “exclusive file extensions, corresponding dynamic page extensions, directory indexing configurations, and the ability to load HTML templates from local files”. This level of detail suggests the attackers have a deep understanding of the environments they are compromising.
Perhaps the most surprising development is the group’s expansion beyond Windows. While IIS is a Windows-centric service, Talos researchers discovered that UAT-8099 has adapted its tools for Linux environments.
“A Linux Executable and Linkable Format (ELF) variant of BadIIS was uploaded to VirusTotal on Oct. 1, 2025,” the report notes.
This Linux variant isn’t just a port; it’s a fully featured tool. It includes “proxy mode, injector mode, and search engine optimization (SEO) fraud mode,” mirroring the capabilities found in previous Windows versions. This cross-platform capability significantly widens the group’s potential attack surface.
The investigation also solidified links between UAT-8099 and another known threat cluster. Talos analysts found distinct fingerprints connecting this activity to the WEBJACK campaign.
“Analysis confirms significant operational overlaps between this activity and the WEBJACK campaign,” the researchers stated. “This includes critical indicators of compromise including malware hashes, command and control (C2), and victimology”.
Once inside a vulnerable server, the group uses a mix of custom and commercial tools to maintain control. The report details how UAT-8099 “uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers”.
With victims identified across “India, Pakistan, Thailand, Vietnam, and Japan,” organizations in the region are urged to audit their IIS configurations and monitor for the specific BadIIS indicators outlined by Cisco Talos.
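A starting point for that audit, added here as an example and not part of the Talos report or this article: BadIIS is delivered as a native IIS module, so listing the global modules IIS actually loads and checking where each DLL lives, whether it is signed, and what its SHA-256 is gives a defender a short list to compare against the published indicators. The script assumes the default `applicationHost.config` location and the default `inetsrv` directory; adjust both if the server is installed elsewhere.

```powershell
# Added example (not from the article or Cisco Talos): enumerate the native
# modules IIS loads from applicationHost.config and flag the ones worth a look.
# Assumes the default config path and the default inetsrv directory.
$ConfigPath  = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$TrustedRoot = (Join-Path $env:windir 'System32\inetsrv').ToLowerInvariant()

[xml]$config = Get-Content -Path $ConfigPath -Raw
$modules = $config.configuration.'system.webServer'.globalModules.add

$report = foreach ($m in $modules) {
    # Image paths in the config are normally written with %windir%; expand them first.
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $hash   = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { 'MISSING' }

    $flags = @()
    # A module DLL loaded from outside inetsrv (web root, temp, user profile) is unusual.
    if (-not $image.ToLowerInvariant().StartsWith($TrustedRoot)) { $flags += 'outside-inetsrv' }
    # Microsoft's modules are signed (often via catalog); anything else needs a second look.
    if ($exists -and $sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    if (-not $exists) { $flags += 'image-missing' }

    [pscustomobject]@{
        Name   = $m.name
        Image  = $image
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = $hash   # compare against the malware hashes in the Talos IoC list
        Flags  = ($flags -join ',')
    }
}

# Full inventory first, then only the rows that tripped a flag.
$report | Format-Table -AutoSize
$suspicious = $report | Where-Object { $_.Flags }
if ($suspicious) {
    Write-Warning 'Review these IIS modules against the BadIIS indicators published by Cisco Talos:'
    $suspicious | Format-List
}
```

Run it from an elevated prompt on the IIS host; a module that is unsigned, missing, or loaded from outside `inetsrv` is not proof of compromise, but its hash is what you check against the indicator list.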