Researchers at Unit 42 uncovered a large-scale search engine optimization (SEO) poisoning campaign, tracked as CL-UNK-1037 and dubbed Operation Rewrite. The operation leverages a malicious IIS module known as BadIIS to manipulate search engine results and redirect unsuspecting victims to scam websites.
According to the report, “we assess with high confidence that a Chinese-speaking threat actor operates this campaign. We call this ‘Operation Rewrite’ in reference to the English translation of one of the object names in the threat actor’s code.”
BadIIS malware integrates directly into IIS web servers, intercepting and modifying requests with full server privileges. First profiled in 2021, these modules can:
- Inject malicious JavaScript or iframes.
- Act as a reverse proxy for attacker-controlled content.
- Hijack 302 redirects to trick crawlers.
- Steal sensitive information.
The Unit 42 team emphasizes the privileged position of this malware: “Due to this privileged position within the web server, a single implant can perform a wide range of actions.”

Operation Rewrite unfolds in two phases:
Phase 1 – Poison the Lure
The attackers trick search engines into indexing poisoned content:
- Search engine crawlers visit a compromised website.
- BadIIS intercepts the request and detects the crawler through its User-Agent.
- The module fetches keyword-stuffed HTML from its C2 server.
- The poisoned content is served, boosting the site’s ranking for unrelated but popular queries.
Phase 2 – Spring the Trap
Once real users click the poisoned results, the trap activates:
- BadIIS inspects the Referer header.
- If the request comes from a search engine, the visitor is flagged as a victim.
- The C2 server delivers malicious redirects.
- Victims expecting legitimate content are funneled into scam or betting websites.
Unit 42 notes, “The victim, who expected to visit www.victim[.]com, is immediately sent to the attacker-controlled scam content.”
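Both phases leave a footprint in the server's own access logs: the same URL answers a crawler with a much larger body than it gives an ordinary visitor, and it answers visitors arriving from a search engine with a redirect while direct visitors get a normal 200. The script below turns those two observations into a check over IIS W3C logs. It is an added example written for this article, not code from Unit 42 or from the campaign; the crawler User-Agent tokens, the search-engine referer domains, the size ratio and the log lines are all constructed assumptions to be tuned for a real site.

```python
"""Heuristic detection of BadIIS-style cloaking in IIS W3C logs.

Added example for this write-up; not code from Unit 42 or from the campaign.
The crawler UA tokens, search referers and log lines are constructed.
"""
import re
from collections import defaultdict
from statistics import median

# Assumed crawler UA tokens and search referers; extend for the engines your site serves.
CRAWLER_UA = re.compile(r"googlebot|bingbot|coccocbot|baiduspider|yandexbot", re.I)
SEARCH_REFERER = re.compile(r"^https?://([^/]*\.)?(google|bing|coccoc|timkhap)\.", re.I)

# Constructed W3C log excerpt. IIS writes '+' for spaces inside field values, so a
# whitespace split recovers the columns. sc-bytes has to be enabled in the site's
# logging fields for the size heuristic to apply.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes
2025-09-01 08:00:01 10.0.0.5 GET /news/index.html - 443 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 48210
2025-09-01 08:00:07 10.0.0.5 GET /news/index.html - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 6120
2025-09-01 08:01:15 10.0.0.5 GET /news/index.html - 443 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/ 302 310
2025-09-01 08:02:40 10.0.0.5 GET /news/index.html - 443 198.51.100.12 Mozilla/5.0+(iPhone)+Safari/604.1 https://coccoc.com/search?query=thoi+tiet 302 310
2025-09-01 08:03:02 10.0.0.5 GET /about.html - 443 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 5200
2025-09-01 08:03:30 10.0.0.5 GET /about.html - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 5100
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Bucket a request the way the implant does: crawler, search-referred visitor, or direct."""
    if CRAWLER_UA.search(row.get("cs(User-Agent)", "")):
        return "crawler"
    if SEARCH_REFERER.search(row.get("cs(Referer)", "-")):
        return "search_visitor"
    return "direct"


def find_cloaking(rows, size_ratio=3.0, min_share=0.8):
    """Return {uri: [reasons]} for URLs whose responses differ by who is asking."""
    by_uri = defaultdict(lambda: defaultdict(list))
    for r in rows:
        by_uri[r["cs-uri-stem"]][classify(r)].append(r)

    findings = {}
    for uri, groups in by_uri.items():
        reasons = []
        # Phase 1 signal: crawlers get a far larger (keyword-stuffed) 200 body than humans.
        crawler_sizes = [int(r["sc-bytes"]) for r in groups["crawler"] if r["sc-status"] == "200"]
        direct_sizes = [int(r["sc-bytes"]) for r in groups["direct"] if r["sc-status"] == "200"]
        if crawler_sizes and direct_sizes and median(crawler_sizes) >= size_ratio * median(direct_sizes):
            reasons.append("crawler_oversized_body")
        # Phase 2 signal: search-referred visitors are redirected while direct visitors are served.
        search, direct = groups["search_visitor"], groups["direct"]
        if search and direct:
            redirected = sum(1 for r in search if r["sc-status"].startswith("30")) / len(search)
            served = sum(1 for r in direct if r["sc-status"] == "200") / len(direct)
            if redirected >= min_share and served >= min_share:
                reasons.append("referer_gated_redirect")
        if reasons:
            findings[uri] = reasons
    return findings


if __name__ == "__main__":
    for uri, reasons in find_cloaking(parse_w3c(SAMPLE_LOG)).items():
        print(uri, ", ".join(reasons))
```

Run against a real `u_ex*.log` by reading the file into `parse_w3c`; the W3C format does not record the redirect's Location header, so a flagged URL still has to be confirmed by requesting it once with a crawler User-Agent and once with a search-engine Referer from a test client and comparing the responses.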
Analysis of BadIIS configurations shows a strong focus on Vietnam and Southeast Asia. Keyword lists include Cốc Cốc and Timkhap, both Vietnamese search engines. One poisoned payload ranked a compromised government entity’s website for the illegal streaming term “xôi lạc tv trực tiếp bóng đá hôm nay” (“xôi lạc tv live football today”).
This abuse of trusted government domains amplifies credibility while spreading scam content.
Unit 42 discovered three additional variants of BadIIS beyond the native IIS module:
- ASP.NET Page Handler – a lightweight script variant for quick deployment.
- Managed .NET IIS Module – capable of 404 error hijacking and dynamic keyword injection.
- All-in-One PHP Script – a flexible tool combining cloaking, sitemap poisoning, and content rewriting.
These variants highlight the adaptability of the threat actor, tailoring tools to different environments.
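Whatever the variant, a native module has to be registered in IIS's applicationHost.config under `<globalModules>` with an image path, and a managed module or handler under `<modules>` or `<handlers>` with a .NET type name, so inventorying those sections is a cheap first check on a suspect server. The script below is an added example written for this article, not code from Unit 42 or the campaign; the trusted directory and type-prefix allowlists are assumptions, and the configuration excerpt, its module names and its paths are constructed placeholders.

```python
"""Inventory IIS module and handler registrations for entries outside the expected set.

Added example for this write-up; not code from Unit 42 or from the campaign.
The allowlists are assumptions and the config excerpt is constructed.
"""
import xml.etree.ElementTree as ET

# Assumed: Microsoft's native modules load from the inetsrv directory (compared lowercased).
TRUSTED_NATIVE_DIRS = (
    "%windir%\\system32\\inetsrv\\",
    "c:\\windows\\system32\\inetsrv\\",
)
# Assumed: managed types that ship with ASP.NET; extend with your own application's namespaces.
TRUSTED_MANAGED_PREFIXES = ("System.Web.", "Microsoft.")

# Constructed applicationHost.config excerpt; "HttpHelperModule" and "ContentFilter" are placeholders.
SAMPLE_CONFIG = """\
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpHelperModule" image="C:\\inetpub\\temp\\httphelper.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
      <add name="ContentFilter" type="Filters.ContentFilterModule, ContentFilter" preCondition="managedHandler" />
    </modules>
    <handlers>
      <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
"""


def audit_modules(config_xml):
    """Return (kind, name, location) tuples for registrations that need a human look."""
    root = ET.fromstring(config_xml)
    findings = []
    # Native modules: flag any DLL that does not live in the inetsrv directory.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            if not image.lower().startswith(TRUSTED_NATIVE_DIRS):
                findings.append(("native", add.get("name"), image))
    # Managed modules and handlers: flag types outside the allowlisted namespaces.
    for kind, tag in (("managed", "modules"), ("handler", "handlers")):
        for section in root.iter(tag):
            for add in section.findall("add"):
                type_name = add.get("type")
                if type_name and not type_name.startswith(TRUSTED_MANAGED_PREFIXES):
                    findings.append((kind, add.get("name"), type_name))
    return findings


if __name__ == "__main__":
    for kind, name, where in audit_modules(SAMPLE_CONFIG):
        print(f"[{kind}] {name}: {where}")
```

On a live server the file to feed in is `%windir%\System32\inetsrv\config\applicationHost.config`, and each site's own web.config can add managed modules and handlers too, so the same function should be run over those; a flagged native DLL is worth hashing and checking for a valid signature before anything else.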
Multiple linguistic and infrastructure artifacts tie Operation Rewrite to Chinese-speaking operators.
The report points out, “the native module’s chongxiede object name is a Pinyin term… the PHP variant contained further linguistic evidence: numerous code comments written in simplified Chinese characters.”
Additionally, overlaps in infrastructure connect the operation to Group 9, while similarities in tooling align it with the DragonRank campaign.
Operation Rewrite underscores how nation-state-linked actors are weaponizing SEO poisoning and web server implants to manipulate internet traffic at scale. By hijacking legitimate websites and targeting regional search engines, the campaign blends stealth with reach, impacting unsuspecting users across Asia.