A massive SEO poisoning campaign is silently turning legitimate web servers into billboards for the digital underground. In a new report, Elastic Security Labs details an intrusion set that has compromised over 1,800 Windows servers worldwide, deploying the BADIIS malware to manipulate search engine results and redirect unsuspecting users to illicit gambling and cryptocurrency platforms.
The campaign, which overlaps with activity previously tracked as UAT-8099, highlights how attackers are moving beyond simple data theft to weaponize the reputation of trusted domains for profit.
The attack vector is specific and widespread: IIS web servers. By compromising these Windows-based servers, the attackers plant the BADIIS malware, which acts as a traffic cop for incoming visitors. If a search engine crawler visits, it sees legitimate content. If a human user clicks a link from a search result, they are whisked away to a shadowy network of scams.
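One way a defender can check a server for the crawler-versus-human split just described, as an added example that is not from the Elastic report or from the BADIIS sample: fetch the same URL under a crawler profile, a direct-browser profile and a search-result-click profile, record status, redirect target and body hash without following redirects, and report where the answers diverge. The probe URL, header strings, the `simulated_badiis_fetch` stand-in and its `gambling.invalid` redirect target are constructed placeholders.

```python
import hashlib
import urllib.error
import urllib.request
# Visitor profiles: the cloaking above keys on who asks and where they came from.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "direct_browser": {"User-Agent": BROWSER_UA},
    "search_visitor": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/search?q=site"},
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, headers):
    """Fetch url once; return (status, Location header or None, sha256 of body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), hashlib.sha256(err.read()).hexdigest()

def check_cloaking(url, fetch=http_fetch):
    """Probe url under every profile against the crawler view; return (observations, findings)."""
    obs = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    base_status, base_loc, base_digest = obs["crawler"]
    findings = []
    for name, (status, location, digest) in obs.items():
        if name == "crawler":
            continue
        if location and location != base_loc:
            findings.append(f"{name}: redirected to {location}")
        elif status != base_status:
            findings.append(f"{name}: status {status} vs crawler {base_status}")
        elif digest != base_digest:
            # Weaker signal: dynamic pages can legitimately differ per request.
            findings.append(f"{name}: body differs from crawler view")
    return obs, findings

def simulated_badiis_fetch(url, headers):
    """Constructed stand-in for a compromised server, for offline demonstration (not real BADIIS code)."""
    page = hashlib.sha256(b"<html>legitimate page</html>").hexdigest()
    if "google.com/search" not in headers.get("Referer", ""):
        return 200, None, page  # crawlers and direct visitors are shown the real content
    return 302, "https://gambling.invalid/landing", hashlib.sha256(b"").hexdigest()  # placeholder target
```

Run `check_cloaking` with the default `http_fetch` against your own IIS hosts; a clean server answers all three profiles alike, while a search-visitor-only redirect is the signature worth investigating.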
“Elastic Security Labs observes large-scale SEO poisoning campaigns targeting IIS servers with BADIIS malware globally, impacting over 1,800 Windows servers,” the report states.
The ultimate goal of this complex infrastructure is pure monetization. By hijacking the search ranking of university, government, and corporate websites, the attackers get “free” high-quality traffic for their clients—shady gambling dens and crypto schemes that would otherwise be banned from advertising networks.
“Compromised servers are monetized through a web of infrastructure used to target users with gambling advertisements and other illicit websites,” Elastic researchers explain.
The victim list reads like a global atlas, with compromised servers identified in Australia, Bangladesh, Brazil, China, India, Japan, Korea, Lithuania, Nepal, and Vietnam.
Interestingly, the attackers are not just targeting the big cloud giants. While they have infiltrated major platforms like AWS, Microsoft Azure, Alibaba Cloud, and Tencent Cloud, the majority of the compromised servers sit with regional telecommunications providers rather than on the major clouds.
“Notably, approximately 30% of compromised servers reside on major cloud platforms… The remaining 70% of victims are distributed across regional telecommunications providers,” the report notes.
This strategic dispersal makes the campaign harder to take down, as it relies on a decentralized web of smaller, regional ISPs rather than a single point of failure.
Elastic’s findings align with previous reports from Cisco Talos and Trend Micro, confirming that this group is expanding its operations.
“Our visibility into the campaign indicates a complex, geotargeted infrastructure designed to monetize compromised servers by redirecting users to a broad network of illicit websites,” the report concludes.