Cisco Talos Exposes UAT-8099: Chinese Group Uses BadIIS Malware on Compromised Servers for SEO Fraud and Credential Theft
A threat group tracked as UAT-8099 is running an active campaign that promotes malicious content in search results by compromising Microsoft IIS servers across multiple countries. Cisco Talos researchers found that this Mandarin-language group combines search-engine spam with the exfiltration of sensitive artifacts—ranging from configuration files to SSL certificates. Victims include universities, telecom operators and technology organizations in India, Thailand, Vietnam, Canada and Brazil.
To accomplish their aims, the attackers target reputable yet vulnerable IIS hosts, deploying web shells and a bespoke malware component dubbed BadIIS that conceals their activity and alters page content. They escalate privileges with publicly available tools, install reverse proxies such as FRP, deploy SoftEther VPN and use utilities like EasyTier. A guest account is elevated to administrative rights, remote access via RDP is established, and a hidden persistent administrator user is created.
Once they control the host, UAT-8099 actors comb through logs, configuration files, stored credentials and certificates—often using tools such as Everything—archive harvested data with WinRAR and prepare it for exfiltration. To harden their foothold, they also install D_Safe_Manage, a legitimate utility repurposed to thwart intervention by rival attackers.
Particularly notable is BadIIS’s malicious logic. It enables stealthy redirects and script injection that vary behaviour based on HTTP headers such as User-Agent and Referer. Requests identified as originating from Google’s crawlers and containing keywords like “casino” or “bonus” are proxied differently; real users arriving from search results are served injected JavaScript that downloads a file from a command-and-control server and redirects the user to a spoofed site—typically hosting illegal content or gambling advertisements.
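The conditional behaviour described above (one response for a search-engine crawler, a redirect for a visitor arriving from search results, a normal page for everyone else) leaves a footprint in the server's own access logs even when the injected module itself is hidden. The script below is an added example, not code from the Talos report or from BadIIS: it parses IIS W3C-format log lines, classifies each request by User-Agent and Referer, and flags URLs whose status codes or response sizes diverge between those visitor classes. The log lines are constructed sample data, and the crawler markers, referer patterns and size-ratio threshold are assumptions to be tuned per environment.

```python
"""Hunt for search-engine cloaking in IIS W3C logs (added example, constructed sample data)."""
from collections import defaultdict
from statistics import mean

# Assumed markers: crawler User-Agents and search-engine Referer hosts.
CRAWLER_MARKERS = ("googlebot", "bingbot")
SEARCH_REFERERS = ("google.", "bing.")

# Constructed IIS log excerpt (IIS writes spaces inside a field as '+').
# sc-bytes is an optional W3C field assumed to be enabled on this server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes
2025-09-01 10:00:01 10.0.0.5 GET /about.html - 443 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 48211
2025-09-01 10:00:07 10.0.0.5 GET /about.html - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/search?q=casino+bonus 302 412
2025-09-01 10:00:09 10.0.0.5 GET /about.html - 443 - 198.51.100.44 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 9120
2025-09-01 10:00:12 10.0.0.5 GET /contact.html - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/search?q=contact 200 5100
2025-09-01 10:00:15 10.0.0.5 GET /contact.html - 443 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 5102
2025-09-01 10:00:20 10.0.0.5 GET /contact.html - 443 - 198.51.100.44 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 5100
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line instead of aborting the hunt
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Bucket a request the way a cloaking module would: crawler, search-referred human, or direct."""
    ua = row.get("cs(User-Agent)", "-").lower()
    ref = row.get("cs(Referer)", "-").lower()
    if any(m in ua for m in CRAWLER_MARKERS):
        return "crawler"
    if ref != "-" and any(s in ref for s in SEARCH_REFERERS):
        return "search_referred"
    return "direct"


def find_cloaking(rows, size_ratio=2.0):
    """Report URLs whose response differs by visitor class.

    Two indicators: search-referred visitors get redirected while direct visitors get 2xx,
    or the body served to crawlers differs in size from the body served to direct visitors
    by more than size_ratio (an assumed threshold).
    """
    per_url = defaultdict(lambda: defaultdict(list))
    for row in rows:
        per_url[row["cs-uri-stem"]][classify(row)].append(
            (int(row["sc-status"]), int(row["sc-bytes"])))

    findings = []
    for url, classes in per_url.items():
        direct = classes.get("direct", [])
        if not direct:
            continue  # no baseline to compare against
        direct_ok = all(200 <= s < 300 for s, _ in direct)
        referred = classes.get("search_referred", [])
        if direct_ok and referred and any(300 <= s < 400 for s, _ in referred):
            findings.append({"url": url, "indicator": "redirect_only_for_search_referred"})
        crawler = classes.get("crawler", [])
        if crawler:
            ratio = mean(b for _, b in crawler) / max(mean(b for _, b in direct), 1)
            if ratio >= size_ratio or ratio <= 1 / size_ratio:
                findings.append({"url": url, "indicator": "crawler_body_size_divergence",
                                 "ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_cloaking(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

On the sample data only /about.html is reported: the search-referred visitor received a 302 while direct visitors received a 200, and the crawler was served a body roughly five times larger than the one direct visitors saw. Real logs need the crawler check paired with reverse-DNS validation of the client IP, since the module keys on the User-Agent string rather than on who actually sent it.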
Talos observed two clusters of BadIIS samples: one with extremely low detectability, the other containing debug strings in simplified Chinese. Both families abuse the WriteEntityChunks API to weave malicious content into server responses, complicating network-level detection and evading traffic-analysis systems. Simultaneously, the malware implements a full SEO-manipulation workflow: it publishes dozens of backlink pages with crafted HTML that mimic authoritative sites, thereby elevating compromised domains in search rankings.
For long-term persistence the group leverages DLL sideloading and stages Cobalt Strike under the guise of legitimate Windows components such as inetinfo.exe. The initial loader is buried in wmicodegen.dll and subsequently decrypts multiple payload layers, including a custom loader and a beacon that attempts to masquerade its traffic as CDN or Exchange communications.
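The side-loading pattern above (a legitimately named Windows binary such as inetinfo.exe started from an unusual location, pulling in a DLL such as wmicodegen.dll from the same directory) is visible in image-load telemetry. The following is an added example, not tooling from the report: it applies two rules to records shaped like Sysmon Event ID 7 (ImageLoad) fields and returns the loads worth triaging. The records, file paths and signer strings are constructed for the example and are not indicators from Talos; the expected system directories and the list of Windows component names are assumptions.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example, constructed records)."""
from pathlib import PureWindowsPath

# Assumed locations where genuine Windows components are expected to live.
SYSTEM_DIRS = ("c:/windows/system32", "c:/windows/syswow64")
# Windows binaries named in the report as side-loading hosts (assumed allow-list of names to watch).
WINDOWS_COMPONENTS = {"inetinfo.exe"}

# Constructed records with Sysmon Event ID 7 field names; not real indicators.
SAMPLE_LOADS = [
    {"Image": r"C:\Windows\System32\inetsrv\inetinfo.exe",
     "ImageLoaded": r"C:\Windows\System32\inetsrv\iisutil.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\inetinfo.exe",
     "ImageLoaded": r"C:\Users\Public\wmicodegen.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\inetsrv\inetinfo.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "Signature": "Vendor Corp"},
]


def _norm(path):
    """Case-insensitive forward-slash form so prefix checks work regardless of log formatting."""
    return PureWindowsPath(path).as_posix().lower()


def _under_system_dir(path):
    return any(_norm(path).startswith(d) for d in SYSTEM_DIRS)


def sideload_candidates(records):
    """Return loads where a Windows component runs outside its system directory,
    or a process loads an unsigned DLL from its own non-system directory."""
    findings = []
    for rec in records:
        proc = PureWindowsPath(rec["Image"])
        dll = PureWindowsPath(rec["ImageLoaded"])
        reasons = []
        if proc.name.lower() in WINDOWS_COMPONENTS and not _under_system_dir(rec["Image"]):
            reasons.append("windows_component_outside_system_dir")
        same_dir = _norm(str(proc.parent)) == _norm(str(dll.parent))
        unsigned = rec.get("Signed", "").lower() != "true"
        if same_dir and unsigned and not _under_system_dir(rec["ImageLoaded"]):
            reasons.append("unsigned_dll_from_process_dir")
        if reasons:
            findings.append({"process": rec["Image"], "dll": rec["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in sideload_candidates(SAMPLE_LOADS):
        print(finding)
```

Only the relocated inetinfo.exe loading the unsigned wmicodegen.dll is reported; the genuine inetinfo.exe under inetsrv and the vendor application loading its own signed helper pass both rules. Third-party software that ships unsigned DLLs will trip the second rule, so in practice that rule is paired with a signer or path allow-list built from the environment's baseline.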
Security analysts conclude that this hybrid campaign—melding malicious SEO, web compromise and credential theft—reflects a high degree of operational sophistication and a well-engineered infrastructure. In every intrusion the attackers tune their tooling to regional language nuances, scanner signatures and defensive controls to minimize detection and prolong undisturbed access.