Operation Rewrite: Chinese Threat Actors Hijack Websites in Massive Search Poisoning Campaign
The Unit 42 team at Palo Alto Networks has uncovered a large-scale search poisoning campaign dubbed Operation Rewrite, in which Chinese-speaking threat actors deployed malicious BadIIS components onto internet-facing servers and used compromised websites as reverse proxies to manipulate content and redirect traffic to fraudulent destinations.
The activity involved the installation of both native IIS modules and lightweight script-based variants, with infrastructure overlaps observed with the previously identified Group 9 cluster and similarities to the DragonRank service. BadIIS modules integrate directly into the IIS request-processing pipeline with platform-level privileges, enabling them to intercept inbound requests, alter HTML responses for search engine crawlers, and proxy malicious content back to end users.
In the first phase, attackers delivered “query-optimized” pages—fetched from their command servers—to search engine crawlers, ensuring compromised domains were indexed under desired keywords. In the second phase, real visitors arriving from search results were served either redirects or proxied fraudulent landing pages, leading users somewhere entirely different from what they expected.
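As an added illustration (not from the Unit 42 report or this article), the Python script below turns the two-phase behaviour just described into a detection heuristic over IIS W3C logs: a URI where crawler User-Agents receive 200 responses while visitors arriving with a search-engine Referer are redirected gets flagged for review. The log lines, IP addresses and reduced field set are constructed for the example.

```python
"""Flag search-engine cloaking patterns in IIS W3C extended logs.

Added example, not code from the Unit 42 report: crawlers receiving a 200
"optimized" page while search-referred visitors get a 3xx is the pattern
described for the BadIIS two-phase scheme. All sample data is constructed.
"""
import re
from collections import defaultdict

CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|coccocbot|yandexbot", re.I)
SEARCH_REF = re.compile(r"https?://(www\.)?(google|bing|baidu|coccoc)\.", re.I)

# Constructed log excerpt; IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2025-09-01 10:00:01 GET /news/article.aspx 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2025-09-01 10:00:05 GET /news/article.aspx 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 302
2025-09-01 10:00:09 GET /news/article.aspx 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-09-01 10:01:00 GET /about.aspx 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2025-09-01 10:01:02 GET /about.aspx 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 200
"""

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_cloaked_paths(text):
    """Return URIs where crawlers got 200 but every search-referred visitor got 3xx."""
    by_uri = defaultdict(lambda: {"crawler_ok": 0, "search_redirect": 0, "search_ok": 0})
    for row in parse_w3c(text):
        status = int(row["sc-status"])
        stats = by_uri[row["cs-uri-stem"]]
        if CRAWLER_UA.search(row["cs(User-Agent)"]):
            stats["crawler_ok"] += status == 200
        elif SEARCH_REF.search(row["cs(Referer)"]):
            if 300 <= status < 400:
                stats["search_redirect"] += 1
            else:
                stats["search_ok"] += 1
    return sorted(uri for uri, s in by_uri.items()
                  if s["crawler_ok"] and s["search_redirect"] and not s["search_ok"])

if __name__ == "__main__":
    for uri in find_cloaked_paths(SAMPLE_LOG):
        print("possible cloaking/redirect:", uri)
```

Run it against a real IIS log by reading the file into `find_cloaked_paths`; legitimate geo or mobile redirects will also surface, so the output is a triage list, not a verdict.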
Code analysis revealed a clear regional focus on South and Southeast Asia: configurations contained lists of targeted keywords, search engine names, and User-Agent/Referer markers linked to Vietnam. Within a DLL sample, researchers discovered an initialization function named RegisterModule, which created an object called chongxiede—a pinyin transliteration of the Chinese word 重写, meaning “rewrite” or “to overwrite.” This linguistic clue enabled analysts to trace additional samples and related infrastructure.
Beyond the native modules, three alternative implementations were identified: an ASP.NET page handler, a managed .NET module, and a generic PHP script. The ASP.NET variant leveraged Page_Load to check the Referer and proxy content, while the managed .NET module intercepted 404 requests and injected links directly into live pages. Meanwhile, the PHP front controller combined fake sitemap generation for Googlebot with dynamic header and content manipulation, additionally checking URL paths for mobile queries and, when necessary, proxying responses from command servers.
The campaign’s infrastructure spanned numerous C2 addresses and domains, including 008php[.]com, 300bt[.]com, and yyphw[.]com, as well as IP addresses in Asian networks. Examples of observed C2 endpoints include:
hxxp://404.008php[.]com/zz/u.php
hxxp://103.6.235[.]26/xvn.html
hxxp://404.300bt[.]com/zz/u.php
hxxps://fb88s[.]icu/uu/tt.js
Similarities in URI structures and recurring subdomains suggest technological borrowing from Group 9 tooling, while certain traits resemble DragonRank, though no direct infrastructure overlaps with DragonRank were confirmed.
After gaining initial access, the attackers deployed web shells across numerous servers, created remote scheduled tasks for lateral movement, added local accounts, and archived web application source code into publicly accessible directories for later exfiltration. Finally, DLL files were uploaded into web directories and registered as IIS modules; these samples were identified as BadIIS.
Palo Alto Networks has provided a list of hashes and indicators of compromise in its report, recommending the use of network filtering tools, DNS protections, and EDR solutions to detect and block domains and payloads tied to the campaign. The tactics described highlight how adversaries exploit the reputation of legitimate resources, transforming trusted platforms into engines of large-scale traffic redirection and fraud.