Cybersecurity researchers at Cisco Talos have uncovered a new campaign by the China-linked threat actor UAT-8099 targeting Internet Information Services (IIS) servers across Asia. Active between late 2025 and early 2026, the group specifically focuses on organizations in Thailand and Vietnam to facilitate large-scale search engine optimization (SEO) fraud. The attacks involve the deployment of web shells and PowerShell scripts to gain remote access and maintain persistence on vulnerable infrastructure.
The threat actor utilizes a sophisticated toolkit including the BadIIS malware and the GotoHTTP remote control tool. The campaign has evolved to include anti-detection measures such as the creation of hidden user accounts like "mysql$" and the use of anti-rootkit utilities. By intercepting search engine crawlers and redirecting them to fraudulent sites while serving malicious JavaScript to legitimate users, UAT-8099 effectively poisons search results while remaining stealthy through localized malware variants.
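The crawler-versus-visitor split described above leaves a trace in the server's own access logs. As an added detection example (not code from the Talos report or from any tool it names), the Python below parses IIS W3C log lines and flags URIs where every search-engine crawler request was redirected while ordinary visitors received the page; the log lines, field layout and crawler User-Agent markers are constructed for illustration.

```python
# Added example (not from the Talos report): flag URIs that an IIS server
# answers differently for search crawlers than for ordinary visitors.
# Log lines are constructed samples in IIS W3C extended format.
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2026-01-15 08:00:01 GET /products.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 200
2026-01-15 08:00:07 GET /products.aspx 198.51.100.5 Mozilla/5.0+(compatible;+Googlebot/2.1) 302
2026-01-15 08:01:13 GET /products.aspx 198.51.100.9 Mozilla/5.0+(compatible;+bingbot/2.0) 302
2026-01-15 08:02:40 GET /about.aspx 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121.0 200
2026-01-15 08:02:55 GET /about.aspx 198.51.100.5 Mozilla/5.0+(compatible;+Googlebot/2.1) 200
"""

# User-Agent substrings treated as search-engine crawlers (case-insensitive).
CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")  # IIS writes spaces inside a field as '+'
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def find_cloaked_uris(text):
    """Return {uri: (crawler_statuses, visitor_statuses)} for URIs where every
    crawler hit was redirected (3xx) while every visitor hit succeeded (2xx)."""
    by_uri = defaultdict(lambda: {"crawler": set(), "visitor": set()})
    for rec in parse_w3c(text):
        who = "crawler" if is_crawler(rec["cs(User-Agent)"]) else "visitor"
        by_uri[rec["cs-uri-stem"]][who].add(int(rec["sc-status"]))
    flagged = {}
    for uri, seen in by_uri.items():
        c, v = seen["crawler"], seen["visitor"]
        if c and v and all(300 <= s < 400 for s in c) and all(200 <= s < 300 for s in v):
            flagged[uri] = (sorted(c), sorted(v))
    return flagged
```

Running `find_cloaked_uris(SAMPLE_LOG)` on the constructed log flags only `/products.aspx`, where both crawlers got a 302 and the browser got a 200; a real deployment would feed it the server's log directory and review the flagged URIs and the IIS module list together.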