Mark0
Dissecting UAT-8099: New persistence mechanisms and regional focus

Cisco Talos researchers have identified a new campaign by UAT-8099 targeting vulnerable Internet Information Services (IIS) servers throughout Asia, with a heavy concentration in Thailand and Vietnam. The threat actor employs sophisticated persistence mechanisms and custom malware, including new variants of BadIIS, to carry out large-scale SEO fraud and maintain long-term access to compromised environments.

The group's toolkit has evolved to include legitimate utilities such as GotoHTTP and OpenArk64, used to evade security products and manage remote systems. Analysis revealed distinct regional focuses: the malware variants are customized with specific language headers, file extension filters, and dynamic HTML templates designed to deceive search engine crawlers while redirecting ordinary visitors to gambling sites.
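The cloaking behaviour described above (crawlers receive a normal 200 page while real visitors are redirected) leaves a pattern in ordinary IIS W3C logs: for the same URI, requests from search-engine user agents return 200 and requests from browsers return 3xx. The script below is an added example, not code from Cisco Talos or the article, that flags such URIs from a constructed W3C log excerpt; the log lines, IP addresses (documentation ranges) and the `min_hits` threshold are assumptions for illustration.

```python
"""Flag IIS URIs that answer crawlers with 200 but redirect everyone else.

Constructed example for detection, not code from the Talos report.
"""
import re
from collections import defaultdict

# Constructed W3C-format IIS log excerpt with a reduced #Fields list
# (not taken from any real server; IPs are from documentation ranges).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-10 08:00:01 10.0.0.5 GET /products/index.aspx - 443 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2025-01-10 08:00:02 10.0.0.5 GET /products/index.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 302
2025-01-10 08:00:03 10.0.0.5 GET /products/index.aspx - 443 40.77.167.2 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) 200
2025-01-10 08:00:04 10.0.0.5 GET /products/index.aspx - 443 198.51.100.9 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0)+Safari/604.1 302
2025-01-10 08:00:05 10.0.0.5 GET /about.aspx - 443 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2025-01-10 08:00:06 10.0.0.5 GET /about.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 200
"""

# User-agent substrings of the major search crawlers (assumed list).
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)


def parse_w3c(text):
    """Yield one dict per log record, using the #Fields directive as header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, values))


def find_cloaked_paths(text, min_hits=2):
    """Return {uri: counts} for URIs where crawlers get 200 and others only get 3xx."""
    stats = defaultdict(lambda: {"crawler": defaultdict(int), "other": defaultdict(int)})
    for rec in parse_w3c(text):
        ua = rec.get("cs(User-Agent)", "").replace("+", " ")  # IIS encodes spaces as '+'
        status = rec.get("sc-status", "")
        bucket = "crawler" if CRAWLER_RE.search(ua) else "other"
        stats[rec["cs-uri-stem"]][bucket][status] += 1

    flagged = {}
    for path, buckets in stats.items():
        crawler_ok = buckets["crawler"].get("200", 0)
        other_redirect = sum(n for s, n in buckets["other"].items() if s.startswith("3"))
        other_ok = buckets["other"].get("200", 0)
        # Require repeated evidence on both sides to avoid flagging one-off redirects.
        if crawler_ok >= min_hits and other_redirect >= min_hits and other_ok == 0:
            flagged[path] = {"crawler_200": crawler_ok, "other_3xx": other_redirect}
    return flagged


if __name__ == "__main__":
    for path, counts in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"possible cloaking on {path}: {counts}")
```

The check keys on the User-Agent alone; the language-header filtering the article mentions would only be visible if the request's Accept-Language header were added to the W3C log as a custom field, which default IIS logging does not record. A flagged URI is a lead for comparing the content served to both client types, not proof of compromise on its own.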
