Chinese Cybercrime Group UAT-8099 Hijacks Global IIS Servers for Massive SEO Fraud Scheme

A sophisticated Chinese-speaking cybercriminal gang, identified as UAT-8099, has been discovered orchestrating a widespread campaign to exploit compromised Microsoft IIS servers around the world. Their operations, unveiled by cybersecurity experts, primarily target mobile users by manipulating search engine rankings and stealing sensitive data.

Key Takeaways

  • UAT-8099 targets IIS servers in multiple countries for financial gain through SEO fraud

  • Operations discovered in India, Thailand, Vietnam, Canada, and Brazil

  • Group employs advanced malware, automation scripts, and persistence tactics

How the Attack Works

The cybercrime group scans for vulnerable IIS servers, typically gaining a foothold through weak security settings or unrestricted file upload features. Once a server is compromised, they:

  1. Upload web shells to conduct reconnaissance and gather information.

  2. Escalate privileges on the server, enabling administrative access and Remote Desktop Protocol (RDP).

  3. Install persistence mechanisms, including VPN tools and custom malware.

  4. Deploy BadIIS malware, adapted to evade contemporary antivirus solutions.

A unique aspect of UAT-8099's tactics is securing exclusive access to each compromised server. By blocking initial access points, they prevent other threat actors from interfering in their operations.

Tools and Techniques Used

UAT-8099 integrates a mix of open-source and proprietary tools in their campaigns:

  • Web Shells: For initial access and management.

  • Cobalt Strike: Utilized as a backdoor for further exploitation.

  • VPN Tools: Such as SoftEther VPN and Fast Reverse Proxy (FRP) to maintain persistent connections.

  • Everything (GUI Tool): Used to efficiently search for high-value data on victim servers.

  • BadIIS Malware: A newly tweaked variant designed for stealth and efficiency, capable of running in proxy, injector, and SEO fraud modes.

SEO Fraud Methods Explained

The core objective is search engine optimization fraud. UAT-8099 manipulates Google search results by injecting backlinks from reputable IIS servers under their control. This is performed through BadIIS malware:

  • When a request originates from Googlebot, BadIIS responds by inserting links and scripts to artificially boost rankings of certain websites.

  • The malware also redirects users to unauthorized ads or gambling sites, profiting from misdirected web traffic.

| Mode | Function |
|---|---|
| Proxy | Forwards requests to hidden command servers |
| Injector | Alters search result responses, injects JavaScript and redirects |
| SEO Fraud | Packs backlinks into responses to escalate site rankings |
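Because BadIIS serves different content depending on whether the request looks like Googlebot, a defender can test a suspect IIS site for that cloaking by fetching the same page under two User-Agent strings and diffing the links and scripts returned. The following is an added example, not code from the article or from any vendor; the two HTML responses are constructed to stand in for a browser view and a crawler view, and the `fetch` helper (using only the standard library) is assumed to be what you would call for a live comparison.

```python
import urllib.request
from html.parser import HTMLParser

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class _Collector(HTMLParser):
    """Collects anchor targets and script sources/bodies from one HTML response."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._in_script = set(), set(), False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(a["href"])
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.scripts.add("src:" + a["src"])
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.add("inline:" + data.strip()[:80])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def collect(html):
    p = _Collector()
    p.feed(html)
    return {"links": p.links, "scripts": p.scripts}

def cloaking_diff(browser_html, crawler_html):
    """Links and scripts present only in the crawler view: the cloaking tell."""
    b, c = collect(browser_html), collect(crawler_html)
    return {k: c[k] - b[k] for k in ("links", "scripts")}

def fetch(url, user_agent):
    """Fetch url with a chosen User-Agent (network use; not exercised below)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode(r.headers.get_content_charset() or "utf-8", "replace")

# Constructed sample: the same page as a browser sees it and as Googlebot sees it.
BROWSER_VIEW = "<html><body><a href='/about'>About</a></body></html>"
CRAWLER_VIEW = ("<html><body><a href='/about'>About</a>"
                "<a href='http://gamble.example/'>casino</a>"
                "<script>location.replace('http://ads.example/')</script></body></html>")

if __name__ == "__main__":
    print(cloaking_diff(BROWSER_VIEW, CRAWLER_VIEW))
```

For a live check, replace the constructed views with `fetch(url, browser_ua)` and `fetch(url, GOOGLEBOT_UA)`; any non-empty difference on a page that should render identically for all visitors is worth investigating.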

Regional Impact and Ongoing Risks

UAT-8099’s attacks have affected targets ranging from universities to telecoms, especially in Asia and South America. The full extent of compromised IIS servers remains unclear, but the operation demonstrates increasing technical sophistication among financially motivated threat actors from China.

Security professionals warn that the group’s ability to maintain persistence, adapt malware, and automate tasks poses a significant threat to internet infrastructure and global SEO integrity. For now, monitoring, regular updates, and hardened configurations are recommended for all organizations running IIS servers.
