China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware
Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026. The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers located across Asia, but with a specific focus on targets in Thailand and Vietnam. The scale of the campaign is currently
AI Analysis
Technical Summary
The UAT-8099 threat actor, linked to China, has been conducting a campaign since at least April 2025 targeting vulnerable Microsoft Internet Information Services (IIS) servers across Asia, with a concentration in Thailand and Vietnam. The attack chain begins with initial access gained through exploitation of IIS vulnerabilities or misconfigured file upload features. Upon compromise, the attacker deploys web shells and uses PowerShell scripts to execute commands and deploy a suite of tools including GotoHTTP for remote control, Sharp4RemoveLog to erase Windows event logs, CnCrypt Protect to hide malicious files, and OpenArk64 to terminate security processes. Persistence is maintained through hidden user accounts such as "admin$" and "mysql$", with the actor adjusting its approach as security products detect them. The core malware deployed is BadIIS, with two regional variants: IISHijack targeting Vietnam and asdSearchEngine targeting Thailand or Thai-language users. BadIIS performs SEO fraud by detecting search engine crawlers and redirecting them to fraudulent SEO sites, while injecting malicious JavaScript redirects into pages served to users whose Accept-Language header matches the targeted locale. The malware targets dynamic web pages, which maximizes the SEO-poisoning effect and avoids the server errors that would otherwise reveal the tampering. The campaign also shows evolution in tactics, leveraging legitimate red team tools and VPN utilities to evade detection and maintain long-term access. Additionally, a Linux variant of BadIIS has been observed, indicating cross-platform targeting. The campaign’s operational sophistication and regional focus suggest a strategic intent to manipulate search engine results and possibly conduct broader cyber espionage or influence operations. While the campaign’s scale remains unclear, the use of stealthy persistence mechanisms and evasion techniques complicates detection and remediation efforts.
Potential Impact
For European organizations, the direct impact of this campaign is currently limited due to its regional focus on Asia. However, European entities operating IIS servers with similar vulnerabilities or misconfigurations could become targets if the threat actor expands operations or if supply chain or third-party service providers are affected. The SEO fraud conducted by BadIIS can damage organizational reputation by associating legitimate websites with malicious content, potentially affecting customer trust and search engine rankings. The attacker’s ability to maintain persistent, stealthy access to IIS servers also poses risks of further exploitation, including data exfiltration, lateral movement, or use of compromised servers in broader campaigns. The use of legitimate tools and evasion techniques increases the likelihood of prolonged undetected presence, complicating incident response. Additionally, organizations in Europe with business or governmental ties to affected Asian countries may face indirect risks through interconnected networks or shared infrastructure. The campaign underscores the importance of securing IIS servers against exploitation and monitoring for signs of SEO fraud and unauthorized account creation. Failure to address these risks could lead to compromised web infrastructure, reputational harm, and potential regulatory consequences under European data protection laws if personal data is involved.
Mitigation Recommendations
European organizations should implement targeted mitigations beyond generic advice by:
1) Conducting thorough audits of IIS server configurations to identify and remediate weak file upload settings and unpatched vulnerabilities.
2) Implementing strict access controls and monitoring for creation of unusual or hidden user accounts such as "admin$" or "mysql$".
3) Deploying advanced endpoint and network detection solutions capable of identifying web shell activity, PowerShell abuse, and use of tools like GotoHTTP and Sharp4RemoveLog.
4) Monitoring IIS server logs for unusual patterns indicative of SEO fraud, such as selective JavaScript injection or redirection based on Accept-Language headers.
5) Employing behavioral analytics to detect anomalies in web traffic that may indicate crawler manipulation or malicious content injection.
6) Restricting the execution of scripts and binaries on IIS servers to only those explicitly approved, using application whitelisting.
7) Regularly updating and patching IIS servers and associated software to close known vulnerabilities.
8) Conducting threat hunting exercises focused on detecting persistence mechanisms and lateral movement tools used by UAT-8099.
9) Collaborating with threat intelligence providers to stay informed about emerging variants and indicators of compromise related to BadIIS.
10) Educating IT and security teams on the specific tactics used by UAT-8099 to improve detection and response capabilities.
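The following Python script is an added example, not code from the Talos report, from this page, or from the BadIIS samples. It implements the log-based checks in mitigation items 4 and 5 and the crawler-versus-visitor comparison from the technical summary: it parses IIS W3C log lines, flags URLs where search-engine crawlers or a particular Accept-Language receive a different HTTP status class than other visitors, and compares two fetched copies of one page for an injected client-side redirect. Everything in it is constructed: the log lines, the HTML snippets, the `seo.example` placeholder host. It also assumes a custom IIS logging field `cs(Accept-Language)` has been configured, since that header is not among the default W3C fields.

```python
"""
Added example: detect the crawler- and language-conditional behaviour that
BadIIS-style SEO modules introduce, using (a) IIS W3C log lines and (b) a
response-body comparison. All sample data below is constructed.
"""
import re
from collections import defaultdict

# User-Agent fragments of the major search-engine crawlers that SEO-fraud
# modules single out for special treatment.
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot|slurp", re.I)

# Client-side redirect idioms: window.location / location.href / location.replace()
# and <meta http-equiv="refresh">.
REDIRECT_JS_RE = re.compile(
    r"(window\.|document\.)?location(\.href|\.replace)?\s*[=(]|http-equiv=.?refresh", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Constructed IIS W3C extended log. cs(Accept-Language) is NOT a default IIS
# field; this example assumes it was added as a custom logging field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs(Accept-Language) sc-status sc-substatus sc-win32-status time-taken
2026-01-20 10:00:01 10.0.0.5 GET /news/article.aspx id=42 443 - 198.51.100.10 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - - 302 0 0 15
2026-01-20 10:00:05 10.0.0.5 GET /news/article.aspx id=42 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/ en-US,en;q=0.9 200 0 0 40
2026-01-20 10:00:09 10.0.0.5 GET /news/article.aspx id=42 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/ th-TH,th;q=0.9 302 0 0 12
2026-01-20 10:00:12 10.0.0.5 GET /static/logo.png - 443 - 198.51.100.10 Mozilla/5.0+(compatible;+bingbot/2.0;+http://www.bing.com/bingbot.htm) - - 200 0 0 3
2026-01-20 10:00:20 10.0.0.5 GET /about.aspx - 443 - 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - en-GB,en;q=0.8 200 0 0 22
"""

# Constructed HTML: the same URL fetched as a normal visitor (baseline) and
# with a targeted Accept-Language (variant). seo.example is a placeholder host.
BASELINE_HTML = "<html><head><script>var page=42;</script></head><body>News</body></html>"
VARIANT_HTML = ("<html><head><script>var page=42;</script>"
                '<script>window.location.replace("https://seo.example/lp");</script>'
                "</head><body>News</body></html>")


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field list can change mid-file on log rotation
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()                  # IIS encodes spaces inside fields as '+'
        if len(values) != len(fields):
            continue                           # skip malformed line rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def _status_class(row):
    return row["sc-status"][0] + "xx"


def crawler_cloaking(rows):
    """URLs where crawlers and ordinary visitors receive different HTTP status classes.
    A dynamic page that 302s Googlebot but serves 200 to browsers is the log-visible
    footprint of server-side crawler redirection."""
    seen = defaultdict(lambda: {"crawler": set(), "user": set()})
    for r in rows:
        who = "crawler" if CRAWLER_RE.search(r.get("cs(User-Agent)", "")) else "user"
        seen[r["cs-uri-stem"]][who].add(_status_class(r))
    return {uri: {"crawler": sorted(s["crawler"]), "user": sorted(s["user"])}
            for uri, s in seen.items()
            if s["crawler"] and s["user"] and s["crawler"] != s["user"]}


def language_cloaking(rows):
    """URLs where the primary Accept-Language tag changes the status class served to
    non-crawler visitors (e.g. th-* visitors redirected, en-* visitors not)."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in rows:
        lang = r.get("cs(Accept-Language)", "-")
        if lang == "-" or CRAWLER_RE.search(r.get("cs(User-Agent)", "")):
            continue
        primary = lang.split(",")[0].split("-")[0].lower()
        seen[r["cs-uri-stem"]][primary].add(_status_class(r))
    return {uri: {lang: sorted(s) for lang, s in by_lang.items()}
            for uri, by_lang in seen.items()
            if len({frozenset(s) for s in by_lang.values()}) > 1}


def injected_redirect_scripts(baseline_html, variant_html):
    """Inline scripts present only in the variant response that perform a client-side
    redirect. Injected JavaScript rides inside a 200 response, so it never shows up
    in status-code logs; it needs a body comparison like this one."""
    base = {s.strip() for s in SCRIPT_RE.findall(baseline_html)}
    return [s.strip() for s in SCRIPT_RE.findall(variant_html)
            if s.strip() not in base and REDIRECT_JS_RE.search(s)]


def run_report(log_text=SAMPLE_LOG, baseline=BASELINE_HTML, variant=VARIANT_HTML):
    rows = parse_w3c(log_text)
    return {"crawler_cloaking": crawler_cloaking(rows),
            "language_cloaking": language_cloaking(rows),
            "injected_redirects": injected_redirect_scripts(baseline, variant)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_report(), indent=2))
```

On the constructed data, `/news/article.aspx` is flagged twice: crawlers only ever see a 3xx while browsers see a mix, and Thai-locale visitors get a 3xx where English-locale visitors get a 200. `/static/logo.png` is not flagged because only a crawler requested it, so there is nothing to compare against. The status-class checks only catch server-side redirects; the JavaScript injection the report describes leaves a normal 200 in the log, which is why the third function compares two fetches of the same page (one as an ordinary visitor, one with the suspect User-Agent or Accept-Language) and reports scripts that appear only in the conditioned copy.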
Affected Countries
Thailand, Vietnam, India, Pakistan, Japan
Technical Details
- Article Source: https://thehackernews.com/2026/01/china-linked-uat-8099-targets-iis.html (fetched 2026-01-31)
Threat ID: 697dc6a3ac063202221e55fb
Added to database: 1/31/2026, 9:08:51 AM
Last enriched: 1/31/2026, 9:09:58 AM
Last updated: 3/16/2026, 7:36:56 PM