Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers
Cybersecurity researchers have shed light on a Chinese-speaking cybercrime group codenamed UAT-8099 that has been attributed to search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data. The attacks are designed to target Microsoft Internet Information Services (IIS) servers, with most of the infections reported in India, Thailand
AI Analysis
Technical Summary
UAT-8099 is a Chinese-speaking cybercrime group running a global search engine optimization (SEO) fraud operation on compromised Microsoft Internet Information Services (IIS) servers. First observed in April 2025, it targets IIS servers primarily in India, Thailand, Vietnam, Canada, and Brazil, concentrating on organizations whose domains carry search reputation: universities, technology companies, and telecommunications providers.

The attack chain begins with exploitation of security vulnerabilities or of permissive file upload configurations on the IIS server, which the group uses to upload web shells for an initial foothold and reconnaissance. It then escalates privileges by enabling the built-in Guest account and elevating it to administrator-level access, enables Remote Desktop Protocol (RDP), and deploys SoftEther VPN and Fast Reverse Proxy (FRP) so that its access survives and blends into ordinary outbound traffic rather than appearing as inbound RDP.

Post-exploitation tooling includes Cobalt Strike for backdoor access and a customized variant of BadIIS, a malicious IIS module previously associated with Chinese-speaking threat groups. BadIIS only activates when the request's User-Agent identifies a search engine crawler such as Googlebot; ordinary visitors and administrators browsing the site see the unmodified page, while the crawler is served injected backlinks and JavaScript. This lends the compromised site's ranking to the attackers' own sites and redirects users who arrive from search results to unauthorized advertisements or illegal gambling sites, generating illicit revenue.

The group additionally steals high-value credentials, configuration files, and certificate data from compromised servers for resale or further exploitation, and takes steps to lock other threat actors out of the same servers to keep exclusive control. Its evasion techniques include modifications to the malware's code structure to defeat antivirus detection.
While the infections are concentrated outside Europe, the widespread deployment of IIS servers in European enterprises and the targeting of high-value organizations make this threat relevant to European cybersecurity stakeholders. The group’s use of sophisticated tools and persistence mechanisms indicates a high level of operational capability and financial motivation.
Potential Impact
For European organizations, the compromise of IIS servers by UAT-8099 could lead to significant confidentiality breaches through theft of credentials and sensitive configuration data, potentially exposing internal systems and user data. Integrity is impacted by the manipulation of web content and search engine results, which can damage organizational reputation and lead to financial losses due to redirected traffic and fraudulent activities. Availability may be affected indirectly if attackers disable or alter services to maintain control or evade detection. The SEO fraud component can also harm legitimate business operations by associating corporate websites with unauthorized or illegal content, leading to penalties from search engines and loss of customer trust. Given the use of RDP and VPN tools for persistence, lateral movement within networks is possible, increasing the risk of broader compromise. The threat is particularly concerning for sectors with high IIS usage such as telecommunications, education, and technology firms in Europe. Additionally, stolen certificates and credentials could facilitate further attacks, including man-in-the-middle or supply chain compromises. The stealthy nature of the malware and its evasion of antivirus detection complicate timely identification and response, increasing potential damage.
Mitigation Recommendations
European organizations should implement strict IIS server hardening, including disabling unnecessary file upload features, removing script execute permissions and handler mappings from directories that only hold uploaded content, and enforcing strong access controls. Baseline the installed IIS native modules and applicationHost.config and alert on any change, since a malicious IIS module is the delivery form BadIIS takes. Disable the built-in Guest account and alert on its enablement and on additions to the local Administrators group (Windows security event IDs 4722 and 4732 respectively), the two steps this group takes to escalate.

Regularly audit and monitor IIS logs for unusual activity such as unexpected file uploads, web shell indicators (POST requests to script files in upload directories, command-like query strings), and anomalous RDP sessions. Hunt for the cloaking signature directly: compare what the server returns for a crawler User-Agent against a browser User-Agent on the same URL, and verify claimed Googlebot traffic by reverse DNS rather than trusting the User-Agent string. Deploy endpoint detection and response (EDR) capable of identifying Cobalt Strike usage and BadIIS behaviors, and treat unexpected SoftEther VPN or FRP binaries on a web server as a high-confidence indicator.

Enforce multi-factor authentication (MFA) for all remote access, especially RDP, and restrict RDP to trusted IPs or to an authenticated, logged VPN. Conduct regular vulnerability assessments and patch IIS servers promptly. Use network segmentation to limit the impact of any compromised server and prevent lateral movement. Employ DNS filtering and web proxy solutions to block known malicious domains used in SEO fraud campaigns. Finally, establish incident response plans tailored to web server compromises, including rapid isolation and forensic analysis capabilities.
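The crawler-gated behaviour described in the Technical Summary and the log review recommended above can be turned into a concrete hunt. The Python script below is an added example written for this page, not tooling from the underlying report or from any vendor. It parses IIS W3C extended logs and flags two things: paths where crawler User-Agents receive much larger 200 responses than browsers do on the same URL (the cloaking signature of BadIIS-style SEO injection), and POST requests to script files that sit in directories meant only for static uploads or whose query strings carry command-like tokens (web shell indicators). The log lines, the directory list, the ratio threshold and the assumption that the non-default sc-bytes field is enabled in IIS logging are all constructed for the example.

```python
"""Hunt for crawler-cloaked SEO injection and web shell activity in IIS W3C logs.

Added example for this page; the log lines below are constructed, not from the report.
Assumes the non-default sc-bytes field has been enabled in IIS logging.
"""
import re
import statistics
from collections import defaultdict

# User-Agents that BadIIS-style modules key on. Real crawlers and attackers can both
# present these strings, so a hit is a lead to verify (reverse DNS), not proof.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider", re.I)
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php")
# Assumed site layout: these directories should only ever hold static uploaded content.
CONTENT_DIRS = ("/uploads/", "/images/", "/media/", "/files/")
# Shell-like tokens that a legitimate query string to this application never carries.
CMD_TOKENS = re.compile(r"\b(whoami|net user|cmd\.exe|powershell|certutil|tasklist)\b", re.I)

# Constructed sample log. IIS substitutes '+' for spaces inside a field value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2025-09-01 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0 5120 12
2025-09-01 10:00:05 10.0.0.5 GET /index.html - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 41200 30
2025-09-01 10:01:10 10.0.0.5 POST /uploads/img.aspx cmd=whoami 443 - 198.51.100.9 python-requests/2.31 - 200 0 0 340 5
2025-09-01 10:01:12 10.0.0.5 POST /uploads/img.aspx cmd=net+user 443 - 198.51.100.9 python-requests/2.31 - 200 0 0 900 7
2025-09-01 10:02:00 10.0.0.5 POST /upload.aspx - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0 120 40
2025-09-01 10:05:00 10.0.0.5 GET /products.html - 443 - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0 8000 10
2025-09-01 10:05:03 10.0.0.5 GET /products.html - 443 - 66.249.66.2 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 8100 11
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; a real hunt would count these
        rec = dict(zip(fields, parts))
        for key in ("cs(User-Agent)", "cs-uri-query"):
            if key in rec:
                rec[key] = rec[key].replace("+", " ")
        records.append(rec)
    return records


def find_cloaking(records, ratio=3.0):
    """Paths where crawler UAs get a median 200 response at least `ratio` times larger than browsers."""
    sizes = defaultdict(lambda: {"crawler": [], "human": []})
    for r in records:
        if r["cs-method"] != "GET" or r["sc-status"] != "200":
            continue
        bucket = "crawler" if CRAWLER_UA.search(r["cs(User-Agent)"]) else "human"
        sizes[r["cs-uri-stem"]][bucket].append(int(r["sc-bytes"]))
    findings = {}
    for path, s in sizes.items():
        if not s["crawler"] or not s["human"]:
            continue  # need both populations to compare
        crawler, human = statistics.median(s["crawler"]), statistics.median(s["human"])
        if human > 0 and crawler / human >= ratio:
            findings[path] = {"crawler_bytes": crawler, "human_bytes": human}
    return findings


def find_webshell_activity(records):
    """POSTs to script files that live in upload-only dirs or carry command tokens in the query."""
    findings = defaultdict(lambda: {"ips": set(), "reasons": set(), "queries": set()})
    for r in records:
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not path.endswith(SCRIPT_EXT):
            continue
        reasons = []
        if any(path.startswith(d) for d in CONTENT_DIRS):
            reasons.append("script in upload directory")
        if CMD_TOKENS.search(r["cs-uri-query"]):
            reasons.append("command token in query")
        if reasons:
            f = findings[r["cs-uri-stem"]]
            f["ips"].add(r["c-ip"])
            f["reasons"].update(reasons)
            f["queries"].add(r["cs-uri-query"])
    return dict(findings)


def hunt(text):
    """Run both detections over a log and return (cloaking_findings, webshell_findings)."""
    records = parse_iis_log(text)
    return find_cloaking(records), find_webshell_activity(records)


if __name__ == "__main__":
    cloaked, shells = hunt(SAMPLE_LOG)
    for path, info in cloaked.items():
        print(f"[cloaking] {path}: crawler={info['crawler_bytes']}B browser={info['human_bytes']}B")
    for path, info in shells.items():
        print(f"[webshell] {path}: {sorted(info['reasons'])} from {sorted(info['ips'])}")
```

On real logs, point `hunt` at the contents of the site's W3C log directory and tune `ratio` and `CONTENT_DIRS` to the application; a crawler-only size jump of several times on a static page is the pattern to chase, and a flagged Googlebot IP should be checked by reverse DNS before the finding is trusted.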
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Article Source: https://thehackernews.com/2025/10/chinese-cybercrime-group-runs-global.html (fetched 2025-10-07T01:05:08Z, 1224 words)
Threat ID: 68e467466a45552f36e85b12
Added to database: 10/7/2025, 1:05:10 AM
Last enriched: 10/7/2025, 1:06:20 AM
Last updated: 10/7/2025, 12:34:05 PM
Related Threats
- CVE-2025-11389: Stack-based Buffer Overflow in Tenda AC15 (High)
- CVE-2025-11388: Stack-based Buffer Overflow in Tenda AC15 (High)
- CVE-2025-11387: Stack-based Buffer Overflow in Tenda AC15 (High)
- CVE-2025-11386: Stack-based Buffer Overflow in Tenda AC15 (High)
- CVE-2025-11385: Buffer Overflow in Tenda AC20 (High)