UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud
A Chinese-speaking cybercrime group, UAT-8099, is targeting high-value Internet Information Services (IIS) servers for search engine optimization fraud and data theft. The group focuses on reputable servers in India, Thailand, Vietnam, Canada, and Brazil, affecting universities, tech firms, and telecom providers. UAT-8099 uses web shells, hacking tools, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence. They exploit weak file upload settings, enable guest accounts, and use RDP for access. The group also steals valuable credentials, configuration files, and certificates. New BadIIS variants with low detection rates and Chinese debug strings have been identified. The attackers employ SEO techniques like backlinking and inject malicious JavaScript to redirect users to fraudulent websites.
AI Analysis
Technical Summary
The UAT-8099 threat campaign involves a Chinese-speaking cybercrime group targeting high-value Internet Information Services (IIS) servers primarily for search engine optimization (SEO) fraud and data theft. The group focuses on reputable IIS servers across multiple countries, including India, Thailand, Vietnam, Canada, and Brazil, with victims spanning universities, technology firms, and telecommunications providers. The attackers leverage a combination of web shells, hacking tools, and malware such as Cobalt Strike and BadIIS variants to gain and maintain persistent access. Their initial intrusion vectors include exploiting weak file upload configurations and enabling guest accounts, as well as using Remote Desktop Protocol (RDP) for lateral movement or direct access. Once inside, they steal sensitive credentials, configuration files, and certificates, which can facilitate further compromise or enable impersonation. The BadIIS malware variants used have low detection rates and contain Chinese debug strings, indicating active development and evasion efforts. The group manipulates search engine rankings by injecting malicious JavaScript into compromised websites, redirecting users to fraudulent sites and employing backlinking SEO techniques to boost the visibility of these malicious domains. This multi-faceted approach not only allows them to monetize compromised assets through SEO fraud but also poses risks of data exfiltration and potential further exploitation of stolen credentials and certificates. The campaign is characterized by its use of advanced tools and persistence mechanisms, highlighting a sophisticated operation focused on both financial gain and information theft.
Potential Impact
For European organizations, the UAT-8099 campaign presents several risks. Although the primary affected countries listed do not include European nations, the targeting of IIS servers and the techniques used are applicable globally, including Europe. European universities, technology companies, and telecom providers operating IIS infrastructure could be targeted or become collateral victims because of the widespread use of IIS in enterprise environments. The SEO fraud component can damage brand reputation and lead to loss of user trust if legitimate websites are compromised and redirect users to malicious sites. Data theft involving credentials and certificates could lead to further intrusions, lateral movement, or man-in-the-middle attacks within European networks. Additionally, compromised certificates can undermine secure communications and the trust models critical to European data protection regulations such as GDPR. The use of web shells and Cobalt Strike indicates potential for broader exploitation beyond SEO fraud, including espionage or ransomware deployment. The campaign's stealthy nature, with low-detection malware variants, increases the risk of a prolonged undetected presence in networks, exacerbating potential damage.
Mitigation Recommendations
European organizations should implement targeted mitigations beyond generic advice. First, conduct thorough audits of IIS server configurations to ensure secure file upload settings and disable unnecessary guest accounts to reduce attack surface. Employ strict access controls and monitor RDP usage, ideally restricting or disabling RDP where not essential and enforcing multi-factor authentication (MFA) for remote access. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying web shells, Cobalt Strike activity, and suspicious JavaScript injections. Regularly scan IIS servers for unauthorized web shells and anomalous files, leveraging threat intelligence feeds containing indicators of compromise related to BadIIS variants. Implement certificate management best practices, including monitoring for unauthorized certificate issuance or usage. Enhance network segmentation to limit lateral movement if a server is compromised. Use web application firewalls (WAFs) with rules to detect and block malicious JavaScript injections and SEO manipulation attempts. Conduct regular employee training focused on recognizing phishing and social engineering attempts that could facilitate initial access. Finally, maintain up-to-date backups and incident response plans tailored to web server compromises and data theft scenarios.
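The recommendations above call for scanning IIS servers for anomalous files and for matching threat-intelligence indicators against local telemetry. The following is an added example, not code from Talos, AlienVault or the page's author: it parses the page's own "- hash: / - ip: / - domain:" indicator list (a subset is embedded below, copied from the page), then checks two constructed inputs against it: a handful of IIS W3C log lines in the default field layout (client IP and Referer host are compared) and a file inventory of (path, digest) pairs. The log lines, file paths and benign digest are constructed for the example; the IIS field names are the standard W3C extended logging names.

```python
"""Match the UAT-8099 indicators listed on this page against local telemetry.

Added example (not from the Talos/AlienVault report). It reads the page's
'- hash: ...' / '- ip: ...' / '- domain: ...' list, then checks constructed
IIS W3C log lines and a constructed file-hash inventory against it.
"""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A subset of the indicators exactly as they appear on this page.
IOC_TEXT = """\
- hash: f9f87fcfd6ecc6d65381f97aec65f75b
- hash: 085bdd7a4b4e69a1bf7fbe50b15187c64be52763
- hash: 046417685ad2eb075f33a0f757391df84750d2395fa6f82b1f05359710b7c9b6
- ip: 123.181.24.36
- ip: 36.75.75.75
- domain: th1.ggseocdn.com
- domain: iis.ihack.one
- domain: cdn.windowserrorapis.com
"""

IOC_LINE = re.compile(r"^-\s*(hash|ip|domain):\s*(\S+)\s*$")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # classify hashes by hex length


def parse_ioc_list(text):
    """Return a dict of sets keyed by md5 / sha1 / sha256 / ip / domain."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2).lower()
        if kind == "hash":
            kind = HASH_KINDS.get(len(value))
            if kind is None or not re.fullmatch(r"[0-9a-f]+", value):
                continue  # skip malformed hashes instead of silently matching nothing
        iocs[kind].add(value)
    return iocs


def parse_w3c(lines):
    """Yield (line_no, row_dict) for each data row of an IIS W3C log.

    Column names come from the '#Fields:' directive; IIS encodes spaces inside a
    field as '+', so splitting on whitespace is safe.
    """
    fields = None
    for line_no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; count it as noise rather than guessing columns
        yield line_no, dict(zip(fields, values))


def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_iis_log(lines, iocs):
    """Return (line_no, reason) hits for client IPs and Referer hosts on the IoC list."""
    hits = []
    for line_no, row in parse_w3c(lines):
        if row.get("c-ip") in iocs["ip"]:
            hits.append((line_no, f"client ip {row['c-ip']}"))
        referer = row.get("cs(Referer)", "-")
        if referer != "-":
            host = urlsplit(referer).hostname or ""
            if host_matches(host, iocs["domain"]):
                hits.append((line_no, f"referer host {host}"))
    return hits


def scan_file_inventory(inventory, iocs):
    """inventory: iterable of (path, hexdigest). Return paths whose digest is on the list."""
    known = iocs["md5"] | iocs["sha1"] | iocs["sha256"]
    return [path for path, digest in inventory if digest.lower() in known]


# Constructed sample telemetry (not real logs); default IIS W3C field layout.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-10-02 14:01:05 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 https://www.example.org/ 200 0 0 12",
    "2025-10-02 14:01:09 10.0.0.5 GET /upload/x.aspx - 443 - 123.181.24.36 Mozilla/5.0 - 200 0 0 48",
    "2025-10-02 14:01:11 10.0.0.5 GET /news/1 - 443 - 198.51.100.9 Mozilla/5.0 https://th1.ggseocdn.com/r.js 200 0 0 7",
]

# Constructed inventory: a benign page (digest computed here) and a file whose
# SHA-256 is one of the page's indicators. The paths are hypothetical.
SAMPLE_INVENTORY = [
    ("C:\\inetpub\\wwwroot\\default.aspx",
     hashlib.sha256(b"<html>constructed benign page</html>").hexdigest()),
    ("C:\\inetpub\\wwwroot\\images\\load.dll",
     "046417685ad2eb075f33a0f757391df84750d2395fa6f82b1f05359710b7c9b6"),
]


def run_sample():
    """Scan the constructed log and inventory; returns (log_hits, file_hits)."""
    iocs = parse_ioc_list(IOC_TEXT)
    return scan_iis_log(SAMPLE_LOG, iocs), scan_file_inventory(SAMPLE_INVENTORY, iocs)


if __name__ == "__main__":
    log_hits, file_hits = run_sample()
    for line_no, reason in log_hits:
        print(f"log line {line_no}: {reason}")
    for path in file_hits:
        print(f"file on IoC list: {path}")
```

Note the suffix check in `host_matches` requires a dot boundary, so a lookalike such as `notiis.ihack.one` does not match `iis.ihack.one` while `www.iis.ihack.one` does; matching on bare substrings would produce false positives on unrelated hosts. Digest matching is only as good as the inventory feeding it, so pair it with the configuration audit (file upload settings, guest accounts, RDP exposure) the paragraph above describes.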
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- hash: f9f87fcfd6ecc6d65381f97aec65f75b
- hash: 085bdd7a4b4e69a1bf7fbe50b15187c64be52763
- hash: c12024f2444daeca42ebb6dbd428317bced6ef8d
- hash: f18a6fa421469a6041b080ba992080cd83fbcdd5
- hash: 046417685ad2eb075f33a0f757391df84750d2395fa6f82b1f05359710b7c9b6
- hash: 0511345f452e8c5ff2ca903553ba72f4fcb4f029f72b12e27f6a33e33977e5d2
- hash: 088fa3063c3015978955b572d5ddcff0838a945ce25665f24cca83d33e039cb9
- hash: 0afa8830d2c664a192af94b638ab6b1c096d13e41a7f1886b71ff020e0d9bd93
- hash: 0c364717dea76cbff870a2dbf2099213615a4caacaa5de61f7271c7eec73759f
- hash: 0c532a4a9f398fa2f5e12c2eac00c81ff4a70ac6746cf462c3f2206ed910693f
- hash: 1149c50a049dca8ada30247532d0b2f18b94c199b45fd5dc129b5a9fda0991e9
- hash: 1d17bd82d15331fd9787511da1c7b1c5cf40deef371a43d63ec524b4d90f6b84
- hash: 223ebe3875f876a951e700a153901b05e9c166ca6151ca35219c8b544ea30c01
- hash: 299aabc6b9b03d92a6aed9d12eed45a669e5795763092693ac98322107cf8217
- hash: 2eedd804c1fa4578485b55f4872145b7f891016510fe88fa760b61b8248dec82
- hash: 3bd3a328dbe4ddefa177f7c367d8d9536a3d0e7debd1648e376534f0c5cac98f
- hash: 3fb2fd80c7bc8cf69594ad36b18972eb771585bc5733f456eeef1448e8d77713
- hash: 49740a5785f0d6790ee7f82915d2a95866332fc3eaf6fb0da59645404e4aed0c
- hash: 5284d5e034aa8c077469d3ef8fb2c09aa041c475703ea99c87855cf6eecf9564
- hash: 5a6dd4bb2db005adee56732b96fa6f4ceed47fc42298daf7bb3e6db32b59eac6
- hash: 704ce326c380e4a35594df2b7d9bd17517709378451f3d9788728d01df36d0f6
- hash: 7276bc5fe4d29daf7a23a9a68022330290be45cc3a5a1d76e82063135b85ce5c
- hash: 74eb8d245d5571f3ee9a4e5417fb919034662681ff26a298a3526032307f16a4
- hash: 762db01f0dc61a3f4aa1695cb24a92fa21d236d8c5577926337ac1799d6569a5
- hash: 78f813c4474dcb4a1be9354d341bedcae6ef8689828a150c5936c308a0490777
- hash: 7ddf475abc6e01a1e703f4c54e5a2c8601fef4767b3b1859b78cfdc18b173004
- hash: 85cf3c802a97facb5ae4c1e945c5042915017f35bdf1a570754b88710facf3f3
- hash: 879ee17ff9225e2c71d818eea5addd7ce3c41a4100a98bd5d29d4cb4f2dadf22
- hash: 87ffb0bb7d8dd89bfc5d106a07d0c4a4f51c03d355848abcf52fbe8c7087cf5b
- hash: 8b154b9c9b15bc2ec4849c182c926c46bf9de561e4359cbdaf5f0ca90a4f869d
- hash: 8b2a61f29fdeda908d299515975a4dd3abd1a7508dbe8487bcb2a56fad2ec16f
- hash: 8edfa205175912a6a8d31b821b027a67f0a8413528f6fc02f544fba18d75aa4e
- hash: 94d8eaef036231cd604d0c769f0918e826501644a149876c09e967811c104860
- hash: 980f5ccbcf1b1e56095acf8e63821ef0b365f4db1ca811515e29106b8d0f9d30
- hash: 993fc46080d49c4ec814b4a3b2bf38faf2a6d59fe8a0638164b6fa27fa66e6e0
- hash: b3d08508b1e8962e56da007408450e2a40fae8cac1ee7d526914be80e31f6854
- hash: b8626f0c45c68f6176540a64e2f8c6d5ac8b942a5ec030b590870a6eaffb931f
- hash: c85a942a0d17c7accbabbf68ce04635327b757a662687c798e998c983c2a744c
- hash: c922ef32c4ab94f8b870c62883f3e41755ec705db76ec4efb0d343458f1e28c7
- hash: cbb4a9172f4b0185d3aecbaa60b8e04d8910889da8905e5089df3efdec0a38dd
- hash: cd86344937c7e7c9895fde8eecc682eb347c583e1ded491075aef548a8e255a4
- hash: e042f1a9b0a1d69311a5a1bd4eea37cc1a8a02cffe3f9ad5eb0c78fa79f326e2
- hash: e1342bca7bc4f3ff9453c68cd16532f4e6567a1ada37b6e2635cbc1c1ba325ac
- hash: ee6288fa8e5f111571475211b15522bc987da8421e9687a8089d1edef1df14a2
- hash: f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb
- hash: f659c4cfe4517a07b9c944cb7818be4022fdc42187766808ad02987a4152a875
- hash: f7cc8cf5a8e565c1aa8b7bd524f4f9fac392387de749657cb9d1cf4d694c4ad2
- hash: fee057cee9da92d3d29078e7c30da7472ce99cc2ecaf4e13e8b3d6f266a6d35f
- ip: 123.181.24.36
- ip: 138.112.25.25
- ip: 36.75.75.75
- ip: 71.162.181.51
- domain: 2fgithub.com
- domain: meindi11.com
- domain: mejsc1.com
- domain: alex.rootggseo.com
- domain: ar.ggseocdn.com
- domain: ar.mnnoxzmq.com
- domain: aspx2.ggseocdn.com
- domain: buvmfuwecndskmkvhndfjk.dfbdfwrthgef.top
- domain: bx.ggseocdn.com
- domain: bx.westooo.com
- domain: bxphp.ggseocdn.com
- domain: cdn.windowserrorapis.com
- domain: ceshi.mejsc4.com
- domain: cheng.win123888.com
- domain: google.dfbdfwrthgef.top
- domain: iis.ihack.one
- domain: joyddll.westooo.com
- domain: joydphp.westooo.com
- domain: link.mejsc4.com
- domain: list.ggseocdn.com
- domain: mo2dll.win123888.com
- domain: modll.win123888.com
- domain: mulu.ihack.one
- domain: suidcbdewjskbcsdjvbwehcsdj.dfbdfwrthgef.top
- domain: tdk.ihack.one
- domain: th1.ggseocdn.com
- domain: th1.win123888.com
- domain: x2.ggseocdn.com
- domain: x3.ggseocdn.com
- domain: x5.westooo.com
- domain: xl.luodixijin.com
- domain: xldll.xijingdafa.com
Technical Details
- Author: AlienVault
- TLP: white
- References:
  - https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/
  - https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt
- Adversary: UAT-8099
- Pulse Id: 68de952252a07c88093c6fb4
- Threat Score: null
Threat ID: 68dea28f74e254631608624d
Added to database: 10/2/2025, 4:04:31 PM
Last enriched: 10/2/2025, 4:05:01 PM
Last updated: 10/2/2025, 7:00:17 PM
Views: 5