Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to redirect users to malicious sites. The campaign primarily targets East and Southeast Asia, with a focus on Vietnam. The attackers employ various tools including native IIS modules, ASP.NET handlers, and PHP scripts. The operation shows links to previously known threat groups like Group 9 and possibly DragonRank. The campaign demonstrates sophisticated techniques for search result manipulation and traffic redirection, posing significant risks to unsuspecting internet users.

Operation Rewrite is a sophisticated SEO poisoning campaign conducted by a Chinese-speaking threat actor group identified as CL-UNK-1037. The attackers leverage a malicious IIS (Internet Information Services) module named BadIIS to compromise web servers and intercept web traffic. By manipulating HTTP responses and altering search engine results, they redirect users to malicious websites, potentially exposing them to further malware infections, phishing, or fraud. The campaign primarily targets servers in East and Southeast Asia, with a particular focus on Vietnam. The attackers utilize a combination of native IIS modules, ASP.NET handlers, and PHP scripts to maintain persistence and control over compromised systems. The operation shows links to previously known threat groups such as Group 9 and possibly DragonRank, indicating a continuation or evolution of prior SEO poisoning tactics. Techniques employed include web shell deployment, command execution (T1059), exploitation of web server vulnerabilities (T1190), and traffic redirection (T1189). This campaign is notable for its scale and the complexity of its manipulation of search engine results, which can undermine user trust in legitimate websites and search engines. Although no known exploits are currently reported in the wild for this specific BadIIS module, the threat actor’s ability to compromise IIS servers and manipulate web traffic represents a significant risk to organizations hosting web services on Microsoft IIS platforms.

Detailed information about Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign. Get real-time updates, techni

Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threats Affecting Malaysia

Filter Threats

Threats Affecting Malaysia

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility