Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026.
The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers located across Asia, but with a specific focus on targets in Thailand and Vietnam. The scale of the campaign is currently unknown.
"UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers," security researcher Joey Chen said in a Thursday breakdown of the campaign.
UAT-8099 was first documented by the cybersecurity company in October 2025, detailing the threat actor's exploitation of IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimization (SEO) fraud. The attacks involve infecting the servers with a known malware referred to as BadIIS.
The hacking group is assessed to be of Chinese origin, with the attacks dating back to April 2025. The threat cluster also shares similarities with another BadIIS campaign codenamed WEBJACK by Finnish cybersecurity vendor WithSecure in November 2025, based on overlaps in tools, command-and-control (C2) infrastructure, and victimology footprint.
The latest campaign is focused on compromising IIS servers located in India, Pakistan, Thailand, Vietnam, and Japan, although Cisco said it observed a "distinct concentration of attacks" in Thailand and Vietnam.
"While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly," Talos explained. "First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence."
The attack chain begins with UAT-8099 gaining initial access to an IIS server, typically by either exploiting a security vulnerability or weak settings in the web server's file upload feature. This is followed by the threat actor initiating a series of steps to deploy malicious payloads -
- Execute discovery and reconnaissance commands to gather system information
- Deploy VPN tools and establish persistence by creating a hidden user account named "admin$"
- Drop new tools like Sharp4RemoveLog (remove Windows event logs), CnCrypt Protect (hide malicious files), OpenArk64 (open-source anti-rootkit to terminate security product processes), and GotoHTTP (remote control of server)
- Deploy BadIIS malware using the newly created account
With security products taking steps to flag the "admin$" account, the threat actor has added a new check to verify if the name is blocked, and if so, proceeds to create a new user account named "mysql$" to maintain access and run the BadIIS SEO fraud service without any interruption. In addition, UAT-8099 has been observed creating more hidden accounts to ensure persistence.
Another notable shift revolves around the use of GotoHTTP to remotely control the infected server. The tool is launched by means of a Visual Basic Script that is downloaded by a PowerShell command that's run following the deployment of a web shell.
The BadIIS malware deployed in the attacks is two new variants customized to target specific regions: While BadIIS IISHijack singles out victims in Vietnam, BadIIS asdSearchEngine is primarily aimed at targets in Thailand or users with Thai language preferences.
The end goal of the malware still largely remains the same. It scans incoming requests to IIS servers to check if the visitor is a search engine crawler. If that's the case, the crawler is redirected to an SEO fraud site. However, if the request is from a regular user and the Accept-Language header in the request indicates Thai, it injects HTML containing a malicious JavaScript redirect into the response.
Cisco Talos said it identified three distinct variants within the BadIIS asdSearchEngine cluster -
- Exclusive multiple extensions variant, which checks the file path in the request and ignores it if it contains an extension on its exclusion list that can either be resource intensive or hamper the website's appearance
- Load HTML templates variant, which contains an HTML template generation system to dynamically create web content by loading templates from disk or using embedded fallbacks and replacing placeholders with random data, dates, and URL-derived content
- Dynamic page extension/directory index variant, which checks if a requested path corresponds to a dynamic page extension or a directory index
"We assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting while maintaining stealth," Talos said of the third variant.
"Since SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most effective. Furthermore, by restricting hooks to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs."
There are also signs that the threat actor is actively refining its Linux version of BadIIS. An ELF binary artifact uploaded to VirusTotal in early October 2025 includes proxy, injector, and SEO fraud modes as before, while limiting the targeted search engines to only crawlers from Google, Microsoft Bing, and Yahoo!
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.