A Chinese-speaking cybercrime group is aggressively targeting vulnerable Internet Information Services (IIS) web servers for use in search engine optimization (SEO) fraud, as well as for the theft of high-value data, researchers at Cisco Talos have warned.
The servers most at risk from attacks right now are in universities, technology companies, and telecom providers in India, Thailand, Vietnam, Canada, and Brazil, the company said.
This targeting isn’t coincidental; the group, identified as UAT-8099, chooses its victims for their high domain and IP reputation, which makes it less likely SEO fraud activity will be detected or blocked.
Cisco Talos doesn’t say how many servers the group has compromised, but the fact that it tracks the activity as a distinct cluster with its own identifier suggests the volume is significant. It is also possible that the campaign will eventually expand to other countries, including the US and UK.
The tactics, techniques and procedures (TTPs) described by Cisco Talos offer an interesting insight into the deeper workings of SEO fraud.
To gain initial access, UAT-8099 targets weakly configured IIS servers hosting applications such as content management systems (CMS) that allow unrestricted file uploads.
The group abuses this feature to upload a web shell, then enables a guest account and immediately elevates it to administrator. Remote Desktop Protocol (RDP) is then enabled, at which point the attackers have enough control over the server to install the BadIIS SEO malware, a malicious IIS module.
To achieve persistence, the attackers create a hidden admin account. They add backdoor access via the SoftEther VPN or EasyTier decentralized VPN tools, which tunnels the RDP traffic and avoids detection, and use the FRP reverse proxy so that connections are initiated outbound from the server, further obscuring the compromise.
To stop other crime groups from exploiting the compromised server, UAT-8099 installs the D_Safe_Manage IIS security tool, which rather rubs in the fact that the defenders should have deployed this, or an equivalent control, themselves.
Why SEO fraud?
Poisoning search engines, especially Google, is an important enabler of cybercrime.
The aim of this exercise is to elevate malicious or fraudulent links to as near the top of search results as possible.
If the attackers served these pages from their own freshly registered domains, search engines would quickly filter or downrank them. The answer is to hijack someone else’s site, preferably one with a high-reputation domain and IP. The search crawler then sees pages on a reputable IIS server which the attacker has filled with keyword-friendly terms and hidden backlinks to other reputable but similarly hijacked web servers. The malicious IIS module tells crawlers and people apart by inspecting request headers such as User-Agent and Referer, so each audience gets a different response.
This elevates the ranking of these pages in search, making them more likely to be noticed and clicked on. When users do click, they are fed injected ads or redirected to malicious landing pages hosted elsewhere, content that the crawlers never see.
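The divergence described above is something an administrator can test for directly. The following is an added example, not code from the Talos report: it fetches one URL as a search-engine crawler, as a browser arriving from a search results page, and as a browser arriving directly, then compares status codes, redirect targets and body hashes. The target host names (victim.example, landing.example, other-victim.example) and the cloaked-server stand-in are constructed for the example so it runs offline; only run http_fetch against servers you are authorised to test.

```python
"""Probe a web server for search-engine cloaking.

The same URL is fetched three ways: as a search-engine crawler, as a browser
arriving from a search results page, and as a browser arriving directly.
A server running an SEO-fraud module typically answers the three differently;
a healthy server answers them the same.
"""
import hashlib
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# (HTTP status, Location header or "", response body)
Response = Tuple[int, str, bytes]
# fetcher signature: (url, user_agent, referer) -> Response
Fetcher = Callable[[str, str, str], Response]

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
SEARCH_REFERER = "https://www.google.com/"


class _KeepRedirects(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the Location header is the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, user_agent: str, referer: str) -> Response:
    """Live fetcher for a server you are authorised to test."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_KeepRedirects)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "") or "", resp.read()
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location", "") or "", err.read()


def _compare(name_a: str, a: Response, name_b: str, b: Response) -> List[str]:
    """Describe how two views of the same URL differ; empty list if they agree."""
    status_a, loc_a, body_a = a
    status_b, loc_b, body_b = b
    if status_a != status_b:
        return [f"{name_a} gets HTTP {status_a}{' -> ' + loc_a if loc_a else ''}, "
                f"{name_b} gets HTTP {status_b}{' -> ' + loc_b if loc_b else ''}"]
    if hashlib.sha256(body_a).digest() != hashlib.sha256(body_b).digest():
        return [f"{name_a} and {name_b} both get HTTP {status_a} but different bodies"]
    return []


def probe(url: str, fetch: Fetcher = http_fetch) -> List[str]:
    """Return cloaking findings for url; an empty list means the views are consistent."""
    crawler = fetch(url, CRAWLER_UA, "")
    searcher = fetch(url, BROWSER_UA, SEARCH_REFERER)
    direct = fetch(url, BROWSER_UA, "")
    # Referer-keyed cloaking: search visitors treated differently from direct ones.
    findings = _compare("search-referred visitor", searcher, "direct visitor", direct)
    # User-Agent-keyed cloaking: crawlers shown content that humans never see.
    findings += _compare("crawler", crawler, "direct visitor", direct)
    return findings


def constructed_cloaked_server(url: str, user_agent: str, referer: str) -> Response:
    """Offline stand-in for a compromised server (constructed for this example;
    not real UAT-8099 traffic). Crawlers receive keyword-stuffed HTML with a
    hidden backlink, search-referred visitors are bounced to a landing page,
    and direct visitors see the legitimate page."""
    if "Googlebot" in user_agent:
        return 200, "", (b"<html>cheap flights casino bonus "
                         b"<a style='display:none' href='http://other-victim.example/'>x</a></html>")
    if "google.com" in referer:
        return 302, "http://landing.example/ads", b""
    return 200, "", b"<html>Welcome to the University of Example</html>"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = probe(target) if target else probe("http://victim.example/", constructed_cloaked_server)
    for line in results or ["consistent: no cloaking indicators"]:
        print(line)
```

Two caveats when running this against a real site: pages with per-request nonces, timestamps or A/B content will differ in body hash without being cloaked, so a body mismatch is a prompt to diff the two responses rather than a verdict; and a module keyed on other signals (client IP ranges, Accept-Language) will not be caught by three requests from one machine.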
As a backup revenue source, UAT-8099 also steals any credentials and other sensitive data it can find on compromised servers to re-sell to other criminals.
What to do
IIS, and the applications running on it, are perennial targets for attackers exploiting both software vulnerabilities and misconfigurations. One example of this was the Trimble Cityworks RCE vulnerability (CVE-2025-0994) from earlier in 2025. And in July, the North Korean Lazarus group was reported to have compromised IIS servers in South Korea to distribute malware to users of the INISAFE CrossWeb EX V6 banking security software.
The current attacks have been ongoing since at least April 2025, which means that organizations should first check their IIS estates for existing compromise. To aid in this, Cisco Talos has published a GitHub repository listing file hashes and malicious domains associated with UAT-8099 to look for in logs and on disk.
Servers should also be configured so that IIS never executes anything that lands in the upload folder: map that folder to the StaticFile handler only, with the script handlers removed and, ideally, request filtering that serves only the expected file types. An uploaded web shell is then served as an inert file, or refused outright, rather than run, so hiding a script behind an innocuous-looking upload buys the attacker nothing on that server.
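One way to apply that hardening in IIS, as an added example that is not configuration from the Talos report: a site-level web.config fragment that scopes the upload folder to the static-file handler and whitelists the file types served from it. It assumes the CMS stores uploads under a folder called "uploads" and that only images and PDFs are expected there; adjust both to the application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: site web.config for an IIS site whose CMS writes uploads to /uploads.
     The folder name and the allowed extensions are assumptions for the example. -->
<configuration>
  <location path="uploads">
    <system.webServer>
      <!-- Drop every inherited handler (ASP.NET, classic ASP, PHP FastCGI, ...) and
           serve this folder with the static-file handler only. accessPolicy="Read"
           removes the Script and Execute permissions for the folder, so even a handler
           re-added by a parent config cannot execute anything here. -->
      <handlers accessPolicy="Read">
        <clear />
        <add name="StaticFile" path="*" verb="GET,HEAD" modules="StaticFileModule"
             resourceType="Either" requireAccess="Read" />
      </handlers>
      <security>
        <requestFiltering>
          <!-- Only the expected upload types are served at all; a .aspx or .ashx dropped
               here answers 404.7 (extension denied) instead of running. -->
          <fileExtensions allowUnlisted="false">
            <add fileExtension=".jpg" allowed="true" />
            <add fileExtension=".jpeg" allowed="true" />
            <add fileExtension=".png" allowed="true" />
            <add fileExtension=".gif" allowed="true" />
            <add fileExtension=".pdf" allowed="true" />
          </fileExtensions>
          <!-- Nothing should ever be POSTed to the upload folder itself; the upload
               handler lives elsewhere in the application and merely writes into it. -->
          <verbs allowUnlisted="false">
            <add verb="GET" allowed="true" />
            <add verb="HEAD" allowed="true" />
          </verbs>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two caveats. First, this only controls what IIS will execute under that one path; if the upload handler is vulnerable to path traversal the attacker can write the web shell somewhere that still has script permission, so the handler itself must canonicalise and validate the destination and rename files to a safe extension. Second, if the application legitimately POSTs to URLs below the upload folder, the verb filter above will break it; move that filter to the real upload endpoint's parent path instead of removing it.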
Finally, RDP should not be reachable from the internet: disable it where it is not needed, and otherwise restrict it to a VPN or management network and require multi-factor authentication (MFA) for all administrative access. At the very least, a SIEM should ingest IIS request logs together with Windows Security and file-audit events from the web root, since the IIS logs alone record requests, not file changes. With the right alerts, those feeds reveal the sequence described above: POSTs to upload directories that leave script-extension files behind, subsequent requests to those files, new local accounts (Security event 4720) and additions to the Administrators group (event 4732), and RDP being enabled.
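The first two of those alerts can be prototyped against IIS W3C extended logs before they are turned into SIEM rules. The following is an added example, not code from the Talos report: it parses the #Fields header, flags any non-GET request into the upload folder and any script-extension file under it (including double-extension tricks such as logo.aspx;.jpg), and raises the severity when the same client IP was earlier seen calling an upload handler. The upload paths, the extension list and the log lines are constructed for the example.

```python
"""Triage IIS W3C extended logs for signs that an upload folder is being used
to drop and invoke a web shell."""
import re
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import unquote

# Assumed layout for this example: the CMS writes uploaded files below these prefixes.
UPLOAD_PREFIXES = ("/cms/uploads/", "/uploads/")
# Extensions IIS (or common add-on engines) will hand to a script handler.
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".asax", ".svc", ".soap", ".rem",
               ".cshtml", ".config", ".php", ".jsp"}
SAFE_METHODS = {"GET", "HEAD"}

Finding = Tuple[str, str, str]   # (timestamp, severity, description)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):           # #Software, #Version, #Date
            continue
        if not fields:
            raise ValueError("log entry appears before a #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):      # truncated or rotated mid-line
            continue
        yield dict(zip(fields, parts))


def script_like(uri_stem: str) -> bool:
    """True if any extension-like token in the last path segment is a script
    extension, so logo.aspx, logo.aspx;.jpg and logo.aspx.jpg all match."""
    name = unquote(uri_stem).rsplit("/", 1)[-1].lower()
    tokens = re.split(r"[.;]", name)[1:]
    return any("." + t in SCRIPT_EXTS for t in tokens)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Finding] = []
    uploaders = set()   # client IPs that have POSTed to an upload endpoint
    for e in parse_w3c(lines):
        stem, method, ip = e["cs-uri-stem"], e["cs-method"], e["c-ip"]
        when = f"{e['date']} {e['time']}"
        lower = stem.lower()
        in_upload_dir = lower.startswith(UPLOAD_PREFIXES)
        if method not in SAFE_METHODS and "upload" in lower and not in_upload_dir:
            uploaders.add(ip)              # a call to the application's upload handler
        reasons = []
        if in_upload_dir and method not in SAFE_METHODS:
            reasons.append(f"{method} to upload directory")
        if in_upload_dir and script_like(stem):
            reasons.append("script extension under upload directory")
        if reasons:
            # An IP that uploaded something and then hit a script there is the
            # textbook drop-then-invoke sequence.
            severity = "CRITICAL" if ip in uploaders else "HIGH"
            findings.append((when, severity,
                             f"{ip} {method} {stem} -> {e['sc-status']}: " + "; ".join(reasons)))
    return findings


# Constructed sample (not real UAT-8099 logs): a benign hit, an upload, then the
# dropped file being invoked twice. IIS writes spaces inside header values as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-06-03 09:12:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-06-03 09:12:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-06-03 09:12:40 10.0.0.5 POST /cms/upload.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 120
2025-06-03 09:12:55 10.0.0.5 POST /cms/uploads/logo.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 45
2025-06-03 09:13:10 10.0.0.5 GET /cms/uploads/logo.aspx;.jpg - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 30
""".splitlines()

if __name__ == "__main__":
    for when, sev, desc in triage(SAMPLE_LOG):
        print(f"{when} [{sev}] {desc}")
```

A 200 on a script file under the upload folder is not by itself proof of execution: with the StaticFile handler in place the same request would be refused or served inert, so the status column tells you whether the hardening above is actually effective on that server. Either way the request is worth an alert, because nothing legitimate asks for an .aspx in an image folder.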