BadIIS Malware SEO Poisoning Campaign Targets East and Southeast Asia
Summary
A Chinese-speaking threat actor, dubbed CL-UNK-1037, is conducting an SEO poisoning campaign using the BadIIS malware. The campaign targets East and Southeast Asia, particularly Vietnam, to redirect web traffic and plant web shells on compromised servers. The malware manipulates search engine results to direct users to malicious sites, leveraging compromised legitimate servers. The actor shares infrastructure and architectural overlaps with Group 9 and has been active since at least 2025. The BadIIS malware intercepts and modifies HTTP traffic to serve malicious content, using compromised IIS servers to alter search engine indexing. The campaign involves creating new user accounts, dropping web shells, and exfiltrating source code to maintain persistent access. The threat actor employs multiple variants of BadIIS, including ASP.NET page handlers, .NET IIS modules, and PHP scripts, to achieve SEO poisoning and traffic manipulation.
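The summary describes three places a BadIIS-style implant lives on a compromised IIS host (native global modules, .NET IIS modules, ASP.NET page handlers) and two side effects of the intrusion (new user accounts, dropped web shells). The following PowerShell audit is an added example, not code from the article or from any vendor report behind it; it inventories those extension points and flags anything outside a baseline. The `$KnownGoodModules` list and the 30-day `$LookbackDays` window are assumptions to be replaced with a baseline captured from a clean server of the same build. It uses only the stock `WebAdministration` cmdlets (`Get-WebGlobalModule`, `Get-WebManagedModule`, `Get-WebHandler`, `Get-Website`) and `Get-WinEvent`, and must be run elevated on the IIS host.

```powershell
# Added example (not from the article): audit the IIS extension points a BadIIS-style
# implant registers in, plus new local accounts and recently written script files.
# Run elevated on the IIS host. Requires the WebAdministration module.

Import-Module WebAdministration -ErrorAction Stop

$LookbackDays     = 30   # assumption: window for "new" accounts and files
$Inetsrv          = Join-Path $env:windir 'System32\inetsrv'
$KnownGoodModules = @(   # hypothetical baseline; export your own from a clean host
    'StaticFileModule', 'DefaultDocumentModule', 'DirectoryListingModule',
    'HttpLoggingModule', 'RequestFilteringModule', 'AnonymousAuthenticationModule',
    'ManagedEngineV4.0_32bit', 'ManagedEngineV4.0_64bit'
)
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Name, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Name = $Name; Detail = $Detail })
}

# 1. Native global modules. Image paths are stored with %windir% unexpanded, so
#    expand before comparing. A module DLL outside inetsrv, or a name not in the
#    baseline, is the first thing to look at.
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    if (-not $image.StartsWith($Inetsrv, 'OrdinalIgnoreCase')) {
        Add-Finding 'GlobalModule' $m.Name "image outside inetsrv: $image"
    } elseif ($KnownGoodModules -notcontains $m.Name) {
        Add-Finding 'GlobalModule' $m.Name "not in baseline: $image"
    }
}

foreach ($site in Get-Website) {
    $sitePath = "IIS:\Sites\$($site.Name)"

    # 2. Managed (.NET) modules per site. ASP.NET's own modules are typed under
    #    System.Web; a .NET IIS module variant shows up with some other type.
    foreach ($mm in Get-WebManagedModule -PSPath $sitePath) {
        if ($mm.Type -notlike 'System.Web.*') {
            Add-Finding 'ManagedModule' $mm.Name "site=$($site.Name) type=$($mm.Type)"
        }
    }

    # 3. Handler mappings per site. Flag managed handlers outside System.Web and
    #    script processors (e.g. a PHP CGI binary) outside the Windows/IIS trees.
    foreach ($h in Get-WebHandler -PSPath $sitePath) {
        $proc = ''
        if ($h.ScriptProcessor) { $proc = [Environment]::ExpandEnvironmentVariables($h.ScriptProcessor) }
        $managedCustom = $h.Type -and ($h.Type -notlike 'System.Web.*')
        $customProc    = $proc -and -not ($proc.StartsWith($Inetsrv, 'OrdinalIgnoreCase') -or
                                          $proc -like "$env:windir\Microsoft.NET\*")
        if ($managedCustom -or $customProc) {
            Add-Finding 'Handler' $h.Name "site=$($site.Name) path=$($h.Path) verb=$($h.Verb) type=$($h.Type) proc=$proc"
        }
    }

    # 4. Script files written recently under the site's web root (web shell candidates).
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.php -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$LookbackDays) } |
            ForEach-Object { Add-Finding 'RecentScript' $_.FullName "modified $($_.LastWriteTime)" }
    }
}

# 5. Local accounts created in the window: Security event 4720, TargetUserName is Properties[0].
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$LookbackDays) } -ErrorAction Stop |
        ForEach-Object { Add-Finding 'NewLocalAccount' $_.Properties[0].Value "created $($_.TimeCreated)" }
} catch {
    Write-Verbose "No 4720 events in window or Security log not readable: $_"
}

$Findings | Sort-Object Check, Name | Format-Table -AutoSize
```

Each finding is a lead, not a verdict: compare module and handler entries against a known-good export of the same IIS build, and hash any flagged DLL or script before removing it so the sample survives for analysis.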
Timeline
- 23.09.2025 11:13 (1 article): BadIIS Malware SEO Poisoning Campaign Targets East and Southeast Asia
  Source: BadIIS Malware Spreads via SEO Poisoning | Redirects Traffic, Plants Web Shells | thehackernews.com | 23.09.2025 11:13
Information Snippets
Source for all snippets (first reported 23.09.2025 11:13, 1 source, 1 article): BadIIS Malware Spreads via SEO Poisoning | Redirects Traffic, Plants Web Shells | thehackernews.com
- The BadIIS malware is used in an SEO poisoning campaign targeting East and Southeast Asia.
- The campaign, dubbed Operation Rewrite, is conducted by a Chinese-speaking threat actor identified as CL-UNK-1037.
- CL-UNK-1037 shares infrastructure and architectural overlaps with Group 9 and DragonRank.
- BadIIS intercepts and modifies HTTP traffic to serve malicious content, using compromised IIS servers.
- The malware manipulates search engine results to direct users to malicious sites, leveraging compromised legitimate servers.
- The campaign involves creating new user accounts, dropping web shells, and exfiltrating source code to maintain persistent access.
- The threat actor employs multiple variants of BadIIS, including ASP.NET page handlers, .NET IIS modules, and PHP scripts.
- The campaign has been active since at least 2025.