Operation Rewrite BadIIS SEO poisoning campaign
Campaign
Summary
A Chinese-speaking threat actor is running Operation Rewrite, an SEO poisoning campaign that uses BadIIS on compromised IIS servers to manipulate search results and redirect traffic. The operation targets East and Southeast Asia, especially Vietnam, and abuses trusted websites to boost malicious rankings. In one observed intrusion, the operators also created local accounts, dropped web shells, and exfiltrated source code. The campaign matters because it turns legitimate infrastructure into a delivery path for scam traffic and persistent access.
Related Happenings
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
CL-UNK-1068 years-long espionage campaign targeting Asian organizations
Campaign
First: 09.03.2026 09:21
Last: 09.03.2026 09:21
Sources 1
About this happening:
A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
How related:
This attack used a malicious native Internet Information Services (IIS) module called BadIIS.
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers
Campaign
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**UAT-8099** launched a **late 2025 to early 2026** campaign against **vulnerable IIS servers** across **Asia**, with the strongest concentration in **Thailand and Vietnam**. The...
Timeline
- 23.09.2025 11:13 · 2 articles · 8mo ago
Unit 42 discloses Operation Rewrite BadIIS campaign
Initial Disclosure
Palo Alto Networks Unit 42 disclosed Operation Rewrite, a BadIIS-based SEO poisoning campaign targeting East and Southeast Asia, particularly Vietnam, and assessed with high confidence that a Chinese-speaking actor is behind the activity. The operation uses compromised IIS servers to intercept and modify HTTP traffic, feed poisoned content to search engine crawlers, manipulate rankings, and redirect victims to scam sites. At least one intrusion also involved pivoting to other systems, creating local user accounts, dropping web shells, and exfiltrating source code.
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13