
UAT-8099 IIS hijacking SEO fraud campaign

Campaign
Happening score (H score): 46
3 unique sources, 3 articles

Summary


The UAT-8099 campaign is hijacking IIS servers at reputable organizations across Brazil, Canada, India, Thailand, and Vietnam, turning them into infrastructure for SEO fraud and credential theft. The operators abuse the compromised servers to push search traffic toward spam ads and illegal gambling sites. They also harvest sensitive access data that can enable follow-on attacks or resale.

Related Happenings

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

Timeline

  1. 03.10.2025 16:00 3 articles · 7mo ago

    UAT-8099 hijacks IIS servers for SEO fraud

    Initial Disclosure

    Cisco Talos reported that UAT-8099 was hijacking Internet Information Services (IIS) servers at reputable organizations across Brazil, Canada, India, Thailand, and Vietnam for SEO fraud and data theft. The group abused unrestricted uploads to drop web shells, escalated privileges, enabled Remote Desktop Protocol (RDP) access, and used reverse proxy, VPN, and D_Safe_Manage tooling to retain exclusive access. The compromised servers were then used to deploy BadIIS for search-engine poisoning and malicious redirects, while Cobalt Strike and other access data, including credentials, configuration files, and certificate information, were collected for follow-on abuse or resale.
