BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
Summary
BadIIS is a malicious native IIS module installed on compromised IIS servers to support SEO fraud and traffic manipulation. Cisco Talos ties the activity to UAT-8099, a Chinese-speaking cybercrime group, while ESET separately tracked GhostRedirector, which ran a related SEO manipulation campaign promoting gambling sites by compromising Windows web servers and abusing Googlebot-driven indexing. The campaign has been active since at least August 2024, has affected 65 sites and dozens of websites across Brazil, Vietnam, and Thailand, and uses tools including Rungan, Gamshen, EfsPotato, and BadPotato. The activity matters because it turns legitimate IIS infrastructure into a hidden traffic-control layer that can manipulate search results and silently redirect visitors.
Related Happenings
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Timeline
30.01.2026 14:08 6 articles · 3mo ago
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Initial Disclosure: Initial compromise of **IIS servers** was followed by deployment of **BadIIS** to hijack web traffic and support **SEO fraud**. The early malware stage focused on crawler redirection and malicious content injection before region-specific variants were introduced.
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59