BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
Summary
Hide ▲
Show ▼
BadIIS is a malicious native IIS module used on compromised IIS servers to support SEO fraud and traffic manipulation. Cisco Talos says the activity is tied to UAT-8099, a Chinese-speaking cybercrime group, while ESET separately tracked GhostRedirector running a related SEO manipulation campaign against gambling sites by compromising Windows Web servers and abusing Googlebot-driven indexing. The campaign has been active since at least August 2024, has affected 65 sites and dozens of websites across Brazil, Vietnam, and Thailand, and uses tools including Rungan, Gamshen, EfsPotato, and BadPotato. The activity matters because it turns legitimate IIS infrastructure into a hidden traffic-control layer that can manipulate search results and silently redirect victims.
Related Happenings
Indirect prompt-injection web campaigns targeting AI agents
Campaign
H score37
First: 06.07.2026 18:00
Last: 06.07.2026 18:00
Sources 1
About this happening:
**Two real-world campaigns** are using **indirect prompt injection** and **SEO poisoning** to steer **AI agents** into fraudulent actions and false legitimacy judgments. The lures...
Indirect prompt-injection web campaigns targeting AI agents
CampaignAbout this happening: **Two real-world campaigns** are using **indirect prompt injection** and **SEO poisoning** to steer **AI agents** into fraudulent actions and false legitimacy judgments. The lures...
OP-512 Microsoft IIS espionage campaign
Campaign
H score52
First: 05.06.2026 15:33
Last: 05.06.2026 15:33
Sources 1
About this happening:
**OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
OP-512 Microsoft IIS espionage campaign
CampaignAbout this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationAbout this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
H score39
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
CampaignAbout this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Timeline
-
30.01.2026 14:08 6 articles · 5mo ago
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Initial DisclosureInitial compromise on **IIS servers** was followed by deployment of **BadIIS** to hijack web traffic and support **SEO fraud**. The early malware stage focused on crawler redirection and malicious content injection before region-specific variants were introduced.
Show sources
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59