Find notable cyber news and cases, enriched with sources, timelines, and signals.

BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam

Malware Activity
First reported
Last updated
Happening score
H score 27
3 unique sources, 5 articles

Summary

Hide ▲

BadIIS is a malicious native IIS module used on compromised IIS servers to support SEO fraud and traffic manipulation. Cisco Talos says the activity is tied to UAT-8099, a Chinese-speaking cybercrime group, while ESET separately tracked GhostRedirector running a related SEO manipulation campaign against gambling sites by compromising Windows Web servers and abusing Googlebot-driven indexing. The campaign has been active since at least August 2024, has affected 65 sites and dozens of websites across Brazil, Vietnam, and Thailand, and uses tools including Rungan, Gamshen, EfsPotato, and BadPotato. The activity matters because it turns legitimate IIS infrastructure into a hidden traffic-control layer that can manipulate search results and silently redirect victims.

Related Happenings

Indirect prompt-injection web campaigns targeting AI agents

Campaign
H score37 First: 06.07.2026 18:00 Last: 06.07.2026 18:00 Sources 1

About this happening: **Two real-world campaigns** are using **indirect prompt injection** and **SEO poisoning** to steer **AI agents** into fraudulent actions and false legitimacy judgments. The lures...

OP-512 Microsoft IIS espionage campaign

Campaign
H score52 First: 05.06.2026 15:33 Last: 05.06.2026 15:33 Sources 1

About this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
H score39 First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

Vidar infostealer market rise and distribution expansion

Malware Activity
H score30 First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Timeline

  1. 30.01.2026 14:08 6 articles · 5mo ago

    BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam

    Initial Disclosure

    Initial compromise on **IIS servers** was followed by deployment of **BadIIS** to hijack web traffic and support **SEO fraud**. The early malware stage focused on crawler redirection and malicious content injection before region-specific variants were introduced.

    Show sources