UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers
Campaign
Summary
UAT-8099 launched a late 2025 to early 2026 campaign against vulnerable IIS servers across Asia, with the strongest concentration in Thailand and Vietnam. The operation used web shells, PowerShell, and GotoHTTP to gain remote access and maintain control. It also deployed BadIIS variants to drive SEO fraud while hiding activity with legitimate and red-team tools. The shift toward a more regional focus and stealthier tooling raises the likelihood of sustained abuse of exposed IIS servers.
Related Happenings
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
ClickFix DNS-based nslookup staging campaign
Campaign
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
How related:
The attacks involve infecting the servers with known malware referred to as BadIIS.
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
Timeline
30.01.2026 14:08 · 2 articles
UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers
Initial Disclosure:
In the first observed phase, **UAT-8099** obtained access to **IIS servers** through vulnerable upload features or weak settings and then used **web shells** plus **PowerShell** to run scripts. The actor followed that with **GotoHTTP** deployment and hidden accounts such as **admin$** to establish persistence before activating **BadIIS** for SEO fraud.
Sources:
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08