UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers
Campaign
Summary
Hide ▲
Show ▼
UAT-8099 launched a late 2025 to early 2026 campaign against vulnerable IIS servers across Asia, with the strongest concentration in Thailand and Vietnam. The operation used web shells, PowerShell, and GotoHTTP to gain remote access and maintain control. It also deployed BadIIS variants to drive SEO fraud while hiding activity with legitimate and red-team tools. The shift toward a more regional focus and stealthier tooling raises the likelihood of sustained abuse of exposed IIS servers.
Related Happenings
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
Campaign
H score18
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
CampaignAbout this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
OP-512 Microsoft IIS espionage campaign
Campaign
H score52
First: 05.06.2026 15:33
Last: 05.06.2026 15:33
Sources 1
About this happening:
**OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
OP-512 Microsoft IIS espionage campaign
CampaignAbout this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
H score28
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
UAT-8302 government-targeting campaign across South America and southeastern Europe
CampaignAbout this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
H score39
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
CampaignAbout this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Timeline
-
30.01.2026 14:08 2 articles · 5mo ago
UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers
Initial DisclosureIn the first observed phase, **UAT-8099** obtained access to **IIS servers** through vulnerable upload features or weak settings and then used **web shells** plus **PowerShell** to run scripts. The actor followed that with **GotoHTTP** deployment and hidden accounts such as **admin$** to establish persistence before activating **BadIIS** for SEO fraud.
Show sources
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08