Find notable cyber news and cases, enriched with sources, timelines, and signals.

UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

UAT-8099 launched a late 2025 to early 2026 campaign against vulnerable IIS servers across Asia, with the strongest concentration in Thailand and Vietnam. The operation used web shells, PowerShell, and GotoHTTP to gain remote access and maintain control. It also deployed BadIIS variants to drive SEO fraud while hiding activity with legitimate and red-team tools. The shift toward a more regional focus and stealthier tooling raises the likelihood of sustained abuse of exposed IIS servers.

Related Happenings

CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT

Campaign
H score18 First: 26.06.2026 13:30 Last: 26.06.2026 13:30 Sources 1

About this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...

OP-512 Microsoft IIS espionage campaign

Campaign
H score52 First: 05.06.2026 15:33 Last: 05.06.2026 15:33 Sources 1

About this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
H score37 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
H score28 First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
H score39 First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

Timeline

  1. 30.01.2026 14:08 2 articles · 5mo ago

    UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers

    Initial Disclosure

    In the first observed phase, **UAT-8099** obtained access to **IIS servers** through vulnerable upload features or weak settings and then used **web shells** plus **PowerShell** to run scripts. The actor followed that with **GotoHTTP** deployment and hidden accounts such as **admin$** to establish persistence before activating **BadIIS** for SEO fraud.

    Show sources