{
	"id": "390d5661-5ea1-4466-87bb-bf6b6c83490b",
	"created_at": "2026-04-06T00:18:03.336545Z",
	"updated_at": "2026-04-10T03:36:23.141915Z",
	"deleted_at": null,
	"sha1_hash": "8d87806e66bdf36224e2880dd3d2962b97749dac",
	"title": "UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6699920,
	"plain_text": "UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud\r\nBy Joey Chen\r\nPublished: 2025-10-02 · Archived: 2026-04-02 12:44:26 UTC\r\nThursday, October 2, 2025 06:00\r\nCisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data.\r\nCisco's file census and DNS analysis show affected Internet Information Services (IIS) servers in India, Thailand, Vietnam, Canada, and Brazil, targeting organizations such as universities, tech firms and telecom providers.\r\nUAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions.\r\nThe group maintains persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware; their automation scripts are customized to evade defenses and hide activity.\r\nTalos found several new BadIIS malware samples from this campaign on VirusTotal this year: one cluster with very low detection and another containing simplified Chinese debug strings.\r\nIn April 2025, Cisco Talos identified a Chinese-speaking cybercrime group, tracked as UAT-8099, which targets a broad range of vulnerable IIS servers across specific regions. This group focuses on high-value IIS servers that have a good reputation within these areas to manipulate search engine results for financial gain.\r\nhttps://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/\r\nPage 1 of 29\n\nUAT-8099 operates as a cybercrime group conducting SEO fraud. Additionally, UAT-8099 uses Remote Desktop Protocol (RDP) to access IIS servers and search for valuable data such as logs, credentials, configuration files and sensitive certificates, which they package for possible resale or further exploitation. 
\r\nUpon discovering a vulnerability in a target server, the group uploads a web shell to collect system information and conduct reconnaissance on the host network. They then enable the guest account, escalate its privileges to administrator level, and use this account to enable RDP. For persistence, they combine RDP access with SoftEther VPN, EasyTier (a decentralized virtual private network tool) and the FRP reverse proxy tool. Subsequently, the group performs further privilege escalation using shared tools to gain system-level permissions and install BadIIS malware. To secure their foothold, they deploy defense mechanisms to prevent other threat actors from compromising the same server or disrupting their setup.\r\nThis blog post provides a comprehensive overview of the campaign's victimology, including the regions affected and the potential consequences of BadIIS infections. It also details the attack chain, the automation scripts employed, and the malware and shared hacking tools UAT-8099 commonly uses.\r\nVictimology\r\nBased on Cisco's file census and DNS traffic analysis, the affected IIS server regions include India, Thailand, Vietnam, Canada and Brazil. The targeted IIS servers are owned by organizations such as universities, technology companies and telecommunications providers. The compromised IIS servers redirect users to unauthorized advertisements or illegal gambling websites. The languages used on these websites help identify the targeted regions or countries. While Talos observed that most victims were located within the same region as the compromised servers, some victims were affected when accessing compromised servers in different regions.\r\nFigure 1. Gambling websites in Thai, Portuguese and English.\r\nThe majority of their targets are mobile users, encompassing not only Android devices but also Apple iPhone devices.\r\nFigure 2. Gambling Android Package Kit (APK) download site.\r\nFigure 3. Gambling iOS app download site.\r\nAttack chain\r\nIn this campaign, the UAT-8099 group took advantage of weak settings in the web server's file upload feature.\r\nFigure 4. UAT-8099 attack chain flowchart.\r\nThe target web server allowed users to upload files but did not restrict the file type, which allowed UAT-8099 to upload a web shell. This established initial access and gave them control over the compromised server. The following is the detected location of the web shell used in this campaign, which is identified as the open-source “ASP.NET Web BackDoor” web shell:\r\nC:/inetpub/wwwroot/[REDACTED]/Html/hw/server.ashx\r\nAfter dropping the web shell, Talos observed the actor utilizing it to execute commands such as ipconfig, whoami, arp and tasklist to collect system information and discover the host network information. Once the collection of information is complete, UAT-8099 enables the guest account, sets a password, and elevates the guest user's privileges to administrator level, including the ability to access the system using RDP. Then, the actor uses another command to identify the network ports on which the TermService (Remote Desktop Services) process is actively listening. 
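Each of the account changes just described leaves a Windows Security event behind: 4722 when Guest is enabled, 4724 when its password is set, 4732 when it is added to Administrators or Remote Desktop Users, and 4720 when the hidden admin$ account is created later. The Python below is an added example, not code from the Talos post, that correlates those events into findings. It runs over a constructed event list with simplified fields: a plain Member name stands in for the MemberName/MemberSid pair of a real 4732 record, and an IIS APPPOOL subject domain is assumed for commands launched through the web shell.

```python
# Added example: correlate Windows Security events into the account-takeover
# pattern from Table 1. Input records are simplified dicts; a real collector
# would map them from the EventData fields of the event XML.
ADMIN_GROUPS = {'administrators'}
RDP_GROUPS = {'remote desktop users'}

def detect(events):
    findings = set()
    enabled, pw_reset, to_admin, to_rdp = set(), set(), set(), set()
    for e in events:
        eid = e['EventID']
        subject = e.get('SubjectUserName', '')
        target = e.get('TargetUserName', '')
        if eid == 4720:
            # net user <name> /add; a trailing $ hides the account from net user listings
            if target.endswith('$'):
                findings.add(('hidden-account-created', target))
        elif eid == 4722 and target.lower() == 'guest':
            # net user guest /active:yes; the built-in Guest should stay disabled
            enabled.add('guest')
            findings.add(('guest-enabled', subject))
        elif eid == 4724:
            # net user <name> <password>
            pw_reset.add(target.lower())
        elif eid == 4732:
            # for 4732 TargetUserName is the group; the member sits in Member here
            group, member = target.lower(), e['Member'].lower()
            if group in ADMIN_GROUPS:
                to_admin.add(member)
            elif group in RDP_GROUPS:
                to_rdp.add(member)
        if e.get('SubjectDomainName', '').upper() == 'IIS APPPOOL':
            # assumption: account changes made by a worker-process identity, as a
            # web shell running inside w3wp.exe would do
            findings.add(('account-change-by-apppool', subject))
    for acct in to_admin:
        findings.add(('added-to-administrators', acct))
        if acct == 'guest' and 'guest' in enabled:
            findings.add(('guest-turned-admin', acct))
        if acct.endswith('$'):
            findings.add(('hidden-admin-account', acct))
    for acct in to_admin & to_rdp:
        findings.add(('rdp-capable-admin', acct))
    for acct in pw_reset & enabled:
        findings.add(('password-set-on-enabled-guest', acct))
    return sorted(findings)

# Constructed sample mirroring the command sequence in Table 1.
SAMPLE_EVENTS = [
    {'EventID': 4722, 'TargetUserName': 'Guest', 'SubjectUserName': 'DefaultAppPool', 'SubjectDomainName': 'IIS APPPOOL'},
    {'EventID': 4724, 'TargetUserName': 'Guest', 'SubjectUserName': 'DefaultAppPool', 'SubjectDomainName': 'IIS APPPOOL'},
    {'EventID': 4732, 'TargetUserName': 'Administrators', 'Member': 'Guest', 'SubjectUserName': 'DefaultAppPool', 'SubjectDomainName': 'IIS APPPOOL'},
    {'EventID': 4732, 'TargetUserName': 'Remote Desktop Users', 'Member': 'Guest', 'SubjectUserName': 'DefaultAppPool', 'SubjectDomainName': 'IIS APPPOOL'},
    {'EventID': 4720, 'TargetUserName': 'admin$', 'SubjectUserName': 'Guest', 'SubjectDomainName': 'WEB01'},
    {'EventID': 4732, 'TargetUserName': 'Administrators', 'Member': 'admin$', 'SubjectUserName': 'Guest', 'SubjectDomainName': 'WEB01'},
]

if __name__ == '__main__':
    for rule, who in detect(SAMPLE_EVENTS):
        print(rule, who)
```

The findings are deliberately coarse: any addition to Administrators is reported, and the Guest and $-suffixed cases are escalated on top of it, because on an IIS host that is not a domain controller none of these changes should happen outside a change window.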
After enabling the guest account and RDP on the target IIS server, the actor created a hidden account “admin$” (account names ending in “$” are omitted from net user listings) and added it to the Administrators group for long-term persistence.\r\nCommand -> MITRE\r\ncmd /c net user guest /active:yes \u0026 net user guest P@ssw0rd \u0026 net localgroup administrators guest /add \u0026 net localgroup Remote Desktop Users guest /add -> T1136.001\r\ncmd /c cd /d C:/Windows/SysWOW64/inetsrv/\u0026for /f tokens=2 %i in ('tasklist /FI SERVICES eq TermService /NH') do netstat -ano | findstr %i | findstr LISTENING 2\u003e\u00261 -> T1049, T1007, T1057\r\ncmd /c net user admin$ P@ssw0rd /add -> T1136.001\r\ncmd /c net localgroup Administrators admin$ /add -> T1098\r\ncmd.exe /C net user test [REDACTED] /add -> T1136.001\r\ncmd.exe /C net localgroup administrators test /add -> T1098\r\nTable 1. Initial access, reconnaissance and addition of user credentials.\r\nTo maintain access to the target IIS server and install the BadIIS malware for SEO fraud, Talos observed the actor completing three steps to achieve persistence, escalate privileges, install malware and build a self-defense solution:\r\n1. UAT-8099 deploys SoftEther VPN, EasyTier (a decentralized virtual private network tool) and fast reverse proxy (FRP). This setup enabled them to use RDP remotely to control the server.\r\n2. The actor also leveraged a shared public tool to escalate privileges on the IIS server. They then used Procdump to dump LSASS memory for victim credentials, which was compressed with WinRAR together with the SAM and SYSTEM registry hives. We assess that these actions were taken to finalize the installation of BadIIS for their SEO fraud activities.\r\n3. The actor installed D_Safe_Manage, a well-known Windows IIS security tool, to prevent other attackers from compromising the server and tampering with their BadIIS setup.\r\nCommand -> MITRE\r\ncmd /c C:/Users/Public/Libraries/install_VPN.bat -> T1059.003\r\nC:\\Users\\Public\\Libraries\\mass.exe -c C:\\Users\\Public\\Libraries\\config.yaml -> T1133\r\ncmd.exe /C frpc.exe -c frpc.ini -> T1133\r\ncmd /c C:/Users/Public/Music/mess.exe /install -> T1133\r\nC:\\Users\\Public\\Videos\\a.exe -> T1548\r\nC:\\Users\\Public\\Videos\\D_Safe_Manage.exe -> N/A\r\nC:/Users/Public/Videos/xmiis32.dll -> T1496\r\nC:/Users/Public/Videos/xmiis64.dll -> T1496\r\nC:/Users/admin$/Desktop/procdump.exe -accepteula -ma lsass.exe lsass.dmp -> T1003\r\nC:\\Program Files\\WinRAR\\WinRAR.exe a -ep1 -scul -r0 -iext -- Videos.rar C:\\Users\\Public\\Videos\\system.hive C:\\Users\\Public\\Videos\\sam.hive -> T1560\r\nTable 2. Installation of tools, dumping user credentials for exfiltration and securing the installation.\r\nTalos observed UAT-8099 not only conducting SEO fraud but also stealing high-value credentials, configuration files and certificate data. After successfully compromising the target IIS server and deploying their BadIIS tool, their next step was to search for valuable credentials, configuration files, and certificate data within the compromised system.\r\nThe commands Talos observed indicate the actor uses RDP to access the IIS server. Once inside, they leverage the 'Everything' graphical user interface (GUI) tool, a fast filename search engine for Windows, to locate high-value data such as logs, credentials, configuration files and sensitive certificates. Upon identifying relevant files, the actor used Notepad to review the content and employed Windows Crypto Shell Extensions (via rundll32.exe cryptext.dll) to open and inspect .crt certificate files, examining their properties and details. Finally, all collected high-value files were consolidated into a hidden directory, specifically “Users\\admin$\\Desktop\\loade\\”. These files were then archived using WinRAR before being exfiltrated to the actor.\r\nCommand -> MITRE\r\nC:\\Users\\admin$\\Desktop\\Everything.exe -enable-run-as-admin -> T1083\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\[REDACTED]Log\\10-09-2024.txt -> T1005\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\[REDACTED]Log\\19-03-2025.txt -> T1005\r\nC:\\Windows\\system32\\NOTEPAD.EXE E:\\[REDACTED]-csr\\[REDACTED]-csr.txt -> T1649\r\nC:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER E:\\.[REDACTED]-csr\\STAR_[REDACTED]\\AAACertificateServices.crt -> T1649\r\nC:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER E:\\.[REDACTED]-csr\\STAR_[REDACTED]\\SectigoRSADomainValidationSecureServerCA.crt -> T1649\r\nC:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER E:\\.[REDACTED]-csr\\STAR_[REDACTED]\\STAR_[REDACTED].crt -> T1649\r\nC:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER E:\\.[REDACTED]-csr\\STAR_[REDACTED]\\USERTrustRSAAAACA.crt -> T1649\r\nC:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER E:\\AAACertificateServices.crt -> T1649\r\nC:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER E:\\SectigoRSADomainValidationSecureServerCA.crt -> T1649\r\nC:\\Windows\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER E:\\USERTrustRSAAAACA.crt -> T1649\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\Users\\admissionportal\\Desktop\\[REDACTED]_DB_UPDATE.txt -> T1528\r\nC:\\Program Files\\Notepad++\\notepad++.exe C:\\Users\\Administrator\\.gitconfig -> T1528\r\nC:\\Program Files\\Notepad++\\notepad++.exe C:\\Users\\Administrator\\.aws\\config -> T1528\r\nC:\\Program Files\\Notepad++\\notepad++.exe C:\\Users\\Administrator\\.aws\\credentials -> T1649\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\Users\\Administrator\\OneDrive - [REDACTED]\\website\\[REDACTED]-website\\.gitignore -> T1528\r\nC:\\Program Files\\Notepad++\\notepad++.exe C:\\Users\\Administrator\\AppData\\Roaming\\S3Browser\\accounts.xml -> T1528\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\Windows\\debug\\PASSWD.LOG -> T1528\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\inetpub\\wwwroot\\Html-[REDACTED]\\Html\\images\\passwd_web.xml -> T1528\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\Users\\[REDACTED]\\AppData\\Local\\Google\\Chrome\\d_emxqyvq\\ZxcvbnData\\3\\passwords.txt -> T1528\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\Users\\admin$\\AppData\\Roaming\\S3Browser\\logs\\s3browser-win32-2025-04-24-log.txt -> T1528\r\nC:\\Windows\\system32\\NOTEPAD.EXE C:\\Users\\admin$\\AppData\\Roaming\\S3Browser\\s3browser.settings-v3 -> T1528\r\nC:\\Program Files\\WinRAR\\WinRAR.exe x -iext -ow -ver -- C:\\Users\\admin$\\Desktop\\loade.zip C:\\Users\\admin$\\Desktop\\loade\\ -> T1560\r\nTable 3. Searching and preparing credentials and certificates for exfiltration.\r\nAutomation script used\r\nTalos also observed UAT-8099 dropping and executing three batch script files in some attacks to automate their tasks or to set up the compromised server for persistence and SEO fraud. The first script is for IIS module installation, as documented in the Talos DragonRank and Trend Micro blog posts.\r\nC:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\iis.bat\r\nFigure 5. Setting up the server for persistence and SEO fraud.\r\nThe second script configures RDP settings and related network activity on a Windows system: it reviews past RDP usage, the RDP listening port, the status of the RDP service and associated network activity, and configures the Windows firewall to allow RDP.\r\nC:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\fuck.bat\r\nFigure 6. Configuring RDP settings to allow incoming connections.\r\nThe third set of scripts establishes and immediately triggers a persistent, high-privilege scheduled task that runs “inetinfo.exe”, and then lists all system scheduled tasks. This inetinfo.exe is a legitimate file, the “WMI V2 provider code generation tool”, which the actor uses as a DLL sideloading host to run Cobalt Strike in memory. The detailed Cobalt Strike analysis is described in the next section.\r\nC:\\Windows\\system32\\cmd.exe /c C:\\ProgramData\\1.bat\r\nFigure 7. inetinfo.exe is used to sideload a Cobalt Strike beacon.\r\nUser-defined reflective loader of Cobalt Strike beacon\r\nTalos observed UAT-8099 utilizing Cobalt Strike as their backdoor in this campaign. They employed DLL sideloading to execute the backdoor and also established a scheduled task to maintain persistence on the compromised systems.\r\nFigure 9. Cobalt Strike beacon execution diagram.\r\nThe encrypted first-stage payload is embedded within the wmicodegen.dll file. When this DLL is loaded by the legitimate WMI V2 provider code generation tool, it uses the VirtualQuery API while preparing a block of memory for this first-stage payload (VirtualQuery itself only reports the state of a page range; it does not allocate).\r\nFigure 10. Uses VirtualQuery API to load first-stage payload.\r\nAfter decrypting the first-stage payload, we can see both the second-stage payload, combined with a small piece of shellcode, and the third-stage payload, which is encrypted and Base64-encoded.\r\nFigure 11. The second stage payload.\r\nJumping into the third-stage payload, we observed that it is a DLL file without its original PE header. We identified this third-stage payload as the User-Defined Reflective Loader (UDRL) for the Cobalt Strike beacon. The erased PE header and heavy obfuscation in each stage are consistent with the description in the Cobalt Strike User-Defined Reflective Loader blog. In addition, the machine-information collection structure matches the beacon structure, with fields such as listener name, computer name, username and process name. The listener name in this campaign is PUBG.\r\nFigure 12. Beacon structure with the listener name PUBG.\r\nMost importantly, the DLL file contains the strings “udrl.x64.dll” and “customLoader”, which also match the User-Defined Reflective Loader blog description. Using a C2 URL that mimics a legitimate content delivery network (CDN), along with ports and paths typical of Exchange servers, lets the attacker blend in with normal network traffic and avoid detection by security analysts.\r\nFigure 13. “udrl.x64.dll” and “customLoader” embedded.\r\nFigure 14. Beacon C2 connection information.\r\nNew BadIIS variant\r\nTalos' analysis of the BadIIS variants used in this campaign revealed functional and URL-pattern similarities to a variant previously documented in the Black Hat USA 2021 white paper and a Trend Micro blog. However, this new BadIIS malware has altered its code structure and functional workflow to evade detection by antivirus products. 
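Whatever the code changes, a native BadIIS module still has to be registered with IIS: the globalModules section of %windir%\\System32\\inetsrv\\config\\applicationHost.config points at the DLL, and in Table 2 those DLLs (xmiis32.dll, xmiis64.dll) live under C:\\Users\\Public\\Videos rather than under inetsrv. The Python below is an added audit, not code from the post, that parses that file and flags every global module whose image path is outside the trusted IIS and .NET directories or inside a user-writable location. The embedded configuration excerpt is constructed (single-quoted attributes and forward slashes keep it readable here; the normalizer also accepts the backslashes and %windir% of a real file).

```python
import xml.etree.ElementTree as ET

BS = chr(92)  # backslash, the Windows path separator
# Where legitimate native IIS modules live (compared after expanding %windir%
# and lowercasing); extend for third-party modules you have verified.
TRUSTED_PREFIXES = ('c:/windows/system32/inetsrv/', 'c:/windows/microsoft.net/')
# Locations a web shell or an RDP user can normally write to.
WRITABLE_HINTS = ('c:/users/', 'c:/programdata/', 'c:/inetpub/', 'c:/windows/temp/')

def normalize(image, windir='C:/Windows'):
    # Accept either separator and the %windir%/%SystemRoot% variables IIS uses.
    root = windir.replace(BS, '/').lower()
    path = image.replace(BS, '/').lower()
    return path.replace('%windir%', root).replace('%systemroot%', root)

def audit_global_modules(config_xml, windir='C:/Windows'):
    # Returns (module name, image attribute, reason) for every globalModules
    # entry whose DLL is not in a trusted directory.
    findings = []
    root = ET.fromstring(config_xml)
    for section in root.iter('globalModules'):
        for add in section.findall('add'):
            name, image = add.get('name', '?'), add.get('image', '')
            path = normalize(image, windir)
            if path.startswith(TRUSTED_PREFIXES):
                continue
            reason = 'user-writable-location' if path.startswith(WRITABLE_HINTS) else 'outside-inetsrv'
            findings.append((name, image, reason))
    return findings

# Constructed excerpt of applicationHost.config. A real file uses double-quoted
# attributes and backslashes; the normalizer handles both forms.
SAMPLE_CONFIG = '''<configuration>
  <system.webServer>
    <globalModules>
      <add name='UriCacheModule' image='%windir%/System32/inetsrv/cachuri.dll' />
      <add name='ManagedEngineV4.0_64bit' image='%windir%/Microsoft.NET/Framework64/v4.0.30319/webengine4.dll' />
      <add name='xmiis' image='C:/Users/Public/Videos/xmiis64.dll' />
    </globalModules>
  </system.webServer>
</configuration>'''

if __name__ == '__main__':
    import sys
    # Pass the path of applicationHost.config to audit a live server.
    text = open(sys.argv[1], encoding='utf-8-sig').read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, image, reason in audit_global_modules(text):
        print(reason, name, image)
```

A module that passes the path check can still be malicious (an attacker with SYSTEM can drop a DLL into inetsrv), so treat this as a triage filter and verify the signature and hash of anything it does not flag as well; running it from a scheduled baseline comparison also catches the case where the module is removed and re-added.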
Additionally, we identified several instances of the BadIIS malware on VirusTotal this year. One cluster exhibited very low detection rates and the other showed simplified Chinese debug strings inside the malware.\r\nFigure 15. First cluster of new BadIIS with low detection rates.\r\nFigure 16. Second cluster of new BadIIS with simplified Chinese debug strings.\r\nFirst cluster of new BadIIS\r\nThe first cluster of new BadIIS malware implements handlers named “CHttpModule::OnBeginRequest” and “CHttpModule::OnSendResponse”. Both handlers use the “User-Agent” and “Referer” fields from the incoming HTTP headers to determine which malicious function to execute. Specifically, this malware targets requests where the “User-Agent” is Googlebot or the “Referer” is google.com, so only crawler visits and users who reached the compromised website through Google search are affected. Below, we describe how the malicious functions, including proxy, injector and SEO fraud, are triggered.\r\nSEO manipulation schemes\r\nThe OnBeginRequest handler examines the “User-Agent” and “Referer” HTTP headers of each incoming request to decide between the proxy and injector responses. When the request is detected as originating from Googlebot and meets a specific URL path condition, the request is forwarded through the Proxy function. The targeted URL path pattern is as follows:\r\nnews|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|n\r\nAlternatively, if the request is not from Googlebot, the module checks whether it was referred by a Google search and whether the same URL path condition is satisfied, in which case it proceeds to inject JavaScript. 
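The OnBeginRequest/OnSendResponse decisions just described fit in a few lines, and the same logic is the basis of a cloaking check a defender can run against a suspect site: fetch the same URL once with a Googlebot User-Agent, once as a browser arriving from Google, once as a plain browser, and compare what comes back. The Python below is an added example, not the module's code. It models the first-cluster decision logic with the keyword list from the post, extracts off-site script sources (the jump.html/pg888.js style loads), and scores how different two response bodies are. The HTML bodies and the 203.0.113.10 address are constructed.

```python
import difflib
import re

# Keyword list from the first-cluster sample described above (the truncated
# trailing token is omitted).
PATH_PATTERN = re.compile('news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong', re.I)

def is_googlebot(user_agent):
    return 'googlebot' in user_agent.lower()

def from_google_search(referer):
    return 'google.' in referer.lower()

def on_begin_request(path, user_agent='', referer=''):
    # Model of OnBeginRequest: a crawler on a keyword path gets proxied C2
    # content; a human arriving from Google on a keyword path gets injected JS.
    if not PATH_PATTERN.search(path):
        return 'pass'
    if is_googlebot(user_agent):
        return 'proxy'
    if from_google_search(referer):
        return 'inject'
    return 'pass'

def on_send_response(status, user_agent='', referer=''):
    # Model of OnSendResponse: backlink HTML for the crawler on any path;
    # JS injection for humans from Google who land on a 404 or 500 page.
    if is_googlebot(user_agent):
        return 'seo'
    if from_google_search(referer) and status in (404, 500):
        return 'inject'
    return 'pass'

def script_sources(html):
    # src= values of <script> tags, accepting either quote character; no full
    # HTML parser so it also works on the truncated bodies a probe keeps.
    found = []
    for chunk in html.split('<script')[1:]:
        head = chunk.split('>', 1)[0]
        idx = head.find('src=')
        if idx < 0 or idx + 5 > len(head):
            continue
        quote = head[idx + 4]
        found.append(head[idx + 5:].split(quote, 1)[0])
    return found

def foreign_scripts(html, own_host):
    # Script loads from a host other than the site itself.
    return [s for s in script_sources(html) if '://' in s and own_host.lower() not in s.lower()]

def cloaking_score(body_as_bot, body_as_user):
    # 1.0 means identical; a low ratio means crawler and human got different pages.
    return difflib.SequenceMatcher(None, body_as_bot, body_as_user).ratio()

# Constructed bodies: a clean page and the same page with an injected C2 load.
Q = chr(34)  # double-quote character used in the constructed HTML
CLEAN_PAGE = '<html><head><title>Admissions</title></head><body><h1>Welcome</h1></body></html>'
INJECTED_PAGE = CLEAN_PAGE.replace('</body>', '<script src=' + Q + 'http://203.0.113.10/jump.html' + Q + '></script></body>')

if __name__ == '__main__':
    print(on_begin_request('/casino/bonus.html', 'Mozilla/5.0 (compatible; Googlebot/2.1)'))
    print(foreign_scripts(INJECTED_PAGE, 'www.example.edu'))
    print(round(cloaking_score(CLEAN_PAGE, INJECTED_PAGE), 2))
```

For a live check, fetch the same keyword-matching path three times with curl, setting the User-Agent with -A and the Referer with -e, and feed the bodies to cloaking_score and foreign_scripts; a page that differs only for the Googlebot fetch, or that gains an off-site script only when the Referer is google.com, is behaving exactly as the proxy and injector modes above.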
The injected JavaScript embeds a C2 URL such as “http://[C2]/jump.html” or “http://[C2]/pg888.js”. This injection lets the actor control users' browsers by loading scripts from the C2 server.\r\nFigure 17. OnBeginRequest handler.\r\nFigure 18. Proxy mode.\r\nFigure 19. Injector mode.\r\nThe OnSendResponse handler first performs SEO fraud by delivering specific content from the C2 server to requests where the “User-Agent” is Googlebot, manipulating search rankings to increase the visibility of the malicious content. This C2 content typically comes from a URL like “http://[C2]/u.php”. Subsequently, the function targets human users by conditionally injecting JavaScript when a request comes from a Google search and results in a 404 or 500 error page.\r\nFigure 20. OnSendResponse handler.\r\nFigure 21. SEO fraud mode.\r\nTechnical highlights of each mode\r\nProxy mode\r\nWhen operating in proxy mode, BadIIS first verifies the URL path to ensure it is running in the correct mode. It then extracts the embedded C2 server address, which is encoded as hexadecimal bytes, and uses this C2 as a proxy to retrieve content from a secondary C2 server, which it then returns through the IIS server.\r\nFigure 22. Use C2 server as a proxy.\r\nBefore responding to the Google crawler, it modifies the response data to resemble a valid HTTP response and uses the native HTTP module API “WriteEntityChunks” to insert data into the body of the HTTP response.\r\nFigure 23. Using “WriteEntityChunks” to insert data into the body of the HTTP response.\r\nSEO fraud mode\r\nTalos identified that the actor employs a conventional SEO technique known as backlinking to boost website visibility. Google's search engine uses backlinks to discover additional sites and assess keyword relevance. A higher number of backlinks increases the likelihood of Google crawlers visiting a site, which can accelerate ranking improvements and enhance exposure for the webpages. However, simply accumulating backlinks without regard to quality can lead to penalties from Google; algorithms like Penguin, introduced in 2012, and SpamBrain, launched in 2022, rigorously evaluate backlink quality. To get around this, the actor compromises multiple reputable IIS servers across the internet to conduct SEO fraud, so the backlinks appear to come from trusted sites. In this SEO fraud mode, BadIIS serves numerous backlinks with HTML content to Google crawlers to improve search engine rankings.\r\nFigure 24. Retrieving backlinks containing HTML content.\r\nOne example of a backlink from the C2 server is shown in Figure 25, with additional compromised IIS servers performing similar backlink SEO fraud.\r\nFigure 25. Backlinks from the C2 server.\r\nInjector mode\r\nIn injector mode, BadIIS intercepts browser requests originating from Google search results. It connects to the C2 server to retrieve JavaScript code, then uses the “WriteEntityChunks” API to embed the downloaded JavaScript into the HTML content of the response. It then returns the altered response, which redirects the user to the destination intended by the actor.\r\nFigure 26. Injecting JavaScript code into response data.\r\nFigure 27. Fetching JavaScript code from C2 server.\r\nBadIIS retrieves malicious JavaScript code from a C2 server and redirects users to malicious websites instead of legitimate ones. Not embedding the JavaScript code directly in the binary allows easier modification of the redirect targets and helps evade detection by antivirus security products. The script shows a brief loading message before automatically redirecting the user to a malicious site. The redirect function and alert message vary across different C2 servers; some scripts reference two C2 servers and randomly select one with 50% probability. Additionally, the alert message language is tailored to match the target region of the user.\r\nFigure 28. JavaScript code with alert message in Portuguese.\r\nFigure 29. Two different C2 servers in JavaScript code.\r\nSecond cluster of new BadIIS\r\nThe second cluster of the new BadIIS malware also includes handlers named “CHttpModule::OnBeginRequest” and “CHttpModule::OnSendResponse”. In this cluster, OnBeginRequest is used as a decision point that executes before any intensive processing occurs, while OnSendResponse handles output modification to ensure that no other module can override the redirect. This cluster also features three modes: SEO fraud mode, injector mode and proxy mode. Notably, the injector and proxy modes operate under the SEO fraud mode umbrella, which itself has four variants tailored to different scenarios:\r\nAll interface hijacking targets all webpages on the webserver, replacing original content for both search engine crawlers and users.\r\nFigure 30. All interface hijacking.\r\nHomepage hijacking targets only the homepage, substituting its content for search engine crawlers and users.\r\nFigure 31. Homepage hijacking.\r\nGlobal reverse proxy configures a proxy to automatically replace content for search engine crawlers and users on every URL path.\r\nFigure 32. Global reverse proxy.\r\nSpecify URL path reverse proxy configures a proxy that replaces content for search engine crawlers and users only on requests whose URL path matches the configured pattern.\r\nFigure 33. Specify URL path reverse proxy.\r\nThe URL path pattern, referred to as “Tezhengma” (pinyin for 特征码, “signature”) in the actor's debug strings, comes in multiple versions. Some of these versions partially match the patterns found in the first cluster of BadIIS malware.\r\nxxm|dabo|lingdu|images\r\ncash|bet|gambling|betting|casino|fishing|deposit|bonus\r\nnews|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap\r\nnews|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|n\r\napp|news|ios|android|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|qsj|rna|muv|zop|v\r\nThe injector mode injects JavaScript in each SEO fraud type when the User-Agent and Referer headers do not match the crawler criteria (that is, for a human visitor arriving from a search engine rather than for a crawler). The algorithm is the same as in the first cluster of BadIIS: it checks the User-Agent to identify search engine crawlers and the Referer to determine whether the user arrived from an expected source.\r\nUser-Agent (search engine crawlers): Baiduspider, Sogouspider, Sogou web spider, 360spider, YisouSpider, Googlebot, Bingbot, BingPreview, MicrosoftPreview\r\nReferer (search engine sources): baidu, sogou, sm[.]cn, 360, so[.]com, toutiao, google, bing\r\nTable 4. Combination of User-Agent and Referer headers used for injecting JavaScript to redirect the browser.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for the threats are: 65346, 65345\r\nClamAV detections are also available for this threat:\r\nWin.Malware.SysShell-10058032-0\r\nWin.Malware.NewBadIIS-10058033-0\r\nWin.Malware.BadIISCR45-10058034-0\r\nWin.Malware.WebShellCn-10058035-0\r\nWin.Packed.CSBeaconCn-10058036-0\r\nIndicators of compromise (IOCs)\r\nThe IOCs can also be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/"
	],
	"report_names": [
		"uat-8099-chinese-speaking-cybercrime-group-seo-fraud"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0e62ad61-c51d-460e-a587-b11d17bb2fb3",
			"created_at": "2024-10-04T02:00:04.754794Z",
			"updated_at": "2026-04-10T02:00:03.712878Z",
			"deleted_at": null,
			"main_name": "DragonRank",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonRank",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d33d51a-e365-4768-89f7-8be2d174e2c8",
			"created_at": "2026-02-04T02:00:03.70754Z",
			"updated_at": "2026-04-10T02:00:03.950274Z",
			"deleted_at": null,
			"main_name": "UAT-8099",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-8099",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775792183,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d87806e66bdf36224e2880dd3d2962b97749dac.pdf",
		"text": "https://archive.orkl.eu/8d87806e66bdf36224e2880dd3d2962b97749dac.txt",
		"img": "https://archive.orkl.eu/8d87806e66bdf36224e2880dd3d2962b97749dac.jpg"
	}
}