{
	"id": "d0fb2312-a9e6-4b31-be80-8fcaa7c8afe0",
	"created_at": "2026-04-06T00:21:42.408863Z",
	"updated_at": "2026-04-10T13:11:59.263732Z",
	"deleted_at": null,
	"sha1_hash": "eacdf4292acf782e604c8a250955b3a0d0a1b630",
	"title": "Dissecting UAT-8099: New persistence mechanisms and regional focus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1757307,
	"plain_text": "Dissecting UAT-8099: New persistence mechanisms and regional\r\nfocus\r\nBy Joey Chen\r\nPublished: 2026-01-29 · Archived: 2026-04-05 13:25:07 UTC\r\nThursday, January 29, 2026 06:00\r\nCisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that\r\nis targeting vulnerable Internet Information Services (IIS) servers across Asia with a specific focus on\r\nvictims in Thailand and Vietnam.\r\nAnalysis confirms significant operational overlaps between this activity and the WEBJACK campaign.\r\nThese overlaps include critical indicators of compromise such as malware hashes, command and control (C2) infrastructure, and\r\nvictimology.\r\nUAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting\r\nthe threat actor remote access to vulnerable IIS servers.\r\nNew variants of BadIIS now hardcode the target region directly into the malware, offering customized\r\nfeatures for each specific variant. These customizations include exclusive file extensions, corresponding\r\ndynamic page extensions, directory indexing configurations, and the ability to load HTML templates from\r\nlocal files.\r\nA Linux Executable and Linkable Format (ELF) variant of BadIIS was uploaded to VirusTotal on Oct.\r\n1, 2025. The malware includes proxy mode, injector mode, and search engine optimization (SEO) fraud\r\nmode, similar to what Talos described in the previous UAT-8099 blog.\r\nUAT-8099 new activity\r\nhttps://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/\r\nPage 1 of 17\n\nCisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of\r\nCisco's file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan,\r\nThailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. 
Furthermore, this\r\nactivity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations\r\nacross malware hashes, C2 infrastructure, victimology, and the promoted gambling sites.\r\nFigure 1. Content for crawlers.\r\nWhile the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS\r\nservers, their operational strategy has evolved significantly. First, this latest campaign marks a shift in their black\r\nhat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities\r\nand legitimate tools to evade detection and maintain long-term persistence.\r\nInfection chain\r\nUpon gaining initial access, the threat actor executes standard reconnaissance commands, such\r\nas whoami and tasklist, to gather system information. Following this, they deploy VPN tools\r\nand establish persistence by creating a hidden user account named “admin$”. UAT-8099 has further expanded\r\ntheir arsenal with several new tools, listed below:\r\nSharp4RemoveLog: A .NET utility designed to clear all Windows event logs, effectively erasing forensic\r\ntraces.\r\nCnCrypt Protect: A Chinese-language file-protection utility. In this intrusion activity, it is abused to hide\r\nmalicious files and facilitate dynamic-link library (DLL) redirection. This tool has been linked\r\nto previous IIS attacks since 2024, including SEO fraud campaigns targeting Vietnam and China, as well as\r\nthe WEBJACK campaign.\r\nOpenArk64: An open source anti-rootkit. The threat actor uses its kernel-level access to terminate security\r\nproduct processes that are otherwise protected from deletion.\r\nGotoHTTP: An online remote control tool. The threat actor uses VBScript to deploy this tool, giving them\r\nremote control of the compromised server. 
Talos provides more detail in the following section.\r\nSubsequently, the threat actor deploys two archive files containing the latest version of\r\nthe BadIIS malware. Notably, the file names of these archives are correlated with the specific geographic regions\r\ntargeted by the BadIIS malware; for example, “VN” denotes Vietnam and “TH” denotes Thailand.\r\nC:/Users/admin$/Desktop/TH.zip\r\nC:/Users/admin$/Desktop/VN.zip\r\nFollowing the publication of our previous research, Cisco Security products have widely\r\nflagged the “admin$” account name. In response, if this name is blocked, the threat actor creates a new user\r\naccount named “mysql$” to maintain access and sustain the BadIIS SEO fraud service.\r\nFigure 2. New user account named “mysql$”.\r\nUsing the newly created account, the threat actor redeploys the updated BadIIS malware to the\r\ncompromised machines. Notably, this marks a strategic shift from broad, global targeting to specific regional\r\nfocus. This is evidenced by the directory naming conventions for the malware and its scripts, which use identifiers\r\nsuch as “VN” for Vietnam and “newth” for Thailand.\r\nC:/Users/mssql$/Desktop/VN/fasthttp.dll\r\nC:/Users/mssql$/Desktop/VN/cgihttp.dll\r\nC:/Users/mssql$/Desktop/VN/install.bat\r\nC:/Users/mssql$/Desktop/VN/uninstall.bat\r\nC:/Users/mssql$/Desktop/newth/iis32.dll\r\nC:/Users/mssql$/Desktop/newth/iis64.dll\r\nC:/Users/mssql$/Desktop/newth/install.bat\r\nC:/Users/mssql$/Desktop/newth/uninstall.bat\r\nAdditionally, Talos observed the UAT-8099 threat actor attempting to create alternative hidden accounts\r\nto maintain persistence. The specific commands used to create these accounts and execute subsequent actions are\r\ndetailed in Figures 3a, 3b, and 3c.\r\nFigure 3a. New “admin1$” user account.\r\nFigure 3b. New “admin2$” user account.\r\nFigure 3c. New “power$” user account. 
\r\nTalos has observed several instances where UAT-8099 uses a web shell to execute PowerShell commands,\r\nwhich subsequently download and run a malicious VBScript. This script is designed to deploy the GotoHTTP tool\r\nand exfiltrate the “gotohttp.ini” configuration file to the C2 server. This enables the threat actor to obtain the\r\nconnection ID and password necessary to remotely control the infected server.\r\nFigure 4. Executed commands to remotely control the infected server.\r\nThe malicious script contains multiple functions, each annotated by the threat actor using Simplified Chinese and\r\nPinyin comments. We provide a detailed analysis of these functions below.\r\nThe code begins by initializing key parameters, including the download and upload URLs, file paths, and the\r\nexpected file size of “gotohttp.exe”. Notably, this initialization section is marked with the\r\ncomment “dingyichangliang” (定义常量), which translates to “Define Constants.”\r\nFigure 5. Setup of the constant parameters.\r\nThe first functional block is marked with the comment “xiazaiwenjian” (下载文件), which translates\r\nto “Download File.” In this section, the code uses an HTTP GET request to download the GotoHTTP tool,\r\nsaving it to the public folder as “xixixi.exe”.\r\nFigure 6. Downloading the GotoHTTP tool to the infected server.\r\nThe second and third function blocks are marked with the comments “jianchawenjian” (检查文件) and “jianchawenjian” (检查文件大小), translating to “Check File” and “Check File Size,” respectively. In\r\nthese sections, the code verifies the integrity of the downloaded GotoHTTP tool by ensuring the file size exceeds\r\nthe threshold defined in the previous block. 
If the validation fails, the script sends an error message to the C2\r\nserver, reporting either “xiazaishibai” (下载失败 - Download Failed) or “daxiaobudui” (大小不对 - Incorrect\r\nSize).\r\nFigure 7. Checking that the GotoHTTP tool exists and its size is correct.\r\nThe fourth and fifth function blocks are marked with the comments “zhixingwenjian” (执行文件) and “jianchajieguo” (检查结果), translating to “Execute File” and “Check Result,” respectively. In these\r\nsections, the code executes the GotoHTTP tool in a hidden window without waiting for the process\r\nto terminate. Notably, the code uses Chr(34) to represent quotation marks, as indicated by the comments. This\r\ntechnique is employed to avoid syntax errors caused by improper escaping; using Chr(34) allows the insertion of\r\nthe double-quote character without breaking the code structure.\r\nFollowing a five-second sleep delay, the script attempts to upload the “gotohttp.ini” file to the C2 server. If the file\r\nis missing, it sends the error message “gotohttp.ini bucunzai” (gotohttp.ini 不存在 - gotohttp.ini does not exist).\r\nFigure 8. Executing the GotoHTTP tool and uploading the configuration file.\r\nThe last function block is marked with the comment “qingli” (清理), translating to “Clean.” This section\r\ncleans up all the COM objects.\r\nFigure 9. Cleaning up COM objects.\r\nTwo new BadIIS variants targeting specific regions\r\nSince September 2025, Talos has observed two new variants of BadIIS appearing in the wild, both utilized for\r\nSEO fraud. While other vendors have observed this malware, this section provides a deep analysis based on our\r\nreverse engineering and infection chain assessment. 
We have determined that UAT-8099 customizes these new\r\nBadIIS clusters to target specific regions. The first cluster, which we have named BadIIS IISHijack, derives its\r\nname from the original malware file name. The second cluster, BadIIS asdSearchEngine, is named after the PDB\r\nstrings observed within the sample.\r\nE:\\原生DLL\\SearchEngine\\Release\\SearchEngine.pdb\r\nC:\\Users\\qwe\\source\\repos\\Dll1dasd\\x64\\Release\\Dll1dasd.pdb\r\nBadIIS IISHijack primarily targets victims in Vietnam. This variant explicitly embeds the country code within its\r\nsource code and creates a specifically named directory when the malware drops into the victim’s machine.\r\nFigure 10. BadIIS IISHijack version.\r\nBadIIS asdSearchEngine malware focuses on targets in Thailand or users with Thai language preferences. By\r\nusing the CHttpModule::OnBeginRequest handler, the malware hijacks incoming HTTP traffic and analyzes\r\nheaders such as “User-Agent” and “Referer” to determine its next move. A key addition to this version is the use\r\nof the “Accept-Language” header to verify the target region.\r\nFigure 11. Thai tag for the “Accept-Language” field.\r\nWhen an infected IIS server receives a request, the malware first filters the file path. If the path contains an\r\nextension on its exclusion list, it ignores the request to preserve static resources. Next, it checks the “User-Agent” to see if the visitor is a search engine crawler (e.g., Googlebot, sogu, 360spider, or Baiduspider). If\r\nconfirmed, the crawler is redirected to an SEO fraud site. However, if the visitor is a standard user and the\r\nmalware verifies that the “Accept-Language” field indicates Thai, it injects HTML containing a malicious\r\nJavaScript redirect into the response.\r\nWe have identified three distinct variants within this BadIIS cluster. 
While they share the core workflow described\r\nabove, each possesses unique features, which are detailed in the following section. Moreover, to evade detection,\r\nsome specific variants employ XOR encryption (key 0x7A) to obfuscate their C2 configuration and malicious\r\nHTML content.\r\nFigure 12. Evading detection with XOR encryption.\r\nFigure 13. The injected JavaScript code.\r\nExclusive multiple extensions variant\r\nWhile many variants employ extensive exclusion lists, the specific extensions targeted can differ between\r\nthem. For the purpose of this analysis, we will use a representative example to illustrate the general functionality\r\nand strategy. Before executing its malicious payload, the new BadIIS variant inspects the URL path for specific\r\nfile extensions. This filtering mechanism serves three strategic objectives:\r\nThe extensions (.png, .jpg, .css, .js, .woff, .ttf, .eot, and .otf) are critical for a website's appearance, layout,\r\nand interactive features. If the BadIIS were to indiscriminately redirect or tamper with requests for these\r\nessential assets, the website would quickly appear broken to users and administrators.\r\nThe BadIIS likely uses filtering based on document type extensions (.pdf, .txt, .xml, .json, .doc, .docx,\r\n.xls, and .xlsx) and web-related file extensions (.manifest, .appcache, .webmanifest,\r\n.robots, and .sitemap) to focus its malicious injections (e.g., hidden links, keywords, malicious scripts) or\r\nredirects specifically on HTML pages or other content types that contribute to SEO rankings or user\r\ninteraction, while leaving static assets untouched.\r\nThe archive extensions (.zip, .rar, .7z, .tar, .gz) are filtered so that the BadIIS can conserve resources.\r\nFigure 14. 
Extensions list for filtering.\r\nDynamic page extension/directory index variant\r\nAnother variant of BadIIS adds a validation function that checks if a requested path corresponds to a dynamic\r\npage extension or a directory index. This determines whether the request is routed to the malware's dynamic\r\nprocessing flow.\r\nWe assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting\r\nwhile maintaining stealth. Since SEO poisoning relies on injecting JavaScript links into pages that search engines\r\ncrawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most\r\neffective. Furthermore, by not hooking other file types, the malware avoids processing\r\nincompatible static files, thereby preventing the generation of suspicious server error logs.\r\nFigure 15. Requested path corresponds to a dynamic page extension or a directory index.\r\nLoad HTML templates variant\r\nThe last variant of BadIIS contains a sophisticated HTML template generation system that dynamically creates\r\nweb content. It has a content generator that can load templates from disk or use embedded fallbacks, then\r\nperforms extensive placeholder replacement with random data, dates, and URL-derived content.\r\nFigure 16. Template file paths to try loading from disk.\r\nIf no template files are found on the host, the BadIIS generates a response using an embedded HTML template,\r\npopulating a date placeholder with the local system time. Notably, the variable names within this HTML template\r\nare written in Chinese Pinyin. 
Below, Talos provides detailed translations of these variables. Analyzing these\r\nnames allows us to accurately determine how the dynamic template leverages keywords to facilitate SEO fraud.\r\nFigure 17. Embedded HTML template.\r\nHead section\n{biaoti}: The browser tab title; substituted from {biaoti} (“标题”, title).\nSEO description: {shoudongmiaoshu} (“手动描述”, manual description).\nSEO keywords: {guanjianci} (“关键词”, keywords).\nBody section\n“Welcome to {biaoti}”: Main heading, repeats the title.\n“{shoudongmiaoshu}”: A paragraph with the manual description.\n“Current URL: {gudinglianjie}”: Shows the fixed/current link; {gudinglianjie} (“固定链接”, permalink).\n“Date: {riqi}”: The date; {riqi} (“日期”, date).\n“Contact: {suijirenming1}”: A contact name; {suijirenming1} (“随机人名”, random person name).\n“{suijiduanluo1}”: A block of content; {suijiduanluo1} (“随机段落”, random paragraph).\nThe keywords that UAT-8099 intends to promote are directly embedded within\nthe BadIIS malware. BadIIS utilizes these keywords to populate page titles and generate HTML content,\nthereby facilitating SEO fraud. The screenshot below captures a representative sample of these keywords;\nhowever, the complete list embedded within the malware is significantly more extensive.\nFigure 18. SEO fraud keywords.\r\nLinux BadIIS variant found on VirusTotal\r\nTalos also identified an ELF variant of BadIIS submitted to VirusTotal that exhibits functionality identical to the\r\nsamples described in Talos' previous blog post, including the proxy, injector, and SEO fraud modes.\r\nFurthermore, the malware's hardcoded C2 servers share the same domain we previously documented. 
Based on\r\nthese indicators, we assess with high confidence that this malware is attributable to UAT-8099.\r\nFigure 19. BadIIS ELF version code flow, with three modes.\r\nBelow is the targeted URL path pattern, which is identical to the pattern in our previous UAT-8099 post.\r\nnews|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|n\r\nWhile the behavior and URL path signature match our previous report, there is a key difference between this\r\nELF BadIIS variant and the older BadIIS. Unlike the previous version, which targeted numerous search engines,\r\nthis variant targets only three. The target search engines are shown as follows.\r\nCoverage\r\nClamAV detections are also available for this threat:\r\nWin.Malware.Tedy-10059198-0\r\nWin.Trojan.Crypter-10059205-0\r\nWin.Trojan.BadIIS-10059191-0\r\nUnix.Trojan.BadIIS-10059196-0\r\nWin.Trojan.IISHijack-10059197-0\r\nWin.Malware.Remoteadmin-10059206-0\r\nWin.Packed.Zpack-10059207-0\r\nTxt.Trojan.BadIIS-10059202-0\r\nThe following Snort rules (SIDs) detect and block this threat:\r\nSnort2: 65712, 65713, 65710, 65711, 65708, 65709, 65707, 65706\r\nSnort3: 301378, 301377, 301376, 65707, 65706\r\nIndicators of compromise (IOCs)\r\nThe IOCs for this threat are available at our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/"
	],
	"report_names": [
		"uat-8099-new-persistence-mechanisms-and-regional-focus"
	],
	"threat_actors": [
		{
			"id": "8d33d51a-e365-4768-89f7-8be2d174e2c8",
			"created_at": "2026-02-04T02:00:03.70754Z",
			"updated_at": "2026-04-10T02:00:03.950274Z",
			"deleted_at": null,
			"main_name": "UAT-8099",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-8099",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eacdf4292acf782e604c8a250955b3a0d0a1b630.pdf",
		"text": "https://archive.orkl.eu/eacdf4292acf782e604c8a250955b3a0d0a1b630.txt",
		"img": "https://archive.orkl.eu/eacdf4292acf782e604c8a250955b3a0d0a1b630.jpg"
	}
}