Daily NewsCyber Crime & Forensic

China Again? Cisco Talos Researchers Say UAT-8099 Targeting IIS Servers in Asia

Marking a Shift in Black Hat SEO Tactics

Cybersecurity researchers at Cisco Talos have uncovered a new malware campaign by the threat actor UAT-8099. This campaign, which supposedly took place between late 2025 and early this year, specifically targeted vulnerable Internet Information Services (IIS) servers located across Asia, notably targets in Thailand and Vietnam.

“UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers,” said Joey Check, a Security Researcher for Cisco Talos, whose researchers previously discovered the China-Nexus Group UAT-7290.

The company first documented this threat in October 2025 after UAT-8099 compromised IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimisation (SEO) fraud. The attacks involve infecting the servers with malware called BadIIS.

UAT-8099 is said to be of Chinese origin, with its first attacks dating back to April 2025. Its attack MO allegedly shares notable similarities with another BadIIS campaign codenamed WEBJACK by Finnish cybersecurity vendor WithSecure. However, UAT-8099’s latest campaign focused on compromising IIS servers located in India, Pakistan, Thailand, Vietnam, and Japan, with a “distinct concentration of attacks” in Thailand and Vietnam, in particular.

“While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly,” Talos explained. “First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence.”

How the UAT-8099 Attack Takes Place

According to Cisco Talos, the UAT-8099 attack chain begins with the threat actor gaining initial access to an IIS server by exploiting either a security vulnerability or weak settings in the web server’s file upload feature. UAT-8099 then initiates a series of steps to deploy the malware:

  • Gather system information by executing discovery and reconnaissance commands.
  • Create a hidden user account—“admin$”—to deploy VPN tools and establish persistence.
  • Install tools like Sharp4RemoveLog (remove Windows event logs), CnCrypt Protect (hide malicious files), OpenArk64 (open-source anti-rootkit to terminate security product processes), and GotoHTTP (remote control of server).
  •  Use admin$ to deploy BadIIS.

UAT-8099

This attack chain has notably evolved over time, just as security products began flagging the admin$ account. As a workaround, UAT-8099 first checks if the name is blocked; if so, it uses a different name—mysql$—to create the hidden account, maintain access, and run the BadIIS SEO fraud service without any interruption. Additionally, the threat actor is continuously creating more hidden accounts to ensure persistence.

The objective of BadIIS, according to Cisco Talos, is to scan incoming requests to IIS servers to check if the visitor is a search engine crawler. If so, it is redirected to an SEO fraud site. However, if the request is from a regular user and the Accept-Language header in the request indicates Thai, it injects HTML containing a malicious JavaScript redirect into the response.

“Since SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most effective,” said Cisco Talos. “Furthermore, by restricting hooks to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs.”

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *