Cybersecurity researchers have uncovered a fresh hacking campaign tied to a China-linked threat actor known as UAT-8099, active from late 2025 through early 2026.
The operation, revealed by Cisco Talos, focused on breaking into vulnerable Microsoft Internet Information Services (IIS) servers across parts of Asia. While systems in several countries were affected, investigators said there was a clear concentration of attacks in Thailand and Vietnam, though the full size of the campaign remains unclear.
How UAT-8099 Gains Control of IIS Servers
According to Cisco Talos researcher Joey Chen, the attackers rely heavily on web shells and PowerShell-based execution to run malicious scripts and deploy a remote-access utility called GotoHTTP. Once installed, this tool gives the actor sustained control of compromised IIS systems.
Talos previously reported on UAT-8099 in October 2025, when the group was linked to attacks using IIS servers in countries such as India, Thailand, Vietnam, Canada, and Brazil. Those earlier compromises were connected to SEO fraud activities powered by a known IIS malware family called BadIIS.
China-Link and Connections to Other BadIIS Activity
Cisco Talos assesses UAT-8099 to be China-based, with activity traced back to at least April 2025.
The latest findings also appear to overlap with another BadIIS campaign previously tracked by WithSecure under the name WEBJACK. Similarities include shared tooling, command-and-control infrastructure, and target patterns.
Campaign Shift: More Regional, More Stealthy
In this newer campaign, compromised IIS servers were found in:
- India
- Pakistan
- Thailand
- Vietnam
- Japan
But Talos emphasized that Thailand and Vietnam were the main hot zones.
Researchers said the group has also evolved its approach. Instead of relying only on obvious malware, UAT-8099 is increasingly mixing legitimate tools and red-team-style utilities, making detection harder while supporting long-term persistence.

Attack Chain Breakdown
Talos described a consistent attack flow that begins with initial access—either through:
- exploitation of an IIS vulnerability, or
- misconfigured/weak file upload settings on the server
Once inside, UAT-8099 executes a series of actions designed to fully take control of the environment:
- Recon and discovery commands to gather system details
- Installation of VPN tools and persistence mechanisms
- Creation of hidden Windows user accounts (used for access and malware execution)
- Deployment of multiple tools, including:
  - Sharp4RemoveLog (log deletion)
  - CnCrypt Protect (file concealment)
  - OpenArk64 (used to disrupt/kill security tool processes)
  - GotoHTTP (remote access)
- Installation of BadIIS malware using the newly created access accounts
Hidden Account Trick: admin$ → mysql$
Talos noted that the actor originally relied on a stealthy account named “admin$”.
But as security tools started detecting or blocking that name, the threat actor adapted. The attackers now check whether “admin$” is restricted—then switch to a new hidden account called “mysql$” to keep their access alive and ensure the BadIIS service continues to run without interruption.
In some cases, Talos observed additional hidden accounts created as backups for persistence.

GotoHTTP Used for Remote Control
Another shift in this campaign is the increased use of GotoHTTP for remote access.
Talos said the tool is launched using a Visual Basic Script (VBS) dropped on the server. That VBS script itself is downloaded via PowerShell, which is executed after web shell deployment—showing a layered process designed to quietly establish full control.
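The chain described above (web shell, then PowerShell, then a VBS launcher) leaves a process-lineage trace on the server: the IIS worker process w3wp.exe becomes the ancestor of a command interpreter and a script host. The following is an added detection example, not code from the article or from Talos. It walks a set of process-creation events and reports any cmd/PowerShell/script-host process whose ancestry passes through w3wp.exe. The event records are constructed for illustration and the field names (pid, ppid, image) are an assumption; a real Sysmon Event ID 1 export would need its ProcessId/ParentProcessId/Image columns mapped onto them.

```python
"""Flag script hosts and shells whose ancestry runs through the IIS worker process.

Added example; event records below are constructed, not taken from the article.
"""

# Constructed sample events (assumed field names pid/ppid/image). pids 200-500
# model the chain on the page: w3wp.exe -> cmd.exe -> powershell.exe -> wscript.exe.
# pids 600-700 model a benign admin PowerShell session started from explorer.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 600, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

WEB_WORKER = "w3wp.exe"
# Interpreters and script hosts that should rarely, if ever, run under an IIS worker.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, limit=32):
    """Image basenames from pid up to the root, bounded against cycles and bad data."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(basename(event["image"]))
        pid = event["ppid"]
    return chain


def find_web_worker_script_chains(events):
    """Return (pid, chain) for each suspicious process descended from w3wp.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if basename(event["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(event["pid"], by_pid)
        # chain[0] is the process itself; look for the worker among its ancestors.
        if WEB_WORKER in chain[1:]:
            hits.append((event["pid"], " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, chain in find_web_worker_script_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```

On the constructed events this reports pids 300, 400 and 500 and stays silent on the admin session (pid 700). A production rule would typically alert on the first suspicious child of w3wp.exe rather than on every descendant, and would add the application pool identity (cs-username or the token's SID) to distinguish legitimate application-launched helpers from an interactive web shell.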
BadIIS Gets Region-Specific: Vietnam and Thailand Variants
Researchers also found two newer BadIIS variants tailored for specific regions:
- BadIIS IISHijack → focused on Vietnam-based victims
- BadIIS asdSearchEngine → focused on Thailand targets and Thai-language users
What BadIIS Actually Does
BadIIS is mainly used for SEO poisoning / SEO fraud, meaning the attacker hijacks web traffic to manipulate search engine rankings and redirect crawlers.
In simple terms:
- If the visitor is a search engine crawler, the malware redirects it to SEO scam infrastructure
- If the visitor is a real user, the malware checks the browser’s language settings
- If the request indicates Thai language preferences, it injects malicious HTML and JavaScript into the response and forces a redirect
This approach helps attackers profit from traffic manipulation while staying invisible to many normal visitors.
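The crawler branch of that behaviour is visible in the server's own W3C logs: the same URI answers search-engine user agents with a redirect while real browsers get a 200. The following is an added example, not code from the article or from Talos; it parses IIS W3C log lines and flags URIs where crawlers are redirected far more often than ordinary visitors. The log lines, the crawler user-agent pattern and the rate thresholds are all constructed assumptions, and the date in the sample is made up.

```python
"""Find URIs that redirect search-engine crawlers but not ordinary visitors.

Added example; the log excerpt below is constructed, not from the article.
IIS W3C logs separate fields with single spaces and replace spaces inside the
user agent with '+', which is why a plain split works here.
"""
import re
from collections import defaultdict

# Assumed crawler pattern; extend it with the engines your site actually sees.
CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp|duckduckbot|baiduspider|yandexbot", re.I)

# Constructed sample: /index.aspx cloaks, /about.aspx is clean, /old.aspx is a
# legitimate redirect that everyone receives.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem sc-status cs(User-Agent)
2026-01-15 08:00:01 GET /index.aspx 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0
2026-01-15 08:00:05 GET /index.aspx 302 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html)
2026-01-15 08:01:10 GET /index.aspx 302 Mozilla/5.0+(compatible;+bingbot/2.0;+http://www.bing.com/bingbot.htm)
2026-01-15 08:01:40 GET /index.aspx 200 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+14_2)+Safari/605.1
2026-01-15 08:02:00 GET /about.aspx 200 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html)
2026-01-15 08:02:05 GET /about.aspx 200 Mozilla/5.0+(compatible;+bingbot/2.0;+http://www.bing.com/bingbot.htm)
2026-01-15 08:02:30 GET /about.aspx 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0
2026-01-15 08:02:45 GET /about.aspx 200 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+14_2)+Safari/605.1
2026-01-15 08:03:00 GET /old.aspx 301 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html)
2026-01-15 08:03:01 GET /old.aspx 301 Mozilla/5.0+(compatible;+bingbot/2.0;+http://www.bing.com/bingbot.htm)
2026-01-15 08:03:10 GET /old.aspx 301 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0
2026-01-15 08:03:20 GET /old.aspx 301 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+14_2)+Safari/605.1
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, values))


def find_cloaked_uris(text, min_hits=2, crawler_rate=0.8, user_rate=0.2):
    """URIs where crawlers get 3xx at >= crawler_rate while users get 3xx at <= user_rate."""
    # uri -> {"crawler": [total, redirects], "user": [total, redirects]}
    stats = defaultdict(lambda: {"crawler": [0, 0], "user": [0, 0]})
    for rec in parse_w3c(text):
        ua = rec["cs(User-Agent)"].replace("+", " ")
        status = int(rec["sc-status"])
        bucket = "crawler" if CRAWLER_UA.search(ua) else "user"
        counter = stats[rec["cs-uri-stem"]][bucket]
        counter[0] += 1
        if 300 <= status < 400:
            counter[1] += 1

    flagged = {}
    for uri, s in stats.items():
        c_total, c_redir = s["crawler"]
        u_total, u_redir = s["user"]
        if c_total < min_hits or u_total < min_hits:
            continue  # not enough of both populations to compare
        if c_redir / c_total >= crawler_rate and u_redir / u_total <= user_rate:
            flagged[uri] = {"crawler_redirects": f"{c_redir}/{c_total}",
                            "user_redirects": f"{u_redir}/{u_total}"}
    return flagged


if __name__ == "__main__":
    for uri, detail in find_cloaked_uris(SAMPLE_LOG).items():
        print(uri, detail)
```

On the constructed excerpt only /index.aspx is reported; /old.aspx redirects everyone and is treated as a normal site redirect. The Thai-language branch described above does not show up this way: the response is still a 200 and Accept-Language is not in the default IIS log fields, so confirming that leg means fetching the same page with and without a Thai Accept-Language header from a clean client and diffing the bodies.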

Three BadIIS Variants Identified in Thailand Campaign
Cisco Talos also identified three technical sub-variants within the Thailand-focused BadIIS cluster:
- Multiple-extension exclusion variant
  - avoids injecting into specific file types to reduce performance impact and avoid visible website breakage
- HTML template loader variant
  - generates SEO pages dynamically using templates stored on disk or fallback templates embedded in the malware
  - fills pages with random data, dates, and URL-based content
- Dynamic page / directory index variant
  - selectively targets dynamic pages (like default.aspx, index.php) and directory indexes
Talos believes this selective targeting improves the malware’s SEO impact and reduces logging errors that could alert defenders.
Linux BadIIS Development Also Underway
Talos also reported signs the group is actively improving a Linux version of BadIIS.
A Linux ELF sample uploaded to VirusTotal in October 2025 showed similar behavior (proxying, injection, SEO fraud), but with one important change: it limited targeting to major search engines including:
- Microsoft Bing
- Yahoo
Why This Matters
This campaign highlights a growing trend: attackers are increasingly treating web servers as long-term assets, not just targets to exploit once.
By mixing web shells, stealth accounts, VPN tooling, and SEO fraud malware, UAT-8099 is running what looks like a persistent operation designed for:
- long-term server control
- traffic hijacking
- region-specific manipulation
- stealth-focused persistence