Full Report
Cybersecurity researchers have shed light on a Chinese-speaking cybercrime group codenamed UAT-8099 that has been attributed to search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data. The attacks are designed to target Microsoft Internet Information Services (IIS) servers, with most of the infections reported in India, Thailand
Analysis Summary
# Threat Actor: UAT-8099
## Attribution & Identity
* **Attribution:** Chinese-speaking cybercrime group.
* **Known Aliases:** UAT-8099.
* **Associated Groups:** Mentioned in context alongside other Chinese-speaking threat clusters using BadIIS malware, such as DragonRank and Operation Rewrite (aka CL-UNK-1037).
* **Discovery Date:** First discovered in April 2025.
## Activity Summary
UAT-8099 is engaged in a global campaign primarily focused on Search Engine Optimization (SEO) fraud and the theft of high-value data, including credentials, configuration files, and certificate data. They achieve this by compromising and manipulating Microsoft IIS servers. The group focuses on maintaining persistence and actively works to hide their activity and prevent other threat actors from accessing previously compromised hosts.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting security vulnerabilities or weak configurations in the web server's file upload feature on IIS servers.
- **Web Shell Deployment:** Uploading web shells for initial reconnaissance and performing basic system information gathering.
- **Privilege Escalation:** Enabling the 'guest' account to elevate privileges up to administrator level.
- **Establishing Access:** Enabling Remote Desktop Protocol (RDP) on compromised hosts.
- **Persistence Mechanisms:** Combining RDP with VPN tools like SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP) for maintaining clandestine access.
- **Post-Exploitation:** Deployment of Cobalt Strike as the preferred backdoor.
- **Data Exfiltration/Search:** Using the RDP GUI to access IIS servers and employing the file search tool 'Everything' to locate high-value data for packaging/resale.
- **Evasion:** Custom automation scripts designed to evade defenses and hide activity.
- **SEO Manipulation:** Deploying BadIIS malware variants that only activate SEO manipulation when the request originates from Googlebot (User-Agent check). This includes backlinking to boost website visibility.
- **Malware Use:** Utilizing web shells, open-source hacking tools, Cobalt Strike, and a custom variant of BadIIS malware.
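The Googlebot User-Agent check that gates the SEO manipulation is also a detection opportunity for the server owner: a page that is served one way to ordinary visitors and a noticeably different way to anything claiming to be Googlebot is a cloaking signal. The script below is an added example, not code from the report or from the researchers' tooling. It parses IIS W3C-format logs using the `#Fields:` directive, buckets successful responses per URL by whether the User-Agent contains "googlebot", and flags URLs where the median response size for Googlebot differs from the median for everyone else by a configurable ratio. It assumes `sc-bytes` logging is enabled on the server (it is not part of the default IIS field set); the log lines are constructed for the example.

```python
"""Flag Googlebot-conditional cloaking in IIS W3C logs (added example).

Assumption: sc-bytes is enabled in the site's W3C logging fields. Field
positions are read from the #Fields directive, so other layouts work too.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log. IIS writes '+' in place of spaces in User-Agent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2025-04-01 00:01:02 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 18432 15
2025-04-01 00:01:09 10.0.0.5 GET /index.html - 443 - 198.51.100.8 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0) - 200 0 0 18440 12
2025-04-01 00:02:30 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 61210 40
2025-04-01 00:03:01 10.0.0.5 GET /about.html - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9020 10
2025-04-01 00:03:15 10.0.0.5 GET /about.html - 443 - 203.0.113.11 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 9031 11
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, values))


def find_cloaked_urls(text, min_ratio=1.5):
    """Return {url: (human_median_bytes, bot_median_bytes, ratio)} for URLs
    whose Googlebot responses differ in size from everyone else's by at
    least min_ratio in either direction. Only HTTP 200 responses count."""
    by_url = defaultdict(lambda: {"bot": [], "human": []})
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "200":
            continue
        try:
            size = int(rec["sc-bytes"])
        except (KeyError, ValueError):
            continue
        ua = rec.get("cs(User-Agent)", "").lower()
        bucket = "bot" if "googlebot" in ua else "human"
        by_url[rec["cs-uri-stem"]][bucket].append(size)

    findings = {}
    for url, sizes in by_url.items():
        if not sizes["bot"] or not sizes["human"]:
            continue  # nothing to compare against
        bot_med = median(sizes["bot"])
        human_med = median(sizes["human"])
        ratio = bot_med / human_med if human_med else float("inf")
        if ratio >= min_ratio or ratio <= 1 / min_ratio:
            findings[url] = (human_med, bot_med, round(ratio, 2))
    return findings


if __name__ == "__main__":
    for url, (human, bot, ratio) in find_cloaked_urls(SAMPLE_LOG).items():
        print(f"{url}: human median {human} B, Googlebot median {bot} B, ratio {ratio}")
```

Treat a hit as a triage signal rather than proof: sites that legitimately pre-render for crawlers will also show a size gap, so confirm by fetching the flagged URL yourself with and without a Googlebot User-Agent and diffing the HTML for injected links. Because the implant keys on the User-Agent string alone, the check needs no real crawler traffic to reproduce.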
## Targeting
* **Sectors:** Universities, tech firms, and telecom providers.
* **Geography:** India, Thailand, Vietnam, Canada, and Brazil.
* **Victims:** Primarily mobile users (both Android and Apple iPhone devices) who visit the compromised IIS servers.
* **Platform Focus:** Microsoft Internet Information Services (IIS) servers.
## Tools & Infrastructure
* **Malware Families Used:** BadIIS (custom variant), Web shells, Cobalt Strike (backdoor).
* **Other Tools:** Everything (GUI search tool), SoftEther VPN, EasyTier, Fast Reverse Proxy (FRP).
* **Infrastructure:** Not explicitly listed; however, the deployed BadIIS variant includes a proxy mode in which an encoded C2 address is used as a proxy to retrieve content from a secondary C2 server.
## Implications
UAT-8099 represents a financially motivated threat actor leveraging established attack surfaces (vulnerable IIS servers) for deceptive financial gain through SEO fraud, which can significantly impact the credibility and search ranking integrity of legitimate organizations. Their data theft operations suggest a secondary objective of selling compromised credentials or configuration data. The use of sophisticated persistence mechanisms (VPNs combined with RDP) indicates an established and dedicated cybercrime operation.
## Mitigations
- Review and restrict permissions on web server file upload features to prevent initial foothold establishment.
- Implement robust logging and monitoring for unauthorized creation or modification of web shells and system configuration changes (e.g., enabling guest accounts or RDP).
- Audit outbound network connections from IIS servers, particularly those related to RDP usage combined with VPN tools (SoftEther VPN, FRP).
- Ensure timely patching of known vulnerabilities in IIS servers.
- Implement web application firewalls (WAFs) capable of inspecting dynamic content manipulation attempts linked to SEO fraud redirects.
- Monitor for the deployment or execution of BadIIS variants or known IOCs associated with DragonRank/Operation Rewrite, as these tools are shared.
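One concrete way to act on the last two mitigations is to audit which native modules IIS actually loads. BadIIS-family implants are installed as native IIS modules registered in `applicationHost.config` (this is known from public BadIIS reporting and is not stated on this page), so a module whose DLL lives outside `%windir%\System32\inetsrv` or whose name is not in your baseline deserves a look. The script below is an added example, not code from the report or from any vendor tool; the `BASELINE` set and the sample configuration are constructed for the example, and in a real deployment the baseline should come from a known-good server of the same build.

```python
"""Audit IIS <globalModules> for DLLs outside inetsrv or outside a baseline.

Added example. Assumes a BadIIS-style implant registers as a native module
in applicationHost.config (public reporting, not this page). Run against a
copy of %windir%\\System32\\inetsrv\\config\\applicationHost.config.
"""
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample: four stock modules and one unexpected DLL under inetpub\temp.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="SeoHelper" image="C:\\inetpub\\temp\\seohelp.dll" />
      <add name="RewriteModule" image="%windir%\\System32\\inetsrv\\rewrite.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Constructed baseline: replace with the module names from a known-good server.
BASELINE = {"HttpLoggingModule", "DefaultDocumentModule", "StaticFileModule", "RewriteModule"}

# Locations where stock IIS module DLLs live, compared case-insensitively.
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "c:\\windows\\system32\\inetsrv\\",
)


def audit_global_modules(config_xml, baseline=BASELINE):
    """Return a list of findings, one per suspicious <globalModules><add> entry.
    Each finding records the module name, its image path and why it was flagged."""
    root = ET.fromstring(config_xml)
    findings = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            norm = ntpath.normpath(image).lower()
            reasons = []
            if not any(norm.startswith(p) for p in TRUSTED_PREFIXES):
                reasons.append("image outside inetsrv")
            if name not in baseline:
                reasons.append("name not in baseline")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG):
        print(f"{f['name']}: {f['image']} ({', '.join(f['reasons'])})")
```

A path check alone is not sufficient, since an attacker with administrator access can drop a DLL into `inetsrv` and give it a plausible name; pair this with hashing the referenced DLLs against the same known-good server, and alert on any change to `applicationHost.config` itself, which ties in with the logging guidance above.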