# Full Report
Cisco Talos has identified a new, regionally targeted campaign by UAT-8099 that leverages advanced persistence techniques and custom BadIIS malware variants to compromise IIS servers, particularly in Thailand and Vietnam.
# Analysis Summary
# Threat Actor: UAT-8099
## Attribution & Identity
* **Actor Identification:** UAT-8099, a Chinese-speaking cybercrime group.
* **Known Aliases and Associations:** Significant operational overlaps identified with the **WEBJACK** campaign.
## Activity Summary
UAT-8099 has been active from late 2025 through early 2026, leading a regionally targeted campaign against vulnerable Internet Information Services (IIS) servers. The campaign shows a distinct concentration of attacks in Thailand and Vietnam, although compromised servers were also noted in India, Pakistan, and Japan. The primary objective appears to be maintaining access for continued **black hat SEO tactics**, particularly promoting gambling sites. The actor leverages advanced persistence mechanisms, evolving their malware variants to hardcode regional targeting information.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Uses web shells and PowerShell capabilities to execute scripts.
- **Persistence:**
  - Establishes persistence by creating hidden user accounts, specifically `admin$` or `mysql$` if `admin$` is blocked.
  - Leverages **advanced persistence techniques** via custom BadIIS variants.
  - Abuses legitimate tools/utilities for evasion (e.g., `CnCrypt Protect` for hiding files and DLL redirection).
- **Defense Evasion:**
  - Uses a `.NET` utility (`Sharp4RemoveLog`) to clear Windows event logs.
  - Utilizes `OpenArk64` to gain kernel-level access to terminate security product processes.
- **Command and Control (C2):** Relies on remote access tools, notably **GotoHTTP** deployed via VBScript, and continues to utilize **SoftEther VPN** and **EasyTier**.
- **Custom Malware Usage:** Deploys custom variants of **BadIIS** tailored for specific regions (e.g., archives named "VN.zip" or "TH.zip," directory names like "VN" or "newth").
- **Malware Variants:** A Linux Executable and Linkable Format (ELF) variant of BadIIS was observed, featuring proxy mode, injector mode, and SEO fraud mode.
- **SEO Fraud:** Targets specific URL path patterns associated with illicit sites (e.g., `news|cash|bet|gambling|betting|casino|...`). Prioritizes targeting only three search engines (Google, Bing, Yahoo) with the new ELF variant.
- **Reconnaissance:** Executes standard commands like `whoami` and `tasklist` post-initial access.
## Targeting
- **Sectors:** Not named explicitly; any organization hosting a vulnerable IIS server, whose web presence is then used to promote gambling/betting sites.
- **Geography:** Specific focus on **Thailand** and **Vietnam**. Also observed in India, Pakistan, and Japan.
- **Victims:** Organizations operating vulnerable IIS servers.
## Tools & Infrastructure
- **Malware Families Used:**
  - **BadIIS** (custom variants, including an ELF version)
  - **GotoHTTP** (remote control tool)
- **Legitimate/Abused Tools:**
  - **SoftEther VPN**
  - **EasyTier**
  - **CnCrypt Protect** (abused for file hiding/DLL redirection)
  - **OpenArk64** (anti-rootkit tool, used for process termination)
  - **Sharp4RemoveLog** (.NET utility for log clearing)
- **Infrastructure (C2, domains, IPs):** C2 servers use domain names that correlate with previously documented infrastructure and overlap with the WEBJACK campaign; specific URLs and IPs are not enumerated in this summary.
## Implications
UAT-8099 demonstrates increasing sophistication in evasion and persistence, moving from generic attacks to highly customized, regionalized operations. The integration of red team utilities (like OpenArk64) and file protection tools (`CnCrypt Protect`) to counter endpoint detection suggests a focused effort to establish long-term, difficult-to-remove persistence on compromised web servers for ongoing SEO fraud activities.
## Mitigations
- Harden and patch Internet Information Services (IIS) servers against known vulnerabilities.
- Monitor for the creation of suspicious local user accounts, particularly `admin$` or `mysql$`.
- Implement robust detection for process termination attempts against security products (monitoring for tools like OpenArk64 usage).
- Deploy network intrusion prevention rules targeting known IOCs (Snort SIDs: 65712, 65713, 65710, 65711, 65708, 65709, 65707, 65706; Snort3 SIDs: 301378, 301377, 301376, 65707, 65706).
- Review web access logs for anomalous traffic patterns corresponding to illicit URL paths associated with gambling/betting SEO schemes.
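The two log-based checks above (hidden-account names and crawler hits on gambling-themed paths) as an added detection example; this is illustrative code written for this summary, not Talos tooling, and the IIS W3C log lines, IP addresses and crawler user-agent tokens are constructed samples.

```python
import re
from typing import Dict, Iterator, List

# Constructed IIS W3C log excerpt for illustration (not from the Talos report).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2026-01-10 03:14:02 GET /index.html - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200
2026-01-10 03:14:09 GET /th/casino-bonus - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) 200
2026-01-10 03:15:31 GET /vn/betting/live - 198.51.100.9 Mozilla/5.0+(compatible;+bingbot/2.0) 200
2026-01-10 03:16:00 GET /about - 203.0.113.8 Mozilla/5.0+(compatible;+Yahoo!+Slurp) 200
2026-01-10 03:17:45 GET /news/cash-prizes - 203.0.113.9 Mozilla/5.0+(Macintosh) 200
"""

# Path keywords quoted in the report; the report's own pattern continues beyond these ("...").
ILLICIT_PATH = re.compile(r"news|cash|bet|gambling|betting|casino", re.I)
# Crawler tokens (assumed) for the three engines the ELF variant targets: Google, Bing, Yahoo.
CRAWLER_UA = re.compile(r"Googlebot|bingbot|Slurp", re.I)
# Hidden-account names the report ties to UAT-8099 persistence.
SUSPICIOUS_ACCOUNTS = {"admin$", "mysql$"}


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS encodes spaces inside fields as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def flag_seo_fraud(text: str) -> List[Dict[str, str]]:
    """Return requests where a search-engine crawler hit a gambling-themed path."""
    # Crawler-only traffic to such paths on a site that does not host that content
    # is the footprint of BadIIS SEO-fraud mode serving pages only to search engines.
    hits = []
    for rec in parse_w3c(text):
        ua = rec.get("cs(User-Agent)", "")
        path = rec.get("cs-uri-stem", "")
        if CRAWLER_UA.search(ua) and ILLICIT_PATH.search(path):
            hits.append(rec)
    return hits


def flag_accounts(names: List[str]) -> List[str]:
    """Return local account names matching the report's hidden-account pattern."""
    return [n for n in names if n.lower() in SUSPICIOUS_ACCOUNTS]
```

Feed `flag_seo_fraud` the server's daily W3C log and `flag_accounts` the output of a local account enumeration; a non-empty result from either warrants a look at the IIS module list for unexpected native DLLs.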