
China Group Hijacks IIS for Global SEO Scams

Cybersecurity researchers have identified a Chinese-speaking cybercrime group codenamed UAT-8099. The group is linked to search engine optimization (SEO) fraud and to the theft of valuable credentials, configuration files, and certificate data.

The group's attacks are primarily designed to target Microsoft Internet Information Services (IIS) servers. Most infections have been reported in India, Thailand, Vietnam, Canada, and Brazil, affecting diverse sectors such as universities, tech firms, and telecom providers. The group was first discovered in April 2025 and focuses its attacks mainly on mobile users, including both Android and Apple iPhone devices. 

UAT-8099 is the most recent China-linked actor to use SEO fraud for financial gain. For example, just last month, ESET disclosed details about another threat actor, GhostRedirector. GhostRedirector compromised at least 65 Windows servers, mostly in Brazil, Thailand, and Vietnam, using a malicious IIS module called Gamshen to facilitate similar SEO fraud. 

Attack Methodology and Privilege Escalation 

According to Cisco Talos researcher Joey Chen, "UAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions." The group achieves persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware variants. It uses customized automation scripts to evade defenses and conceal its activity.

Once a vulnerable IIS server is found, either through a security flaw or through weak file upload settings, the threat actor uses this foothold to upload web shells. This initial access lets the group conduct reconnaissance and gather basic system information. The financially motivated group then enables the guest account and escalates its privileges all the way to administrator access, which it uses to enable Remote Desktop Protocol (RDP).

UAT-8099 also takes steps to secure its access by plugging the initial vulnerability, which prevents other threat actors from compromising the same servers. Cobalt Strike is deployed as the preferred backdoor for post-exploitation. For persistence, RDP is combined with VPN and tunneling tools such as SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP).

The attack chain concludes with the installation of the BadIIS malware, a tool also used by other Chinese-speaking threat clusters such as DragonRank and Operation Rewrite (also known as CL-UNK-1037). UAT-8099 uses RDP to access the IIS servers and searches for valuable data on the compromised host with a graphical file-search tool called Everything. This data is then packaged for resale or further exploitation. The total number of servers compromised by the group is currently unknown.

BadIIS Malware Operation 

The BadIIS variant deployed by UAT-8099 features modified code and an altered functional workflow to avoid detection by antivirus software. Like Gamshen, its SEO manipulation component only activates when the request originates from Google (that is, when the User-Agent is Googlebot).

BadIIS operates in three distinct modes:

  • Proxy: This mode extracts the encoded, embedded command-and-control (C2) server address and uses it as a proxy to retrieve content from a secondary C2 server.
  • Injector: This mode intercepts browser requests originating from Google search results, connects to the C2 server to retrieve JavaScript code, embeds the downloaded JavaScript into the HTML content of the response, and returns the altered response. This redirects the victim to a destination of the attacker's choosing, usually unauthorized advertisements or illegal gambling websites.
  • SEO Fraud: This mode uses multiple compromised IIS servers to conduct large-scale SEO fraud by serving backlinks that artificially boost website rankings.

"The actor employs a conventional SEO technique known as backlinking to boost website visibility," Talos noted. Google’s search engine uses backlinks to discover additional sites and assess keyword relevance. A higher number of backlinks increases the likelihood of Google crawlers visiting a site, which can accelerate ranking improvements and enhance exposure for the webpages. However, simply accumulating backlinks without regard to quality can lead to penalties from Google. 
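Because BadIIS (like Gamshen) only alters responses for requests that look as if they come from Google, a site owner cannot see the injection from an ordinary browser. A practical defender check is to request the same page under several client profiles and diff the script tags returned. The following is an added example written for this article, not code from Talos or from the malware; the client profiles, sample HTML and the `cdn.example.invalid` address are constructed assumptions used to show the comparison offline, and `check_url()` performs the same comparison against a live site you administer.

```python
"""Cloaking check for an IIS site: compare the HTML served to an ordinary
browser with the HTML served to requests that imitate Google (Googlebot
User-Agent, Google search Referer) and report any <script> tag that
appears only in the "Google" view.

Added example for this article; not Talos' or the malware's code.
The profiles and sample pages below are constructed assumptions.
"""
import hashlib
import urllib.request
from html.parser import HTMLParser

# Client profiles (assumed values). The baseline is a plain browser; the
# other two mimic the trigger conditions the article describes for BadIIS.
PROFILES = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
    "google_referer": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                       "Referer": "https://www.google.com/search?q=example"},
}


class _ScriptCollector(HTMLParser):
    """Collect a fingerprint for every <script>: its src, or a hash of its body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode()).hexdigest()[:12]
            self.scripts.append(self._src or f"inline:{digest}")


def script_fingerprints(html: str) -> set:
    """Return the set of script fingerprints found in an HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return set(parser.scripts)


def injected_scripts(baseline_html: str, suspect_html: str) -> set:
    """Scripts present in the suspect response but absent from the baseline."""
    return script_fingerprints(suspect_html) - script_fingerprints(baseline_html)


def fetch(url: str, headers: dict, timeout: int = 10) -> str:
    """Fetch url with the given request headers and return the decoded body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_url(url: str) -> dict:
    """Fetch url under every profile and map each non-baseline profile to
    the scripts it received that the plain browser did not."""
    baseline = fetch(url, PROFILES["browser"])
    return {name: injected_scripts(baseline, fetch(url, hdrs))
            for name, hdrs in PROFILES.items() if name != "browser"}


# Constructed sample pages for offline use: the page as a browser sees it,
# and the same page with one extra script tag as a cloaked response would carry.
CLEAN_PAGE = (
    '<html><head><title>Dept</title><script src="/js/app.js"></script></head>\n'
    '<body><h1>Welcome</h1><script>var a=1;</script></body></html>'
)
CLOAKED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://cdn.example.invalid/r.js"></script></body>')


if __name__ == "__main__":
    # Offline demonstration on the constructed pages.
    print("scripts only in cloaked view:", injected_scripts(CLEAN_PAGE, CLOAKED_PAGE))
    # Against a site you administer (assumed URL):
    # for profile, extra in check_url("https://www.example.invalid/").items():
    #     print(profile, "->", extra or "no difference")
```

Any non-empty result from `check_url()` for a profile means the server is returning different script content to Google-like requests than to a browser, which is exactly the behaviour the Injector mode produces and should prompt a review of the installed IIS native modules. Legitimate differences (A/B testing, bot-specific rendering) do occur, so treat the output as a lead rather than a verdict.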
