Cybersecurity researchers have shed light on a Chinese-speaking cybercrime group, codenamed UAT-8099, which has been linked to search engine optimization (SEO) fraud and the theft of high-value credentials, configuration files, and certificate data. The attacks are designed to target Microsoft Internet Information Services (IIS) servers, with most infections reported in India, Thailand, Vietnam, Canada, and Brazil, affecting universities, tech firms, and telecom providers. The group was first discovered in April 2025. The targets are primarily mobile users, encompassing both Android and Apple iPhone devices.[1]
UAT-8099 is the latest China-linked actor to engage in SEO fraud for financial gain. As recently as September 2025, ESET revealed details of another threat actor, GhostRedirector, which has compromised at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam using a malicious IIS module codenamed Gamshen to facilitate SEO fraud. "UAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions," Cisco Talos researcher Joey Chen said. "The group maintains persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware; their automation scripts are customized to evade defenses and hide activity."
Once a vulnerable IIS server is identified, either through a security vulnerability or weak settings in the web server's file upload feature, the threat actor exploits the foothold to upload web shells, conducting reconnaissance and gathering basic system information. The financially motivated hacking group subsequently enables the guest account to escalate their privileges, all the way to the administrator, and use it to enable Remote Desktop Protocol (RDP). UAT-8099 has also been observed taking steps to establish the initial access pathway, thereby maintaining sole control of the compromised hosts and preventing other threat actors from compromising the same servers. Additionally, Cobalt Strike is deployed as the preferred backdoor for post-exploitation purposes.
To achieve persistence, RDP is combined with VPN tools such as SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP). The attack chain culminates in the installation of BadIIS malware, which has been utilized by multiple Chinese-speaking threat clusters, including DragonRank and Operation Rewrite (also known as CL-UNK-1037). UAT-8099 uses RDP to access IIS servers and search for valuable data within the compromised host using a graphical user interface (GUI) tool named Everything, which is then packaged for either resale or further exploitation. It's not currently clear how many servers the group has compromised.
The BadIIS malware deployed in this case, however, is a variant that has tweaked its code structure and functional workflow to sidestep detection by antivirus software. It functions similarly to Gamshen in that the SEO manipulation component activates only when the request originates from Google (i.e., the User-Agent is Googlebot).
BadIIS can operate in three different modes:
- Proxy, which extracts the encoded, embedded command-and-control (C2) server address and uses it as a proxy to retrieve content from a secondary C2 server.
- Injector, which intercepts browser requests originating from Google search results, connects to the C2 server to retrieve JavaScript code, embeds the downloaded JavaScript into the HTML content of the response, and returns the altered response back to redirect the victim to the chosen destination (unauthorized advertisements or illegal gambling websites)
- SEO fraud, which compromises multiple IIS servers to conduct SEO fraud by serving backlinks to artificially boost website rankings.
"The actor employs a conventional SEO technique known as backlinking to boost website visibility," Talos said. "Google's search engine uses backlinks to discover additional sites and assess keyword relevance." A higher number of backlinks increases the likelihood of Google crawlers visiting a site, which can accelerate ranking improvements and enhance the exposure of webpages. However, simply accumulating backlinks without regard to quality can lead to penalties from Google.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://thehackernews.com/2025/10/chinese-cybercrime-group-runs-global.html
Comments