A Chinese-speaking cybercrime group is hijacking trusted Internet Information Services (IIS) worldwide to run SEO scams that redirect users to shady ads and gambling sites, Cisco Talos has found.
The group, tracked as UAT-8099, exploits IIS servers that have a good reputation to manipulate search engine results for financial gain.
The compromised IIS servers redirect users to unauthorized advertisements or illegal gambling websites.
The affected IIS servers were identified in India, Thailand, Vietnam, Canada and Brazil, at organizations such as universities, tech firms and telecom providers. This finding was based on Cisco's file census and DNS traffic analysis.
The majority of their targets are mobile users, encompassing not only Android devices but also Apple iPhone devices.
Cisco Talos detailed the full attack chain and additional findings relating to the UAT-8099 campaign in a blog published on October 2, 2025.
The firm explained that when the group discovers a vulnerability in the target server, it uploads a web shell to collect system information and conducts reconnaissance on the host network.
Once the collection of information is complete, UAT-8099 enables the guest account, escalates its privileges to administrator level and uses this account to enable remote desktop protocol (RDP).
For persistence, the hackers combine RDP access with SoftEther VPN, EasyTier (a decentralized virtual private network tool) and the FRP reverse proxy tool.
The group then performs further privilege escalation using shared tools to gain system-level permissions and install the BadIIS malware.
To secure their foothold, they deploy defense mechanisms to prevent other threat actors from compromising the same server or disrupting their setup.
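The guest-enable, privilege-escalation and RDP-enable steps above each leave a Windows Security audit event, which gives defenders an ordered sequence to correlate. The script below is an added example written for this article, not Talos's tooling; the event IDs, field layout and sample events are assumptions, simplified from real audit records and constructed inline.

```python
"""Correlate Windows Security events into the ordered foothold sequence described above."""
import re

# Constructed sample events, not real telemetry: (event_id, message).
# Field names are simplified from the real event text (assumption).
SAMPLE_EVENTS = [
    (4624, "An account was successfully logged on. Account Name: svc_web"),
    (4722, "A user account was enabled. Target Account Name: Guest"),
    (4732, "A member was added to a security-enabled local group. "
           "Member Name: Guest Group Name: Administrators"),
    (4657, "A registry value was modified. Object Name: Terminal Server "
           "Value Name: fDenyTSConnections New Value: 0"),
]

# Stages in the order the article describes them: guest enabled, guest made
# administrator, RDP enabled. Each is (name, event_id, pattern the message must match).
STAGES = [
    ("guest_enabled", 4722, re.compile(r"Target Account Name:\s*Guest\b", re.I)),
    ("guest_admin", 4732,
     re.compile(r"Member Name:\s*Guest\b.*Group Name:\s*Administrators\b", re.I)),
    ("rdp_enabled", 4657, re.compile(r"fDenyTSConnections.*New Value:\s*0\b", re.I)),
]


def match_stages(events):
    """Return the stage names reached, in order.

    A stage only counts once every earlier stage has been seen, so an RDP
    enable that precedes the guest-account enable is not treated as part of
    this chain (it may still deserve its own alert).
    """
    reached = []
    next_idx = 0
    for event_id, message in events:
        if next_idx >= len(STAGES):
            break
        name, want_id, pattern = STAGES[next_idx]
        if event_id == want_id and pattern.search(message):
            reached.append(name)
            next_idx += 1
    return reached


def is_full_chain(events):
    """True when all three stages occurred in sequence on this host."""
    return len(match_stages(events)) == len(STAGES)


if __name__ == "__main__":
    print("stages reached:", match_stages(SAMPLE_EVENTS))
    print("full chain:", is_full_chain(SAMPLE_EVENTS))
```

Event 4657 only appears when object-access auditing is enabled for the relevant registry key, so the third stage needs that audit policy in place to be observable.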
New Malware Samples Identified
Cisco Talos identified the group’s activity in April 2025 and found several new BadIIS malware samples in the campaign.
In its analysis, Talos said the BadIIS variants used in this campaign revealed functional and URL pattern similarities to a variant previously documented in 2021.
This version, however, had an altered code structure and functional workflow to evade detection by antivirus products.
Talos identified several instances of the BadIIS malware on VirusTotal this year: one cluster with very low detection rates and another containing simplified Chinese debug strings.