Chinese Cybercrime Group UAT-8099 Exploits IIS for SEO Scams
A Chinese-speaking cybercrime group tracked as UAT-8099 has been compromising trusted Microsoft Internet Information Services (IIS) servers worldwide to run SEO fraud. The group, first identified on March 15, 2023, manipulates search engine results so that visitors, primarily mobile users, are redirected to unauthorized advertisements and illegal gambling websites.
Cisco Talos detailed the UAT-8099 campaign in a blog post published on October 2, 2025. The group's attack chain involves uploading a web shell, conducting reconnaissance, enabling the guest account, escalating privileges, and installing the BadIIS malware. For persistence, the group uses SoftEther VPN, EasyTier, and the FRP reverse proxy tool alongside RDP access.
The affected IIS servers were identified in India, Thailand, Vietnam, Canada, and Brazil, at organizations such as universities, tech firms, and telecom providers. Talos found instances of the BadIIS malware on VirusTotal with very low detection rates and simplified Chinese debug strings. Talos also identified new malware samples in the campaign, noting that the group has been altering code structures and functional workflows to evade detection.
The UAT-8099 group's activities, detailed by Cisco Talos, highlight the ongoing threat of IIS server compromises for financial gain. With the majority of targets being mobile users, both Android and Apple iPhone devices are at risk. As the group continues to evolve its tactics, vigilance and robust malware protection measures are crucial to protect against such attacks.
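As an added defensive illustration (not from the Talos report and not the group's tooling), the following Python script scans constructed IIS W3C log lines for one indicator consistent with the SEO manipulation described above: a URI that search-engine crawlers fetch successfully while mobile visitors are redirected. The user-agent patterns, the status-code thresholds and the sample log lines are assumptions; treat a hit as a lead for inspecting the server's installed IIS modules, not as proof of compromise.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C log lines (illustrative, not taken from the report).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-02 10:00:01 10.0.0.5 GET /news/index.html - 80 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 15
2025-10-02 10:00:02 10.0.0.5 GET /news/index.html - 80 - 203.0.113.7 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0+like+Mac+OS+X)+AppleWebKit/605.1.15+Mobile/15E148 - 302 0 0 3
2025-10-02 10:00:03 10.0.0.5 GET /news/index.html - 80 - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 - 200 0 0 12
2025-10-02 10:00:04 10.0.0.5 GET /about.html - 80 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 10
2025-10-02 10:00:05 10.0.0.5 GET /about.html - 80 - 203.0.113.9 Mozilla/5.0+(Linux;+Android+14)+Mobile+Chrome/120.0 - 200 0 0 9
"""

# Assumed user-agent markers for the two client classes we compare.
CRAWLER_RE = re.compile(r"Googlebot|bingbot|Baiduspider|YandexBot", re.I)
MOBILE_RE = re.compile(r"iPhone|Android|Mobile", re.I)


def classify_agent(ua):
    """Bucket a User-Agent string into crawler, mobile or desktop."""
    if CRAWLER_RE.search(ua):
        return "crawler"
    if MOBILE_RE.search(ua):
        return "mobile"
    return "desktop"


def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")  # IIS encodes spaces inside a field as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_cloaking_candidates(text):
    """Return URIs where crawlers only saw 2xx while mobile clients got a 3xx redirect."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in parse_w3c(text):
        bucket = classify_agent(rec["cs(User-Agent)"])
        seen[rec["cs-uri-stem"]][bucket].add(int(rec["sc-status"]))
    findings = []
    for uri, buckets in seen.items():
        crawler_ok = bool(buckets["crawler"]) and all(200 <= s < 300 for s in buckets["crawler"])
        mobile_redirected = any(300 <= s < 400 for s in buckets["mobile"])
        if crawler_ok and mobile_redirected:
            findings.append({"uri": uri, "crawler": sorted(buckets["crawler"]), "mobile": sorted(buckets["mobile"])})
    return findings
```

Run against a real log directory by replacing SAMPLE_LOG with the file contents; a production version would also weight by request volume to avoid flagging a single mobile redirect.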