Cybersecurity

Cyber: China-linked Uat-8099 Targets Iis Servers In Asia With Badiis Seo...

2026-01-30 0 views admin
Cyber: China-linked Uat-8099 Targets Iis Servers In Asia With Badiis Seo...

Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026.

The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers located across Asia, but with a specific focus on targets in Thailand and Vietnam. The scale of the campaign is currently unknown.

"UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers," security researcher Joey Chen said in a Thursday breakdown of the campaign.

UAT-8099 was first documented by the cybersecurity company in October 2025, detailing the threat actor's exploitation of IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimization (SEO) fraud. The attacks involve infecting the servers with a known malware referred to as BadIIS.

The hacking group is assessed to be of Chinese origin, with the attacks dating back to April 2025. The threat cluster also shares similarities with another BadIIS campaign codenamed WEBJACK by Finnish cybersecurity vendor WithSecure in November 2025, based on overlaps in tools, command-and-control (C2) infrastructure, and victimology footprint.

The latest campaign is focused on compromising IIS servers located in India, Pakistan, Thailand, Vietnam, and Japan, although Cisco said it observed a "distinct concentration of attacks" in Thailand and Vietnam.

"While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly," Talos explained. "First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence."

The attack chain begins with UAT-8099 gaining initial access to an IIS server, typically by either exploiting a security vulnerability or weak settings in the web server's file upload feature. This is followed by the threat actor initiating a series of steps to deploy malicious payloads -

With security products taking steps to flag the "admin$" account, the threat actor has added a new check to verify if the name is blocked, and if so, proceeds to create a new user account named "mysql$" to maintain access and run the BadI

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityhackvulnerabilitymalware

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views