392/68 Wednesday, October 8, 2025

Cybersecurity researchers have uncovered the activities of a cybercriminal group known as UAT-8099, which targets Microsoft Internet Information Services (IIS) servers to conduct SEO fraud and to steal sensitive data such as passwords, configuration files, and digital certificates. Infections have been observed across multiple countries, including India, Thailand, Vietnam, Canada, and Brazil, affecting educational institutions, technology companies, and telecommunications providers; the attacks specifically target both Android and iPhone users.
The group scans for IIS servers with vulnerabilities or insecure configurations, then uploads a web shell to explore the system and escalate privileges to Administrator level. This enables them to activate Remote Desktop Protocol (RDP) to take control of compromised machines. They further deploy tools such as Cobalt Strike, SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP) to maintain persistent access and block other threat actors from hijacking the same systems. In the final stage, the BadIIS malware is installed to redirect Google search queries to illicit ad sites or gambling platforms.
The BadIIS malware used by UAT-8099 is a modified version designed to evade antivirus detection. It activates only when requests come from Googlebot, tricking Google’s search ranking system through “backlinking” techniques. By generating large numbers of fake links, attackers artificially boost the ranking of target websites in Google search results, driving traffic to sites that generate revenue through ads or online gambling.
Talos researchers warn that while these methods exploit standard SEO principles, the mass creation of low-quality links can ultimately result in affected websites being penalized or banned by Google in the long term.
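The conditional behaviour described above (BadIIS answering only when the requester looks like Googlebot, and redirecting search-referred visitors) leaves a detectable trace in the server's own access logs. The script below is an added example written for this summary; it is not code from the Talos report or the article. It parses IIS W3C extended logs and flags two signs of search-engine cloaking: URIs where Googlebot is consistently redirected while ordinary clients get a 200, and visitors arriving from a Google search result who are immediately redirected. The field layout in `SAMPLE_LOG` is a typical IIS configuration, and all log lines and IP addresses are constructed for the example.

```python
"""Detect search-engine cloaking in IIS W3C logs (added example, not from the page)."""
from collections import defaultdict

# Constructed sample log. IIS writes spaces inside the User-Agent as '+', so
# each line splits cleanly on whitespace. The #Fields line defines the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2025-10-08 10:00:01 GET /index.html 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/118.0 - 200
2025-10-08 10:00:02 GET /index.html 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0)+Firefox/118.0 - 200
2025-10-08 10:00:03 GET /index.html 192.0.2.5 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302
2025-10-08 10:00:04 GET /index.html 192.0.2.6 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302
2025-10-08 10:00:05 GET /about.html 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/118.0 - 200
2025-10-08 10:00:06 GET /about.html 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0)+Chrome/118.0 - 200
2025-10-08 10:00:07 GET /about.html 192.0.2.5 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200
2025-10-08 10:00:08 GET /about.html 192.0.2.6 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200
2025-10-08 10:00:09 GET /promo.html 198.51.100.7 Mozilla/5.0+(Linux;+Android+13)+Chrome/118.0+Mobile https://www.google.com/search?q=example 302
"""


def parse_iis_w3c(text):
    """Turn IIS W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip a malformed line instead of aborting the run
        records.append(dict(zip(fields, values)))
    return records


def is_googlebot(user_agent):
    """Crude crawler classification by User-Agent string (what a cloaking module keys on)."""
    return "googlebot" in user_agent.lower()


def find_cloaked_uris(records, min_requests=2, ratio=0.9):
    """URIs where crawler requests are (almost) always redirected but human clients get 2xx."""
    stats = defaultdict(lambda: {"bot": 0, "bot_redirect": 0, "user": 0, "user_ok": 0})
    for r in records:
        s = stats[r["cs-uri-stem"]]
        status = int(r["sc-status"])
        if is_googlebot(r["cs(User-Agent)"]):
            s["bot"] += 1
            s["bot_redirect"] += 300 <= status < 400
        else:
            s["user"] += 1
            s["user_ok"] += 200 <= status < 300
    flagged = []
    for uri, s in sorted(stats.items()):
        if s["bot"] < min_requests or s["user"] < min_requests:
            continue                    # not enough of both populations to compare
        if s["bot_redirect"] / s["bot"] >= ratio and s["user_ok"] / s["user"] >= ratio:
            flagged.append(uri)
    return flagged


def find_search_referred_redirects(records):
    """(client IP, URI) pairs where a visitor coming from a Google search page was redirected."""
    hits = []
    for r in records:
        referer = r.get("cs(Referer)", "-").lower()
        status = int(r["sc-status"])
        if "google." in referer and "/search" in referer and 300 <= status < 400:
            hits.append((r["c-ip"], r["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    print("Cloaked URIs:", find_cloaked_uris(recs))
    print("Search-referred redirects:", find_search_referred_redirects(recs))
```

On the constructed sample, `/index.html` is flagged because both Googlebot requests received a 302 while both browser requests received a 200, and the mobile visitor arriving from a Google search on `/promo.html` is reported as a search-referred redirect. Because the malware decides on the User-Agent, a second check worth running against a live server is to request the same URL twice, once with a normal browser User-Agent and once with a Googlebot one, and compare status codes and `Location` headers; a difference between the two is the behaviour this script is looking for in the logs.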
Source: https://thehackernews.com/2025/10/chinese-cybercrime-group-runs-global.html