Researchers Warn of BadIIS Using SEO Poisoning to Redirect Users to Spam and Gambling Sites


365/68 Thursday, September 25, 2025

Security researchers have warned that the Operation Rewrite campaign is deploying BadIIS malware to conduct SEO poisoning attacks, targeting East Asia and Southeast Asia, particularly Vietnam. The goal is to manipulate search engine rankings, tricking users into visiting compromised websites that then redirect them to spam sites or unwanted content such as gambling or pornography.

BadIIS is a malicious Internet Information Services (IIS) module capable of intercepting and modifying HTTP traffic. It inspects the User-Agent header to identify search engine crawlers and injects content from attacker-controlled command-and-control (C2) servers into the web pages served to them. This manipulation convinces search engines that the compromised sites are relevant to targeted keywords, thereby ranking them higher. When users search and click on the links, they are redirected to attacker-specified websites. In addition, attackers have been observed using the access they gained to install web shells, create new user accounts, steal source code, and deploy additional BadIIS implants for persistence.

Researchers noted that attackers are leveraging multiple tools, including a lightweight ASP.NET page handler, a .NET IIS module that inserts spam links into every request, and an all-in-one PHP script. These are combined with redirection and SEO poisoning techniques to control traffic flow and distort search results. This disclosure follows an earlier report by ESET on the GhostRedirector group, which used an IIS module called Gamshen to compromise over 65 servers in Brazil, Thailand, and Vietnam for similar SEO fraud operations.

Source: https://thehackernews.com/2025/09/badiis-malware-spreads-via-seo.html