Chinese Cybercriminals Exploit IIS Servers for SEO Fraud, Data Theft

Chinese-speaking cybercrime group UAT-8099 exploits Microsoft IIS servers for SEO fraud and data theft across multiple countries using customized malware and advanced hacking tools.

  • A Chinese-speaking cybercriminal group named UAT-8099 targets Microsoft Internet Information Services (IIS) servers to commit SEO fraud and steal sensitive data.
  • The group operates mainly in India, Thailand, Vietnam, Canada, and Brazil, targeting universities, tech companies, and telecom providers.
  • They exploit security weaknesses to install web shells, escalate privileges, enable Remote Desktop Protocol (RDP), and deploy customized malware such as BadIIS.
  • UAT-8099 uses various tools including open-source software, Cobalt Strike, and VPN services to maintain persistence and evade detection.
  • The group’s malware alters web traffic to boost search engine rankings through backlink manipulation, redirecting users to unauthorized ads or gambling sites.

Cybersecurity researchers have identified a Chinese-speaking cybercrime group called UAT-8099 responsible for search engine optimization (SEO) fraud and the theft of high-value credentials, configuration files, and certificates. The group primarily targets Microsoft Internet Information Services (IIS) servers and was first observed in April 2025. Most attacks have been reported across India, Thailand, Vietnam, Canada, and Brazil, focusing on mobile users with Android and Apple devices.


According to Cisco Talos researcher Joey Chen, UAT-8099 attacks reputable IIS servers in targeted regions to manipulate search rankings. The group employs web shells, open-source hacking tools, Cobalt Strike, and customized BadIIS malware to maintain access and conceal its activities. It exploits vulnerabilities or weak server file upload settings to gain initial entry.

After breaching a server, UAT-8099 escalates user privileges by enabling the guest account and activating Remote Desktop Protocol (RDP) access. The group secures their control by blocking other attackers’ access and uses RDP combined with VPN tools like SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP) to sustain persistence.

UAT-8099 then installs a variant of BadIIS malware, similar to previously known threats such as Gamshen, which activates only when requests come from Google by checking if the user agent is Googlebot. This malware operates in three modes: proxying to communicate with command-and-control (C2) servers, injecting malicious JavaScript into responses to redirect users to unauthorized ads or gambling sites, and conducting SEO fraud through backlinking.
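Because the malware described above only alters responses when the request claims to come from Googlebot, a defender can look for that asymmetry in the server's own logs: a page that returns a larger body or a redirect to the bot, but not to ordinary browsers. The following script is an added example, not code from Cisco Talos or from the article; it parses IIS W3C extended log lines (the field order is taken from the `#Fields:` header, and the sample lines are constructed) and reports paths whose Googlebot responses diverge in status code or size from everyone else's. The thresholds and field names are assumptions for illustration.

```python
"""Heuristic SEO-cloaking check over IIS W3C extended log lines.

Flags URL paths where requests carrying a Googlebot user agent receive a
different status code, or a markedly different response size, than requests
from ordinary browsers. This is the traffic pattern a BadIIS-style module
produces when it serves injected content only to the crawler.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log, in the IIS W3C extended format. IIS encodes spaces
# inside the user agent as '+', so each record splits cleanly on whitespace.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2025-04-01 10:00:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 5120 300 15
2025-04-01 10:00:07 10.0.0.5 GET /index.aspx - 443 - 198.51.100.11 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0)+Safari/604.1 - 200 0 0 5140 280 12
2025-04-01 10:00:15 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 14200 250 40
2025-04-01 10:01:02 10.0.0.5 GET /about.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 3010 300 10
2025-04-01 10:01:20 10.0.0.5 GET /about.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 3012 250 11
2025-04-01 10:02:05 10.0.0.5 GET /news.aspx - 443 - 198.51.100.12 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 4100 300 9
2025-04-01 10:02:30 10.0.0.5 GET /news.aspx - 443 - 203.0.113.8 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 210 250 8
"""


def parse_iis_log(text):
    """Return one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # records before any #Fields: header cannot be interpreted
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def is_googlebot(user_agent):
    """Match the crawler string the malware keys on (case-insensitive)."""
    return "googlebot" in user_agent.lower()


def find_cloaked_paths(rows, size_ratio=1.5):
    """Compare Googlebot vs. non-bot responses per path; return suspicious paths.

    size_ratio is an assumed threshold: a median bot response body that is
    1.5x larger or smaller than the browser median is reported.
    """
    by_path = defaultdict(lambda: {"bot": [], "other": []})
    for r in rows:
        try:
            status = int(r["sc-status"])
            size = int(r["sc-bytes"])
            path = r["cs-uri-stem"]
        except (KeyError, ValueError):
            continue
        key = "bot" if is_googlebot(r.get("cs(User-Agent)", "")) else "other"
        by_path[path][key].append((status, size))

    findings = []
    for path, groups in sorted(by_path.items()):
        if not groups["bot"] or not groups["other"]:
            continue  # nothing to compare against
        bot_statuses = {st for st, _ in groups["bot"]}
        other_statuses = {st for st, _ in groups["other"]}
        bot_size = median([sz for _, sz in groups["bot"]])
        base_size = median([sz for _, sz in groups["other"]])
        reasons = []
        only_bot = bot_statuses - other_statuses
        if only_bot:
            reasons.append(f"Googlebot-only status codes: {sorted(only_bot)}")
        if base_size and bot_size:
            ratio = max(bot_size / base_size, base_size / bot_size)
            if ratio >= size_ratio:
                reasons.append(
                    f"response size diverges {ratio:.1f}x "
                    f"(bot median {bot_size:.0f} B vs browser median {base_size:.0f} B)"
                )
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_cloaked_paths(parse_iis_log(SAMPLE_LOG)):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed sample the script reports `/index.aspx` (the crawler receives a body almost three times larger, consistent with injected script) and `/news.aspx` (the crawler alone is redirected), while `/about.aspx` is quiet. Treat hits as leads, not verdicts: sites that legitimately pre-render for crawlers will also show size differences, so confirm by fetching the flagged path yourself with and without a Googlebot user agent and diffing the bodies, and by inspecting the IIS module list on the host for anything unexpected. A complementary check is whether the self-declared Googlebot requests actually originate from Google's published crawler ranges, since neither the malware nor the group's own verification traffic has to.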

The group uses a graphical search tool called Everything on the compromised IIS servers to locate valuable information, which it then packages for resale or further exploitation. The total number of compromised servers remains unknown.


Cisco Talos explained that backlinking—a technique involving links pointing to a website—is commonly used to increase search engine visibility. However, accumulating backlinks indiscriminately can result in penalties from Google, making the group’s approach risky despite its potential for financial gain.
