Dissecting UAT-8099: New persistence mechanisms and regional focus
- Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services (IIS) servers across Asia with a specific focus on victims in Thailand and Vietnam.
- Analysis confirms significant operational overlaps between this activity and the WEBJACK campaign, including shared indicators of compromise such as malware hashes, command and control (C2) infrastructure, and victimology.
- UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers.
- New variants of BadIIS now hardcode the target region directly into the malware, offering customized features for each specific variant. These customizations include exclusive file extensions, corresponding dynamic page extensions, directory indexing configurations, and the ability to load HTML templates from local files.
- A Linux Executable and Linkable Format (ELF) variant of BadIIS was uploaded to VirusTotal on Oct. 1, 2025. The malware includes proxy mode, injector mode, and search engine optimization (SEO) fraud mode, similar to what Talos described in the previous UAT-8099 blog.
UAT-8099 new activity

Cisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of Cisco’s file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan, Thailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. Furthermore, this activity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations across malware hashes, C2 infrastructure, victimology, and the promoted gambling sites.

While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly. First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence.
Infection chain
Upon gaining initial access, the threat actor executes standard reconnaissance commands, such as whoami and tasklist, to gather system information. Following this, they deploy VPN tools and establish persistence by creating a hidden user account named “admin$”. UAT-8099 has further expanded their arsenal with several new tools, listed below:
- Sharp4RemoveLog: A .NET utility designed to clear all Windows event logs, effectively erasing forensic traces
- CnCrypt Protect: A Chinese-language file-protection utility. In this intrusion activity, it is abused to hide malicious files and facilitate dynamic-link library (DLL) redirection. This tool has been linked to previous IIS attacks since 2024, including SEO fraud campaigns targeting Vietnam and China, as well as the WEBJACK campaign.
- OpenArk64: An open source anti-rootkit. The threat actor uses its kernel-level access to terminate security product processes that are otherwise protected from deletion.
- GotoHTTP: An online remote control tool. The threat actor deploys it with a VBScript, giving them remote control of the compromised server. Talos provides more detail in the following section.
Subsequently, the threat actor deploys two archive files containing the latest version of the BadIIS malware. Notably, the file names of these archives are correlated with the specific geographic regions targeted by the BadIIS malware; for example, “VN” denotes Vietnam and “TH” denotes Thailand.
C:/Users/admin$/Desktop/TH.zip
C:/Users/admin$/Desktop/VN.zip
Following the publication of our previous research, Cisco Security products have widely flagged the “admin$” account name. In response, if this name is blocked, the threat actor creates a new user account named “mysql$” to maintain access and sustain the BadIIS SEO fraud service.

Using the newly created account, the threat actor redeploys the updated BadIIS malware to the compromised machines. Notably, this marks a strategic shift from broad, global targeting to a specific regional focus. This is evidenced by the directory naming conventions for the malware and its scripts, which use identifiers such as “VN” for Vietnam and “newth” for Thailand.
C:/Users/mssql$/Desktop/VN/fasthttp.dll
C:/Users/mssql$/Desktop/VN/cgihttp.dll
C:/Users/mssql$/Desktop/VN/install.bat
C:/Users/mssql$/Desktop/VN/uninstall.bat
C:/Users/mssql$/Desktop/newth/iis32.dll
C:/Users/mssql$/Desktop/newth/iis64.dll
C:/Users/mssql$/Desktop/newth/install.bat
C:/Users/mssql$/Desktop/newth/uninstall.bat
Additionally, Talos observed the UAT-8099 threat actor attempting to create alternative hidden accounts to maintain persistence. The specific commands used to create these accounts and execute subsequent actions are detailed in Figures 3a, 3b, and 3c.



Abuse of the GotoHTTP remote control tool
Talos has observed several instances where UAT-8099 uses a web shell to execute PowerShell commands, which subsequently download and run a malicious VBScript. This script is designed to deploy the GotoHTTP tool and exfiltrate the “gotohttp.ini” configuration file to the C2 server. This enables the threat actor to obtain the connection ID and password necessary to remotely control the infected server.

The malicious script contains multiple functions, each annotated by the threat actor using Simplified Chinese and Pinyin comments. We provide a detailed analysis of these functions below.
The code begins by initializing key parameters, including the download and upload URLs, file paths, and the expected file size of “gotohttp.exe”. Notably, this initialization section is marked with the comment “dingyichangliang” (定义常量), which translates to “Define Constants.”

The first functional block is marked with the comment “xiazaiwenjian” (下载文件), which translates to “Download File.” In this section, the code utilizes an HTTP GET request to download the GotoHTTP tool, saving it to the public folder as “xixixi.exe”.

The second and third function blocks are marked with the comments “jianchawenjian” (检查文件) and “jianchawenjian” (检查文件大小), translating to “Check File” and “Check File Size,” respectively. In these sections, the code verifies the integrity of the downloaded GotoHTTP tool by ensuring the file size exceeds the threshold defined in the previous block. If the validation fails, the script sends an error message to the C2 server, reporting either “xiazaishibai” (下载失败 – Download Failed) or “daxiaobudui” (大小不对 – Incorrect Size).

The fourth and fifth function blocks are marked with the comments “zhixingwenjian” (执行文件) and “jianchajieguo” (检查结果), translating to “Execute File” and “Check Result,” respectively. In these sections, the code executes the GotoHTTP tool in a hidden window without waiting for the process to terminate. Notably, the code uses Chr(34) to represent quotation marks, as indicated by the comments. This technique is employed to avoid syntax errors caused by improper escaping; using Chr(34) allows the insertion of the double-quote character without breaking the code structure.
Following a five-second sleep delay, the script attempts to upload the “gotohttp.ini” file to the C2 server. If the file is missing, it sends the error message “gotohttp.ini bucunzai” (gotohttp.ini 不存在 – gotohttp.ini does not exist).

The last function block is marked with the comment “qingli” (清理), translating to “Clean.” This section releases all the COM objects the script created.

Two new BadIIS malware variants targeting specific regions
Since September 2025, Talos has observed two new variants of BadIIS appearing in the wild, both utilized for SEO fraud. While other vendors have observed these malware families, this section provides a deep analysis based on our reverse engineering and infection chain assessment. We have determined that UAT-8099 customizes these new BadIIS clusters to target specific regions. The first cluster, which we have named BadIIS IISHijack, derives its name from the original malware file name. The second cluster, BadIIS asdSearchEngine, is named after the PDB strings observed within the sample.
E:\原生DLL\SearchEngine\Release\SearchEngine.pdb
C:\Users\qwe\source\repos\Dll1dasd\x64\Release\Dll1dasd.pdb
BadIIS IISHijack primarily targets victims in Vietnam. This variant explicitly embeds the country code within its source code and creates a specific directory named when the malware drops into the victim’s machine.

BadIIS asdSearchEngine malware focuses on targets in Thailand or users with Thai language preferences. By using the CHttpModule::OnBeginRequest handler, the malware hijacks incoming HTTP traffic and analyzes headers such as “User-Agent” and “Referer” to determine its next move. A key addition to this version is the use of the “Accept-Language” header to verify the target region.

When an infected IIS server receives a request, the malware first filters the file path. If the path contains an extension on its exclusion list, it ignores the request to preserve static resources. Next, it checks the “User-Agent” to see if the visitor is a search engine crawler (e.g., Googlebot, sogu, 360spider, or Baiduspider). If confirmed, the crawler is redirected to an SEO fraud site. However, if the visitor is a standard user and the malware verifies that the “Accept-Language” field indicates Thai, it injects HTML containing a malicious JavaScript redirect into the response.
We have identified three distinct variants within this BadIIS cluster. While they share the core workflow described above, each possesses unique features, which are detailed in the following section. Moreover, to evade detection, some specific variants employ XOR encryption (key 0x7A) to obfuscate their C2 configuration and malicious HTML content.


Exclusive multiple extensions variant
While many variants employ extensive exclusion lists, the specific extensions targeted can differ between them. For the purpose of this analysis, we will use a representative example to illustrate the general functionality and strategy. Before executing its malicious payload, the new BadIIS variant inspects the URL path for specific file extensions. This filtering mechanism serves three strategic objectives:
- The extensions (.png, .jpg, .css, .js, .woff, .ttf, .eot, and .otf) are critical for a website’s appearance, layout, and interactive features. If the BadIIS were to indiscriminately redirect or tamper with requests for these essential assets, the website would quickly appear broken to users and administrators.
- The BadIIS likely uses filtering based on document type extensions (.pdf, .txt, .xml, .json, .doc, .docx, .xls, and .xlsx) and web-related files extensions (.manifest, .appcache, .webmanifest, .robots, and .sitemap) to focus its malicious injections (e.g., hidden links, keywords, malicious scripts) or redirect specifically on HTML pages or other content types that contribute to SEO rankings or user interaction, while leaving static assets untouched.
- The archive extensions (.zip, .rar, .7z, .tar, .gz) are filtered so that the BadIIS can conserve resources.

Dynamic page extension/directory index variant
Another variant of BadIIS adds a validation function that checks if a requested path corresponds to a dynamic page extension or a directory index. This determines whether the request is routed to the malware’s dynamic processing flow.
We assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting while maintaining stealth. Since SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most effective. Furthermore, by restricting hooks to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs.

Load HTML templates variant
The last variant of BadIIS contains a sophisticated HTML template generation system that dynamically creates web content. It has a content generator that can load templates from disk or use embedded fallbacks, then performs extensive placeholder replacement with random data, dates, and URL-derived content.

If there are no files found in the host, the BadIIS generates a response using an embedded HTML template, populating a date placeholder with the local system time. Notably, the variable names within this HTML template are written in Chinese Pinyin. Below, Talos provides detailed translations of these variables. Analyzing these names allows us to accurately determine how the dynamic template leverages keywords to facilitate SEO fraud.

Head section
- <title>{biaoti}</title>: The browser tab title; substituted from {biaoti} (“标题”, title).
- <meta name="description" content="{shoudongmiaoshu}">: SEO description; {shoudongmiaoshu} (“手动描述”, manual description).
- <meta name="keywords" content="{guanjianci}">: SEO keywords; {guanjianci} (“关键词”, keywords).
Body section
- <h1>Welcome to {biaoti}</h1>: Main heading, repeats the title.
- <p>{shoudongmiaoshu}</p>: A paragraph with the manual description.
- <p>Current URL: {gudinglianjie}</p>: Shows the fixed/current link; {gudinglianjie} (“固定链接”, permalink).
- <p>Date: {riqi}</p>: The date; {riqi} (“日期”, date).
- <p>Contact: {suijirenming1}</p>: A contact name; {suijirenming1} (“随机人名”, random person name).
- <div>{suijiduanluo1}</div>: A block of content; {suijiduanluo1} (“随机段落”, random paragraph).
The keywords that UAT-8099 intends to promote are directly embedded within the BadIIS malware. BadIIS utilizes these keywords to populate page titles and generate HTML content, thereby facilitating SEO fraud. The screenshot below captures a representative sample of these keywords; however, the complete list embedded within the malware is significantly more extensive.

Linux BadIIS variant found on VirusTotal
Talos also identified an ELF variant of BadIIS submitted to VirusTotal that exhibits functionality identical to the samples described in Talos’ previous blog post that includes the proxy, injector, and SEO fraud modes. Furthermore, the malware’s hardcoded C2 servers share the same domain we previously documented. Based on these indicators, we assess with high confidence that this malware is attributable to UAT-8099.

Below is the targeted URL path pattern, which is identical to the pattern in our previous UAT-8099 post.
news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|nohu
While the behavior and URL path signature match our previous report, there is a key difference between this ELF BadIIS variant and the older BadIIS. Unlike the previous version, which targeted numerous search engines, this variant targets only three. The target search engines are shown as follows.
| User-agent | Referer |
| --- | --- |
| Googlebot | |
| Bingbot | bing |
| Yahoo! | yahoo |
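The cloaking behaviour described above (crawlers redirected to the SEO fraud site while ordinary visitors receive the normal page) leaves a recognisable pattern in IIS logs. The following detection script is an added example, not Talos code; it assumes a W3C log with the field order date, time, cs-method, cs-uri-stem, cs-uri-query, sc-status, cs(User-Agent), uses the crawler names from the table above and the keyword pattern from the ELF variant, and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Crawler User-Agent substrings from the ELF BadIIS target table above.
CRAWLER_UAS = ("googlebot", "bingbot", "yahoo")

# URL path keyword pattern quoted from the ELF variant, applied case-insensitively.
PATH_KEYWORDS = re.compile(
    r"news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap"
    r"|app|ios|video|games|xoso|dabong|nohu",
    re.IGNORECASE,
)

def parse_iis_line(line):
    """Parse one W3C log line into path/status/UA; assumed field order, IIS encodes spaces in UA as '+'."""
    if line.startswith("#"):          # directive lines such as #Fields
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"path": parts[3], "status": int(parts[5]), "ua": parts[6].replace("+", " ")}

def find_cloaked_paths(lines):
    """Return (path, matches_keyword_pattern) for paths where crawlers got a 3xx but users got 200."""
    by_path = defaultdict(lambda: {"crawler": set(), "user": set()})
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        kind = "crawler" if any(c in rec["ua"].lower() for c in CRAWLER_UAS) else "user"
        by_path[rec["path"]][kind].add(rec["status"])
    suspicious = []
    for path, seen in by_path.items():
        crawler_redirected = any(300 <= s < 400 for s in seen["crawler"])
        if crawler_redirected and 200 in seen["user"]:
            suspicious.append((path, bool(PATH_KEYWORDS.search(path))))
    return sorted(suspicious)

# Constructed sample log: one cloaked path, one clean page, one static asset.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-10-02 08:00:01 GET /news/casino-bonus.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0
2025-10-02 08:00:05 GET /news/casino-bonus.aspx - 302 Mozilla/5.0+(compatible;+Googlebot/2.1)
2025-10-02 08:00:09 GET /news/casino-bonus.aspx - 302 Mozilla/5.0+(compatible;+bingbot/2.0)
2025-10-02 08:01:00 GET /about.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0
2025-10-02 08:01:03 GET /about.aspx - 200 Mozilla/5.0+(compatible;+Googlebot/2.1)
2025-10-02 08:02:00 GET /static/logo.png - 200 Mozilla/5.0+(compatible;+Googlebot/2.1)"""

if __name__ == "__main__":
    for path, keyword_hit in find_cloaked_paths(SAMPLE_LOG.splitlines()):
        print(f"cloaked: {path} (keyword pattern match: {keyword_hit})")
```

A keyword match on a cloaked path raises confidence, but the crawler-versus-user status split is the primary signal and should be checked on any path.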
Coverage
ClamAV detections are also available for this threat:
- Win.Malware.Tedy-10059198-0
- Win.Trojan.Crypter-10059205-0
- Win.Trojan.BadIIS-10059191-0
- Unix.Trojan.BadIIS-10059196-0
- Win.Trojan.IISHijack-10059197-0
- Win.Malware.Remoteadmin-10059206-0
- Win.Packed.Zpack-10059207-0
- Txt.Trojan.BadIIS-10059202-0
The following Snort Rules (SIDs) detect and block this threat:
- Snort2: 65712, 65713, 65710, 65711, 65708, 65709, 65707, 65706.
- Snort3: 301378, 301377, 301376, 65707, 65706
Indicators of compromise (IOCs)
The IOCs for this threat are available at our GitHub repository here.