Top 5 Phishing-Driven Social Engineering Attacks on Companies in 2026

Your employees are not falling for “bad grammar” phishing anymore. They are being pulled into fake Microsoft logins, banking pages, AI tool instructions, real OAuth flows, and event invitations that look close enough to daily work to pass without alarm. 

For CISOs, that is the real social engineering problem in 2026: attacks are no longer easy to separate from normal business activity. And when the SOC cannot quickly see what happened after the click, every investigation becomes a race against exposure. 

The New CISO Problem: Social Engineering That Looks Like Business as Usual 

Modern social engineering attacks are harder to stop because they no longer rely only on suspicious attachments or poorly written emails. They copy the workflows employees use every day. 

For CISOs, this leads to difficult operational issues. The SOC may detect a suspicious link, page, or login attempt, but still lack the full context to understand whether the incident led to credential theft, token abuse, remote access, or exposure of business-critical systems. 

That creates several problems at once: 

  • Too many gray-zone alerts that require manual validation 
  • Slow confidence during triage because the activity looks close to legitimate work 
  • Context gaps between Tier 1, Tier 2, and IR teams 
  • Delayed prioritization when the business impact is unclear 
  • Higher pressure on senior SOC resources due to unnecessary or poorly prepared escalations 
  • Limited executive visibility into whether the incident is a minor phishing attempt or a real access risk 

This is why modern social engineering is a visibility, escalation, and decision-making problem for the entire security operation. 

Turn unclear phishing alerts into confident SOC decisions.
Use interactive analysis to validate risks faster.



Power your SOC now


1. Fake Microsoft Login Pages Still Work Because They Abuse Daily Business Habits 

Fake Microsoft login pages remain one of the most common social engineering tactics because they imitate a workflow employees already trust: opening a shared file, checking email, accessing OneDrive, or signing into Microsoft 365. 

View analysis session with Microsoft page abuse 

Fake Microsoft login page exposed inside ANY.RUN sandbox
Fake Microsoft login page exposed inside ANY.RUN sandbox

For security leaders, the concern is that this attack still hits one of the most valuable parts of the business: identity. Microsoft accounts often connect employees to email, files, SaaS tools, internal conversations, customer communication, and partner access. Once one account is compromised, the impact can quickly move beyond a single inbox. 

CISO blind spot: The SOC may treat a fake login page as a simple phishing event, while the real business risk may be account takeover, email compromise, or lateral movement through connected cloud services. 

2. Banking Phishing Turns Employee Trust into Financial Exposure 

Banking-themed phishing attacks are especially risky because they target workflows employees may already treat as urgent: payment alerts, transaction issues, account notices, invoices, or financial document requests. 

In the BlobPhish campaign observed by ANY.RUN, attackers impersonated major financial and cloud services, including Chase, Capital One, FDIC, E*TRADE, Schwab, Microsoft 365, OneDrive, and SharePoint. The campaign used phishing pages that appeared directly inside the browser, making them harder for traditional tools to detect through normal URL, file, or network visibility. 

View the observed analysis session in ANY.RUN sandbox 

Phishing pseudo-MS365 page loaded as a blob object 
Phishing pseudo-MS365 page loaded as a blob object 

The danger is that these lures touch systems tied to money, approvals, vendors, customer data, and cloud access. A single captured credential can open the door to payment fraud, mailbox abuse, partner-facing scams, or sensitive data exposure. 

CISO blind spot: A banking phishing lure may look like a narrow credential-theft attempt, but in a corporate environment, it can expose financial operations, cloud accounts, partner communication, and sensitive business data. 

3. ClickFix Attacks Abuse Employee Trust in AI Tools 

ClickFix attacks are becoming more dangerous as employees rely on AI tools for coding, research, automation, and daily productivity. Instead of sending a suspicious attachment, attackers imitate the tools people already use and guide them through actions that feel like normal setup or troubleshooting. 

In one ANY.RUN case, attackers used fake documentation pages for popular AI tools, including Claude Code and Grok. The victim was prompted to run a command that appeared to be part of the installation or configuration process. In reality, that action launched a malware infection on macOS. 

Observe the attack chain in a live sandbox session 

Multi-OS attack: malicious terminal commands for various platforms
Multi-OS attack: malicious terminal commands for various platforms

This tactic is especially risky because it targets high-value users. Developers, product teams, finance employees, and executives often use Macs and AI tools, and they may also have access to source code, cloud environments, financial systems, customer data, or internal documents. 

CISO blind spot: ClickFix attacks may not look like a traditional phishing incident. The user is not opening a strange attachment. They are following instructions from what appears to be a trusted AI tool page. That makes the attack harder to catch early and easier to underestimate until credentials, session data, or endpoint access are already exposed. 

Close the visibility gap around business-critical users.
Protect the teams and systems attackers target first. 



Strengthen SOC visibility


4. OAuth Device Code Phishing Turns Legitimate Microsoft Login into an Access Risk 

OAuth device code phishing is dangerous as it does not follow the usual fake-login-page pattern. The victim is sent to a real Microsoft verification page, enters a code, completes authentication, and may even pass MFA. 

In the EvilTokens campaign observed by ANY.RUN, attackers abused Microsoft’s OAuth Device Code flow to get access tokens without directly stealing the user’s password. More than 180 phishing URLs were detected in one week, showing how quickly this technique can spread across Microsoft 365 environments. 

View sample analysis in ANY.RUN Interactive Sandbox 

Full attack chain exposed in ANY.RUN Sandbox
Full attack chain exposed in ANY.RUN Sandbox

This makes the attack harder to recognize as phishing. From the user’s side, the process looks legitimate. From the security team’s side, the activity may blend into normal authentication traffic until the account is already exposed. 

CISO blind spot: OAuth device code phishing may not trigger the same warning signs as a fake login page. The user authenticates through Microsoft, but the attacker receives the token. That can lead to Microsoft 365 account takeover, mailbox access, cloud data exposure, and delayed response because the compromise does not look like classic credential theft. 

5. Fake Invitations Turn Simple Lures into Access Risk 

Fake invitation phishing works because it feels harmless. An event invite, a CAPTCHA check, and a sign-in page can look like a normal online workflow, especially when employees are used to opening meeting links, webinars, vendor invitations, and shared business events. 

In a U.S.-targeted campaign analyzed by ANY.RUN, attackers used fake event invitation pages to push victims toward credential theft, OTP interception, or remote management tool installation. Some pages collected email credentials and one-time codes, while others delivered legitimate RMM tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue. 

View analysis session in ANY.RUN Sandbox

Fake invitation used as a lure, exposed inside ANY.RUN sandbox
Fake invitation used as a lure, exposed inside ANY.RUN sandbox

That makes the campaign harder to judge quickly. The same type of lure can lead to different outcomes: stolen mailbox access, intercepted MFA codes, or remote access inside the environment. For the SOC, this creates a gray-zone investigation where several small signals need to be connected before the real risk becomes clear. 

CISO blind spot: A fake invitation may look like a low-priority phishing page, but it can become an access problem fast. If the SOC cannot quickly see whether the page led to credential theft, OTP capture, or RMM installation, response may start only after exposure has already grown. 

Don’t let trusted login flows hide real compromise.
Give your SOC clearer evidence.



Strengthen your SOC


How CISOs Can Close These Social Engineering Blind Spots 

The hardest part of modern social engineering response is often not spotting something suspicious. It is proving what happened next fast enough to make the right decision. 

A suspicious email, link, page, or file may be detected, but the SOC still needs to answer the questions that determine the real risk: Did the user submit credentials? Was MFA or OAuth abused? Was remote access delivered? Did the activity reach an endpoint? Does this require escalation, containment, or leadership attention? 

To close this gap, social engineering investigations need to move through a clearer workflow: 

1. Validate the threat before it becomes a bigger incident 

When a suspicious email, link, file, or phishing page reaches the SOC, the priority is not only to label it as malicious or benign. The team needs to understand what the object actually does and how far the activity could go if left unchecked. 

Phishing sample analyzed inside ANY.RUN sandbox 
Phishing sample analyzed inside ANY.RUN sandbox 

ANY.RUN’s Interactive Sandbox lets teams safely open the suspicious object and observe the full behavior in real time: redirects, fake login pages, OTP prompts, file downloads, remote access activity, and concealment attempts. Instead of guessing from isolated alerts, the SOC can see and interact whenever needed. 

This gives teams earlier certainty during the most critical stage of triage. They can confirm the real risk faster, decide whether the case needs escalation, and reduce the chance that a “small” social engineering alert becomes a larger business incident. 

2. Turn investigation results into evidence the whole SOC can use 

Even when the attack is visible, teams still need to communicate the findings clearly. Raw telemetry can slow down handoffs, create context loss, and make it harder for managers to understand severity. 

With Tier 1 Reports and AI Summary inside the sandbox, findings become structured, SOC-ready context: what happened, why it matters, what evidence supports escalation, and where the team should focus next. 

This gives teams several practical benefits: 

  • Faster triage because Tier 1 gets a clear threat overview without manually rebuilding the attack story 
  • Cleaner escalations as Tier 2 and IR receive context, not just raw indicators 
  • Less context loss when the case moves between teams or shifts 
  • More consistent reporting across analysts and incidents 
  • Clearer management visibility into severity, exposure, and required next steps 
  • Better response decisions because teams can act on confirmed behavior, not assumptions 

This way, social engineering investigations do not stop at “we found suspicious activity.” They become ready-to-use evidence for prioritization, escalation, containment, and leadership reporting. 

Clarity for analysts. Visibility for decision-makers.
Faster response across your SOC.



Optimize your SOC workflow


3. Understand whether the case is isolated or part of a wider campaign 

After the behavior is confirmed, the next question is scope. Is this one phishing attempt, or part of a broader campaign targeting similar companies, industries, or regions? 

With ANY.RUN Threat Intelligence, teams can pivot from one case to related domains, IOCs, URL patterns, infrastructure, and similar sandbox sessions. This gives the SOC broader context for detection, hunting, and prioritization, so teams are not making decisions from one alert alone. 

Relevant sandbox sessions displayed inside ANY.RUN’s TI Lookup for better context and deeper analysis 

For security leaders, this creates a stronger operating model for social engineering response: 

  • Earlier risk confirmation before credential theft, token abuse, or remote access turns into a larger incident 
  • Better campaign awareness when one suspicious case is connected to related infrastructure and repeated attack patterns 
  • Stronger SOC consistency because investigations follow the same process instead of depending on individual experience 
  • Improved resource allocation as senior teams focus on cases with confirmed exposure, not unclear alerts 
  • More defensible incident decisions based on visible behavior, threat context, and structured reporting 
  • Clearer business-risk communication when leaders need to understand what happened, what is exposed, and what happens next 

This turns social engineering response into a repeatable process: observe the attack, enrich the context, document the findings, and act before exposure spreads. 

From Social Engineering Visibility to SOC Performance 

Closing social engineering blind spots is about reducing the operational drag these attacks create across the SOC: unclear alerts, manual validation, repeated handoffs, and delayed decisions. 

ANY.RUN helps security teams improve that process with interactive sandbox analysis and threat intelligence solutions working together in one investigation workflow.

Boosting SOC performance with ANY.RUN’s sandbox analysis and threat intelligence solutions
Boosting SOC performance with ANY.RUN’s sandbox analysis and threat intelligence solutions

Organizations using ANY.RUN report: 

  • 21 minutes faster MTTR per case, helping reduce the time between detection and containment 
  • 94% faster triage reported by users during suspicious file, URL, and phishing investigations
  • 30% fewer Tier 1 to Tier 2 escalations, helping protect senior team capacity  
  • Up to 20% lower Tier 1 workload by reducing manual investigation effort 
  • Up to 3x stronger SOC efficiency across validation, enrichment, escalation, and response workflows 

These results show the practical value of closing social engineering blind spots: fewer delays, less wasted effort, and faster confidence when the business needs a clear answer. 

Reduce the delay between detection and confident action.

Give your SOC the context to respond before exposure spreads.



Power your SOC now


About ANY.RUN 

ANY.RUN delivers cybersecurity solutions built to support real-world SOC operations. Its platform helps security teams investigate threats faster, make informed decisions, and apply threat intelligence across detection, triage, response, and reporting workflows. 

The company’s solutions include the Interactive Sandbox for enterprise-grade malware and phishing analysis, as well as ANY.RUN Threat Intelligence solutions, including TI LookupTI Feeds, TI Reports, and YARA Search. Together, they provide fresh, behavior-based intelligence built on live attack analysis. 

ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. For SOCs, MSSPs, and enterprise security teams, ANY.RUN helps reduce investigation uncertainty, improve triage speed, and turn complex threat activity into clear, actionable evidence. 

The post Top 5 Phishing-Driven Social Engineering Attacks on Companies in 2026 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace.

The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. The Open

The Hacker News – ​Read More

How to Make Apps and Websites Remove Your Nonconsensual Nudes

Starting May 19, tech platforms in the US will have to start complying with the Take It Down Act. Here’s how more than a dozen of the largest platforms are handling takedown demands for your nudes.

Security Latest – ​Read More

PoC Released for DirtyDecrypt Linux Kernel Vulnerability

Patched in April, the underlying vulnerability allows local attackers to elevate their privileges to root.

The post PoC Released for DirtyDecrypt Linux Kernel Vulnerability appeared first on SecurityWeek.

SecurityWeek – ​Read More

This sneaky deal gets you a month of Peacock or Paramount+ for $1 – what to know

Binge your choice of Peacock or Paramount+ shows for the next 30 days with this under-the-radar deal that gets you tons of other perks, too.

Latest news – ​Read More

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

  • Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded “demo.pdb” strings — that functions as commodity malware. This variant is likely sold or shared among multiple Chinese-speaking cybercrime groups that operate under a malware-as-a-service (MaaS) model for continuous monetization. 
  • Analysis of program database (PDB) file paths reveals a sustained, multi-year development effort by an author operating under the alias “lwxat”, spanning from at least September 2021 through January 2026, with evidence of rapid iterative updates, feature branching, and reactive evasion tactics targeting specific security vendors such as Norton.
  • Talos recovered a dedicated builder tool that allows threat actors to generate configuration files, customize payloads, and inject parameters into BadIIS binaries — enabling capabilities including traffic redirection to illicit sites, reverse proxying for search engine crawler manipulation, content hijacking, and backlink injection for malicious search engine optimization (SEO) fraud. 
  • Beyond BadIIS, the same author has developed a suite of auxiliary tools — including service-based installers, droppers, and persistence mechanisms that automate deployment, ensure survivability across IIS server restarts, and evade detection through custom Base64 encoding and obfuscation techniques.

Mystery BadIIS containing “demo.pdb” 

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Since 2024, Talos has investigated numerous attacks across the Asia-Pacific region (along with a few in South Africa, Europe and North America) that utilize a specific variant of BadIIS characterized by “demo.pdb” strings. While multiple security vendors are tracking the global spread of these variants, Talos’ observed tactics, techniques, and procedures (TTPs) show notable divergences from those documented by other vendors like Trend Micro, Ahnlab, VNPT, and Elastic. Consequently, it is difficult to attribute these attacks to a single threat actor. However, we assess with moderate confidence that the “demo.pdb” BadIIS variant is a commodity tool utilized by multiple Chinese-speaking cybercrime groups. 

Insights from embedded PDB strings 

Although the core functionality of this BadIIS variant is largely limited to SEO fraud, content injection, and proxy‑based traffic manipulation, our investigation pivoted toward the malware’s embedded PDB strings. The consistent PDB path pattern offers much more intelligence value than the generic “demo.pdb” filename. The combination of a stable “AdministratorDesktop” build environment, Chinese-language folder names, and date-based versioning creates a highly reliable fingerprint for tracking and clustering this BadIIS version toolset. Beyond reinforcing our assessment that this is a commodity IIS malware family, the PDB paths enabled attribution to a possible customer name alias “x神” (“xshen”). Furthermore, the PDB artifacts reveal the existence of customized builds, some explicitly tailored to:

  • Bypass specific antivirus products, such as Norton 
  • Perform site‑wide hijacking 
  • Redirect users conditionally based on browser language or environment
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 1. “Custom site hijacking: redirect based on browser language” version.
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 2. PDB with 过诺顿 (bypass Norton antivirus) version.

Prompted by these initial discoveries, Talos expanded our threat hunting efforts to identify similar PDB strings associated with this author with high confidence. The PDB paths extracted from these BadIIS variants reveal a sustained, multi-year development effort spanning from at least September 2021 to January 2026. By analyzing the developer’s folder naming conventions, we can accurately map the malware’s evolutionary trajectory, feature branching, and commercialization model.

Timeline and iterative maintenance 

Talos observed that the earliest explicit timestamp in the PDB paths is Sept. 30, 2021, indicating that the development of this specific toolset began on or before this date. The naming conventions observed in folders such as “dll0217”, “dll0301”, and “dll0315” (likely representing February 17, March 1, and March 15) demonstrate periods of rapid, sprint-like updates. Additionally, the “dll-no503” directory is particularly notable; it likely represents a troubleshooting build designed to resolve an issue where the malware caused IIS to throw “503 Service Unavailable” errors, which would otherwise alert server administrators to the infection. Finally, the latest observed compilation date, “dll20260106” (Jan. 6, 2026), confirms that this toolset remains actively maintained and deployed in the wild as of early 2026.

Feature branching and evasion tactics 

Talos also observed that the folder “兼容百度浏览器+劫持robots.txt” (“Compatible with Baidu browser + hijacking robots.txt”) explicitly confirms the malware’s role in malicious SEO campaigns, specifically targeting the Chinese search engine ecosystem. Furthermore, the “2024-05-05-tcp” branch indicates a shift or enhancement in how the malware handles network traffic, potentially introducing custom proxying or SEO fraud communication protocols over raw TCP. Additionally, the inclusion of “过诺顿” (”bypass Norton”) in the build paths highlights a reactive development cycle, demonstrating that the author actively modifies the code to evade specific security vendor detections.

Below are the PDB strings Talos collected:

  • C:UsersAdministratorDesktop2021-09-30x64Releasedemo.pdb 
  • C:UsersAdministratorDesktopiisx64Releasedemo.pdb 
  • C:UsersAdministratorDesktopdllx64Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll0217Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll0217x64Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll0301Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll0301x64Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll0315Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll0315x64Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll-no503Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll-no503x64Releasedemo.pdb 
  • C:UsersAdministratorDesktop兼容百度浏览器+劫持robots.txtx64Releasedemo.pdb  
    (translation: “compatible with Baidu browser + hijacking robots.txt”
  • C:UsersAdministratorDesktop2023-10-10dllReleasedemo.pdb 
  • C:UsersAdministratorDesktop2023-10-10dllx64Releasedemo.pdb 
  • C:UsersAdministratorDesktop2023-11-02dllReleasedemo.pdb 
  • C:UsersAdministratorDesktop2023-11-02dllx64Releasedemo.pdb 
  • C:UsersAdministratorDesktop2024-05-05-tcpx64Releasedemo.pdb 
  • C:UsersAdministratorDesktop2024-05-05-tcpReleasedemo.pdb 
  • C:UsersAdministratorDesktopJ3x64Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll(cur)Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll(cur)x64Releasedemo.pdb 
  • C:UsersAdministratorDesktop2024-05-05-tcp(过诺顿)xshenReleasedemo.pdb  
    (translation: “bypass Norton”
  • C:UsersAdministratorDesktop2024-05-05-tcp(过诺顿)xshenx64Releasedemo.pdb  
    (translation: “bypass Norton”
  • C:UsersAdministratorDesktop2025-11-21 (x神订制全站劫持按浏览器语言跳转)dllReleasedemo.pdb  
    (translation: “xshen custom site hijacking: redirect based on browser language)” 
  • C:UsersAdministratorDesktop2025-11-21 (x神订制全站劫持按浏览器语言跳转)dllx64Releasedemo.pdb  
    (translation: “xshen custom site hijacking: redirect based on browser language”
  • C:UsersAdministratorDesktopdll20260106Releasedemo.pdb 
  • C:UsersAdministratorDesktopdll20260106x64Releasedemo.pdb

Builder architecture and BadIIS generation 

During our research into these BadIIS campaigns, Talos discovered a builder tool specifically designed for this malware variant. The threat actor utilizes this utility to generate configuration files, JavaScript redirectors, and PHP backlink scripts, as well as to inject custom parameters directly into the BadIIS malware. Figure 3 shows a screenshot of the builder’s interface.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 3. Builder screenshot.

The observed builder is labeled as “version 1.0,” with an estimated original release year of 2021. However, the application header and compilation timestamp indicate that this specific artifact is an updated build compiled on August 22, 2022. The interface fields and configurable settings perfectly align with known BadIIS capabilities, which can be categorized into four primary functions: 

  • Traffic redirection: The builder allows threat actors to input target URLs, typically JavaScript-based redirectors, designed to be injected into the victim’s browser. This feature forcibly redirects legitimate user traffic to spam infrastructure, such as illegal gambling, adult content, or other malicious websites. 
  • Reverse proxy: This feature manipulates how the compromised server interacts with search engine crawlers. When a crawler visits specific hidden URLs, the BadIIS malware acts as a reverse proxy, silently fetching illicit content from the threat actor’s command-and-control (C2) backend and serving it to the crawler for indexing. Furthermore, the builder includes a toggle to enable this reverse proxy behavior globally, intercepting crawlers even if they do not visit the designated hidden URLs.
  • Content hijacking: The builder includes a site hijacking function capable of replacing the compromised website’s original content for both normal users and search engine crawlers. Threat actors can configure the hijacking rate (percentage of traffic affected), toggle whether the homepage is explicitly targeted, and supply a remote URL to dynamically fetch malicious title, description, and keyword (TDK) metadata. 
  • Internal and backlinks setting: The final component configures the injection of internal links and external backlinks. Internal links force search engines to discover and index the spam pages hosted directly on the compromised server. Meanwhile, external backlinks siphon the compromised server’s Domain Authority, passing that high reputation onto external illicit websites to artificially inflate their search engine rankings.
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 4. Builder workflow.

Furthermore, operating this builder is not a simple, single-click process. Prior to generating the final payloads, the threat actor must stage unconfigured 32-bit and 64-bit BadIIS binaries within the same directory as the builder. Upon initiating the build process, the builder generates a “config.txt” file based on the threat actor’s configured parameters.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 5. Configured parameters. 

It then attempts to authenticate with the C2 server by checking for the specific response string “lwxat”. Although the builder does not enforce this validation step — continuing the payload generation process regardless of whether the authentication succeeds or fails — this specific network behavior is highly valuable. Notably, this unique authentication mechanism serves as a critical pivot point, enabling us to identify and attribute other tools developed by the same author.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 6. Unique authentication mechanism.

The final step of the build process involves obfuscating the C2 server address using a single-byte XOR operation with the key 0x3. Once encoded, the builder embeds these addresses, along with all other configured parameters, directly into the final BadIIS malware under the output folder. This configured and output files are illustrated in Figure 7.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 7. Configuration embedded in a BadIIS sample. 
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 8. BadIIS output files and its original name.

Advancement of the builder architecture 

Talos has been tracking multiple cybercrime groups, including those detailed in our previous reports on DragonRank and UAT-8099, that utilize various BadIIS variants to turn global web servers into compromised assets for search engine manipulation. The BadIIS variants deployed by those two groups primarily relied on hardcoded C2 infrastructure and statically compiled payloads to spread. However, the variant characterized by the “demo.pdb” strings represents a significant departure from these previous iterations.

Based on the recovered builder and PDB strings, Talos assesses with moderate confidence that this “demo.pdb” variant is commodity malware, likely sold privately or shared within underground markets. The architecture of this toolset suggests a modular, MaaS business model designed for continuous monetization. The malware developer can initially sell a basic version of BadIIS alongside the builder tool. If a threat actor later requiresan advanced, updated, or customized version (such as the “Norton bypass” or “custom site hijacking: redirect based on browser language” modules), they can request a bespoke payload from the developer and use their existing builder to inject the necessary configurations. Figure 9 shows the workflow Talos assessed.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 9. Workflow assessed for commodity BadIIS.

Additional tools developed by same author 

By pivoting on the previously identified PDB strings and the authentication mechanism, Talos discovered that this author has developed a suite of additional tools designed to facilitate the installation of BadIIS on target machines. The observed PDB strings are listed below, followed by a detailed analysis of the differences between these tools and their respective capabilities.

  • D:\vc\dll封装进exe\x64\Release\moduleinit.pdb  
    (translation: “DLL packaged into EXE”
  • C:\Users\Administrator\Desktop\2024-05-28\install\x64\Release\install.pdb 
  • C:\Users\Administrator\Desktop\install\x64\Release\install.pdb 
  • C:vcserviceReleaseservice.pdb 
  • C:vcservicex64Releaseservice.pdb 
  • C:UsersAdministratorDesktopserviceReleaseservice.pdb 
  • C:UsersAdministratorDesktopbaosvchostx64Releaseservice.pdb 
  • C:UsersAdministratorDesktop2024-05-26svchostx64Releaseservice.pdb 
  • C:UsersAdministratorDesktopx神的自安装服务svchostx64Releaseservice.pdb
    (translation: “xshen self-installation service”)

Early service‑based installer 

Talos identified an additional tool that we assess with high confidence is linked to the same author. Upon execution, the tool verifies that it is running as a Windows service named “Winlogin.” If this condition is met, it initiates a two-stage C2 communication process. First, it connects to a primary C2 server for authentication. During this phase, the malware validates the connection by checking if the server’s response matches the specific string “lwxat”.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 10. First C2 server for authentication.

Once authenticated, it connects to a secondary C2 server to download and execute additional malicious payloads on the target machine. Furthermore, the malware uses double Base64 encoding to obfuscate the addresses of both C2 servers.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 11. Second C2 to download payload.

Configuration‑driven service installer 

Talos observed another service-based tool that dynamically locates and reads an external configuration file to deploy BadIIS onto target machines. This component serves the same operational purpose as the installation batch scripts traditionally observed in earlier BadIIS campaigns. Upon execution, the malware identifies its own absolute path and searches its current directory for a file named “config.txt”. This configuration file uses an XML-like syntax, employing custom tags such as “<globalModules>”, “<name>”, “<path>”, and “<cmd>”. The tool employs a custom parsing routine to segment the file based on these tags, extracting string arrays that dictate its subsequent actions. Using this extracted data, the malware dynamically assembles command-line instructions by iterating through the parsed modules and replacing placeholders like “{name}” and “{path}” with randomized DLL paths and command snippets.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 12. Configuration tags.

During this assembly phase, the tool specifically prepares commands for both 32-bit and 64-bit BadIIS (e.g., appending “32.dll” /y and “64.dll” /y). These fully-formed commands are then executed, likely via cmd.exe /c, using a function designed to capture the command output.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 13. Preparing commands for 32-bit BadIIS.

Authentication and configuration‑driven unified tool 

The threat actor continues to update this tool, recently merging two distinct capabilities into a single binary. The malware still impersonates the Winlogin system service for registration and persistence, but it now utilizes a higher volume of command-line executions to successfully install the BadIIS payload. Notably, these command lines closely resemble the syntax used in earlier BadIIS batch scripts. To evade detection by security products, the tool obfuscates its command lines and parameters using a custom Base64 encoding algorithm. A list of the encoded strings and their decoded counterparts is provided below.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Based on the decoded strings and the tool’s code structure, we can categorize the functionality of this upgraded tool into three primary areas. The first group of strings focuses on file discovery, searching for “module.txt”, “.dll”, and “.config” files. The “.config” and “.dll” searches serve the same purpose as in previous versions, targeting IIS configuration files and the BadIIS malware, respectively. The “module.txt” file likely acts as a staging file to temporarily store the IIS modules list before committing changes to the active configuration. Furthermore, this phase targets the “<globalModules>” and “<modules>” sections to register the malicious DLL at the server level. The second group handles payload registration; the tool utilizes specific XML nodes to inject its payloads into the IIS configuration, dynamically replacing placeholders (e.g., “{name32}” and “{path64}”) with actual values. Finally, the third group is responsible for locating the primary BadIIS DLL and establishing its backup location to ensure persistence. However, prior to executing its primary functions, the tool sends a request to the C2 server for authentication. The validation process remains identical to previous versions; the tool verifies the connection by checking if the server’s response matches the specific string “lwxat”.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 14. Specific string “lwxat” for authentication.

Latest two‑stage installation toolset 

Talos observed that the latest version of the service installation tool is now separated into two distinct files. The workflow is shown in Figure 15.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 15. Installation workflow.

The first file acts as the primary installer and begins by authenticating with the C2 server. Following successful authentication, it searches for the BadIIS malware, copies the payloads to specific primary and backup directories, and registers them within the IIS server module list to ensure persistence. Subsequently, it drops a secondary malware component, installing it as a Windows service. During our research, Talos observed this secondary malware impersonating legitimate services such as FaxService or AudiosService. Additionally, we recovered customization parameters and execution logs associated with this installer, which provided deeper insights into its overall capabilities.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 16. Customization parameters and execution logs file.

The commands and parameters embedded in the install are also encoded. Below is a list of the encoded strings and their decoded counterparts.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

The secondary malware component functions similarly to the previously described service tool. However, recognizing that security operations centers (SOCs) or antivirus products can easily quarantine or delete the primary BadIIS malware, the author has implemented a robust persistence mechanism. The installer now copies the BadIIS malware not only to the active directory used for hooking IIS requests and responses but also to a hidden backup location. This ensures that the malicious BadIIS is automatically restored and launched every time the compromised IIS server is restarted. The table below provides a list of the encoded strings and their decoded counterparts.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Module initialization dropper 

Alongside the service-based tools, Talos identified another utility that shares the same C2 authentication mechanism, custom Base64 encoding algorithm, and similar code structure. However, rather than operating as a persistent service, this tool functions primarily as a dropper designed to install the BadIIS malware onto the target IIS server. The embedded PDB string (“D:vcdll封装进exex64Releasemoduleinit.pdb”, which translates to “DLL packaged into EXE”) explicitly confirms its purpose: packaging malicious DLL payloads within a standalone executable. The BadIIS are found in the resource and named as “IIS32” and “IIS64” (see Figure 17).

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 17. BadIIS malware in the resource.

The drop location for this BadIIS malware is identical to the one used by the installation script previously documented by Trend Micro.

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 18. BadIIS malware drop location.

“lwxat”: BadIIS author identification 

Through detailed analysis of numerous BadIIS samples, associated tools, and builder artifacts, Talos assesses with moderate-to-high confidence that the string “lwxat” is the author’s alias or handle. This assessment is based on the following converging evidence: 

  • Builder authentication mechanism: The BadIIS builder and service tool uses the string “lwxat” as a hardcoded match string within its authentication routine, suggesting the author embedded their identity into the tool’s access control logic. 
  • Configuration parameter: The string “lwxat” is used as the enable function parameter within the builder’s “config.txt” file, further indicating authorship attribution embedded in the tool’s operational configuration. 
  • User-agent signature: Most notably, several BadIIS malware samples were observed using “lwxatisme” as a custom user-agent string during HTTP communications — a strong behavioral indicator that directly ties the malware to the “lwxat” persona.
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 19. The custom user-agent string “lwxatisme”.

Additionally, corroborating evidence was identified through PDB path strings found within certain samples. One PDB path contained the Chinese-language string:

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Figure 20. A folder for x神’s requirements.

This suggests that the author created a dedicated development folder for a user or client named “xshen” (x神), indicating that this particular BadIIS variant was a customized build tailored specifically for “xshen’s”requirements that a full-site traffic hijacking with redirection logic based on the victim’s browser language settings.

Collectively, these findings presence of “lwxat” across the builder’s authentication, configuration, and in-the-wild user-agent strings, combined with the PDB path referencing a customized build for “xshen” and provide converging evidence indicating that “lwxat” is the primary developer or operator behind the BadIIS malware family, potentially offering customization services to other threat actors. 

Coverage 

The following ClamAV signatures detect and block this threat: 

  • Win.Malware.BadIIS-10059971-0 
  • Win.Malware.BadIIS-10059977-0 
  • Win.Malware.BadIIS-10059984-0 
  • Win.Malware.BadIIS-10059985-0

The following SNORT® rules (SIDs) detect and block this threat:  

  • Snort2: 1:66400, 1:66399, 1:66398 
  • Snort3: 1:66400, 1:301491 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – ​Read More

Critical Vulnerability Exposes Industrial Robot Fleets to Hacking

The vulnerability, CVE-2026-8153, affects Universal Robots PolyScope 5 and it can be exploited for OS command injection. 

The post Critical Vulnerability Exposes Industrial Robot Fleets to Hacking appeared first on SecurityWeek.

SecurityWeek – ​Read More

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave.

“The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly

The Hacker News – ​Read More

GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server.

“Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action’s normal commit history,

The Hacker News – ​Read More

Google I/O 2026 live blog: Updates on Android, Gemini AI, XR, and more we expect

We’re reporting live from Mountain View at Google’s annual developer conference. Stay tuned for the latest updates.

Latest news – ​Read More