Redazione RHC: 4 October 2025 09:08
A Chinese cybercriminal group known as UAT-8099 has been identified by Cisco Talos as responsible for a large-scale attack campaign. The attacks, which began in April 2025, systematically targeted vulnerable Microsoft Internet Information Services (IIS) servers in several countries, including India, Thailand, Vietnam, Canada, and Brazil.
Organizations managing IIS servers are advised to apply the latest security patches immediately and to restrict the file types that may be uploaded. Users of Android and iOS mobile devices are particularly exposed to the campaign's custom APK download pages and iOS app hosting sites disguised as official resources.
Their illicit activity focuses on manipulating search engine optimization (SEO) rankings to funnel high-value traffic to unauthorized advertising and illegal gambling sites, while also extracting sensitive data from high-profile institutions.
The first phase of the UAT-8099 campaign involves running automated scans to detect outdated IIS servers that allow unrestricted file uploads. Once a misconfigured server is found, the operators deploy an open-source ASP.NET web shell, which executes system commands and collects information about the environment.
This foothold allows them to create a temporary user account, which is then granted administrator rights, enabling access via the Remote Desktop Protocol (RDP). The group then installs additional web shells and uses public hacking tools together with Cobalt Strike to maintain persistence on the system.
During this phase, Talos researchers identified multiple new versions of the BadIIS malware family. These variants showed minimal detection by antivirus programs and included debug messages in Simplified Chinese, suggesting continued development by Chinese-speaking attackers.
To consolidate control, UAT-8099 enables RDP, installs SoftEther VPN and the decentralized EasyTier VPN tool, and configures FRP reverse proxy tunnels. Credential dumping with Procdump and data compression with WinRAR follow. D_Safe_Manage, an IIS security tool repurposed for malicious ends, is installed to monitor for competing intruders.
When Googlebot is detected, the operator serves specially crafted content and backlinks to the search engine crawler, artificially boosting the server's reputation and improving the rankings of malicious sites. Human visitors arriving via search engines, by contrast, are served JavaScript that automatically redirects them to gambling or advertising sites.
Advanced security controls, such as strict password policies and account lockout mechanisms with well-defined thresholds, combined with continuous monitoring of web server logs, are a crucial defense against the techniques used by UAT-8099. Endpoint detection tools with behavioral analysis capabilities also help identify anomalous web shell activity and specific beacons such as Cobalt Strike.
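As an added example (not part of the article or of Talos's research), the following Python script applies the web server log monitoring recommended above to the crawler cloaking described for BadIIS: it parses IIS W3C log lines and flags paths that return far larger responses to Googlebot than to ordinary browsers, plus successful POSTs to server-side script files that the application does not ship, which is what a web shell dropped through an unrestricted upload looks like in the log. The log lines, the KNOWN_HANDLERS allowlist and the presence of the sc-bytes field are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the article); assumes sc-bytes logging
# is on. IIS writes spaces inside the User-Agent as '+', so split() yields one token per field.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status sc-bytes
2025-04-12 08:00:01 GET /news/index.html 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 200 4120
2025-04-12 08:00:09 GET /news/index.html 192.0.2.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 61200
2025-04-12 08:01:15 GET /about.html 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 200 2050
2025-04-12 08:01:20 GET /about.html 192.0.2.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 2055
2025-04-12 08:02:00 POST /upload/save.aspx 198.51.100.5 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 200 310
2025-04-12 08:02:30 POST /uploads/cmd.aspx 198.51.100.5 python-requests/2.31 200 880
"""

BOT_UA = re.compile(r"googlebot|bingbot", re.I)
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx)$", re.I)
KNOWN_HANDLERS = {"/upload/save.aspx"}  # hypothetical allowlist of the app's real script endpoints

def parse_iis_log(text):
    """Parse W3C log text into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def find_cloaked_paths(records, ratio=3.0):
    """Paths whose 200 responses to crawlers are >= ratio times larger than to humans."""
    sizes = defaultdict(lambda: {"bot": [], "human": []})
    for r in records:
        if r["sc-status"] == "200":
            kind = "bot" if BOT_UA.search(r["cs(User-Agent)"]) else "human"
            sizes[r["cs-uri-stem"]][kind].append(int(r["sc-bytes"]))
    avg = lambda xs: sum(xs) / len(xs)
    return sorted(path for path, s in sizes.items()
                  if s["bot"] and s["human"] and avg(s["bot"]) >= ratio * avg(s["human"]))

def find_unexpected_script_posts(records):
    """(client, path) for successful POSTs to script files the application does not ship."""
    hits = {(r["c-ip"], r["cs-uri-stem"]) for r in records
            if r["cs-method"] == "POST" and r["sc-status"] == "200"
            and SCRIPT_EXT.search(r["cs-uri-stem"]) and r["cs-uri-stem"] not in KNOWN_HANDLERS}
    return sorted(hits)

if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print(find_cloaked_paths(recs), find_unexpected_script_posts(recs))
```

The size-ratio check is a coarse heuristic; on a real server, confirm a hit by fetching the same path with a crawler and a browser User-Agent from a trusted host and diffing the bodies.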