Coordinated Cyberattacks Hit Asian Web Servers Using BadIIS Malware

Overview of the Threat
Security researchers have documented a sustained campaign targeting unpatched Microsoft Internet Information Services (IIS) web servers in several Asian countries. The group behind it is tracked as UAT-8099 and is assessed by researchers to operate from China. It relies on stealthy tradecraft to run search engine fraud from the servers it compromises and to steal data from them.
What the Attackers Are Doing
UAT-8099 activity was first observed in 2025 and continues into 2026. The group targets IIS servers running known vulnerabilities for which patches have not been applied, with victims identified in Thailand, Vietnam, India, Pakistan and Japan.
After gaining a foothold, the attackers deploy web shells and use PowerShell scripts to install GotoHTTP, a legitimate remote-control tool, which gives them interactive remote access to the compromised servers.
For persistence they create hidden local user accounts that evade routine account reviews, and they simply create replacements whenever a hidden account is discovered and disabled.
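As an added example (not from the original report, and not UAT-8099's or the researchers' tooling), the following PowerShell script performs the two triage checks an IIS administrator would want after reading the above: it lists local accounts that are hidden by common tricks, newly created, or unexpectedly privileged, and it enumerates the native modules registered in applicationHost.config, since BadIIS is loaded as an IIS native module. The 90-day lookback, the reliance on Security event 4720 for account creation, and treating the inetsrv directory as the only expected module location are assumptions to adjust for your environment.

```powershell
# Added triage example (not from the original report or UAT-8099 tooling). Run elevated on the IIS host.
# Assumptions: PowerShell 5.1+ with the LocalAccounts cmdlets, auditing enabled for Security event 4720,
# a 90-day lookback window, and inetsrv as the only expected location for native modules.

$LookbackDays  = 90
$InetsrvDir    = Join-Path $env:windir 'System32\inetsrv'              # home of legitimate IIS modules
$AppHostConfig = Join-Path $InetsrvDir 'config\applicationHost.config'
$UserListKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# ---- 1. Local accounts that are hidden, newly created, or unexpectedly privileged ----------------
# Two common ways to hide a local account: a trailing '$' (omitted by 'net user') and a 0 value
# under the Winlogon UserList key (removed from the logon screen). Neither belongs on a web server.
$hiddenByUserList = @()
if (Test-Path $UserListKey) {
    $hiddenByUserList = @((Get-ItemProperty -Path $UserListKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name })
}

# Members of the local Administrators group, stripped of the COMPUTER\ or DOMAIN\ prefix.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.Name -split '\\')[-1] })

# Accounts created inside the lookback window, from Security event 4720 (Properties[0] = TargetUserName).
# SilentlyContinue also covers the "no events found" case, which Get-WinEvent reports as an error.
$recentlyCreated = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720;
        StartTime = (Get-Date).AddDays(-$LookbackDays) } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[0].Value })

$accountFindings = foreach ($u in Get-LocalUser) {
    $reasons = @()
    $isAdmin = $admins -contains $u.Name
    $isNew   = $recentlyCreated -contains $u.Name
    if ($u.Name.EndsWith('$'))               { $reasons += 'trailing $ hides it from net user' }
    if ($hiddenByUserList -contains $u.Name) { $reasons += 'hidden from logon screen via UserList' }
    if ($u.Name -eq 'Guest' -and $u.Enabled) { $reasons += 'built-in Guest account is enabled' }
    if ($isNew -and $isAdmin)                { $reasons += "created in last $LookbackDays days and is an Administrator" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Name = $u.Name; Enabled = $u.Enabled; IsAdmin = $isAdmin; Reasons = ($reasons -join '; ') }
    }
}

# ---- 2. IIS native modules registered in applicationHost.config ----------------------------------
# BadIIS is delivered as an IIS native module, so it has to be registered under <globalModules>.
# Legitimate Microsoft modules live in inetsrv and carry a valid Authenticode signature; report the rest.
[xml]$cfg = Get-Content -Path $AppHostConfig -Raw
$moduleFindings = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    $image     = [Environment]::ExpandEnvironmentVariables([string]$m.image)
    $inInetsrv = $image.StartsWith($InetsrvDir, [System.StringComparison]::OrdinalIgnoreCase)
    $sigStatus = if (Test-Path -LiteralPath $image) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
    if (-not $inInetsrv -or "$sigStatus" -ne 'Valid') {
        [pscustomobject]@{ Module = $m.name; Image = $image; InInetsrv = $inInetsrv; Signature = "$sigStatus" }
    }
}

Write-Output '=== Suspicious local accounts ==='
$accountFindings | Format-Table -AutoSize
Write-Output '=== Native modules outside inetsrv or without a valid signature ==='
$moduleFindings | Format-Table -AutoSize
```

Run it elevated on the server. Legitimately installed third-party modules that live under Program Files will also appear in the second list; the goal is a short list to verify by hand (publisher, install date, file hash), not an automatic verdict. An account that the attackers recreate after you disable one will show up again in the 4720 results, which is the behaviour the article describes.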
BadIIS Malware Explained
The campaign's main payload is BadIIS, a malware family that runs inside IIS to manipulate search engine results (SEO fraud) and to push malicious content to visitors. It comes in region-specific variants whose behaviour depends on where the victim server is located.
BadIIS inspects each incoming request to decide whether it comes from a search engine crawler. Crawlers are served content that boosts the ranking of sites that earn the attackers money through illegal schemes; ordinary visitors who arrive through those poisoned search results instead receive injected JavaScript that redirects them to malicious websites.
The two main variants observed are:
- BadIIS IIS Hijack, which targets servers in Vietnam.
- BadIISasdSearchEngine, aimed at Thai-language sites or servers configured for Thai users.
Both variants load their content templates dynamically and act only on selected file types, which keeps the injected material hard to spot and avoids disturbing normal site operation.
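The crawler-versus-visitor split described above can be checked from the outside. The PowerShell below is an added example, not tooling from the original report: it fetches the same URL once as a search engine crawler and once as a browser arriving from a search result page, then compares the two bodies for shared content and for redirect code present only in the visitor copy. The User-Agent strings, the referer, the regex patterns and the 0.5 similarity threshold are assumptions; the two sample pages at the end are constructed, not captured from a real infection, so that the comparison runs offline.

```powershell
# Added example (not the researchers' tooling): compare what a server returns to a search-engine
# crawler with what it returns to a browser arriving from a search result. BadIIS keys its behaviour
# on exactly that distinction, so a large difference, or redirect code served only to the visitor,
# is a strong lead. User-Agent strings, referer, regexes and the 0.5 threshold are assumptions.

$CrawlerUA          = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
$BrowserUA          = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36'
$SearchReferer      = 'https://www.google.com/search?q=example'   # some cloakers key on the referer, not the UA
$MinSharedLineRatio = 0.5                                         # below this the two pages count as different documents

# Redirect code usually injected for human visitors: JavaScript location changes and meta refresh.
$RedirectPatterns = @(
    '(?i)(window\.|document\.|top\.)?location(\.href|\.replace\(|\s*=)',
    '(?i)<meta[^>]+http-equiv\s*=\s*["'']?refresh'
)

function Get-PageAs {
    # Fetch $Url with a chosen User-Agent (and optional Referer); returns status and body, never throws.
    param([string]$Url, [string]$UserAgent, [string]$Referer)
    $headers = @{}
    if ($Referer) { $headers['Referer'] = $Referer }
    try {
        $r = Invoke-WebRequest -Uri $Url -UserAgent $UserAgent -Headers $headers -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Status = [int]$r.StatusCode; Body = [string]$r.Content; Error = '' }
    } catch {
        [pscustomobject]@{ Status = 0; Body = ''; Error = $_.Exception.Message }
    }
}

function Compare-Variants {
    # Pure comparison of two response bodies; $SiteHost lets us flag scripts loaded from other hosts.
    param([string]$CrawlerBody, [string]$VisitorBody, [string]$SiteHost)
    $externalScript = '(?i)<script[^>]+src\s*=\s*["'']?https?://(?!' + [regex]::Escape($SiteHost) + ')'
    $patterns = $RedirectPatterns + $externalScript

    # Cheap similarity measure: fraction of the crawler page's non-empty lines that also occur verbatim
    # in the visitor page. SEO-fraud content served to crawlers typically shares almost nothing.
    $cLines = @($CrawlerBody -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $vLines = @($VisitorBody -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $shared = @($cLines | Where-Object { $vLines -contains $_ }).Count
    $ratio  = if ($cLines.Count -eq 0) { 1.0 } else { [math]::Round($shared / $cLines.Count, 2) }

    $visitorHits = @($patterns | Where-Object { $VisitorBody -match $_ })
    $crawlerHits = @($patterns | Where-Object { $CrawlerBody -match $_ })
    $visitorOnly = @($visitorHits | Where-Object { $crawlerHits -notcontains $_ })

    [pscustomobject]@{
        Identical            = ($CrawlerBody -eq $VisitorBody)
        SharedLineRatio      = $ratio
        VisitorOnlyRedirects = $visitorOnly.Count
        CrawlerTitle         = if ($CrawlerBody -match '(?is)<title>(.*?)</title>') { $Matches[1].Trim() } else { '' }
        VisitorTitle         = if ($VisitorBody -match '(?is)<title>(.*?)</title>') { $Matches[1].Trim() } else { '' }
        Suspicious           = ($ratio -lt $MinSharedLineRatio) -or ($visitorOnly.Count -gt 0)
    }
}

# Constructed sample responses (not captured from a real infection) so the comparison runs offline.
$sampleCrawler = @'
<html><head><title>Cheap flights casino bonus</title></head>
<body><h1>Casino bonus</h1><p>keyword-stuffed text shown only to the crawler</p>
<a href="https://promo.example.invalid/landing">promo</a></body></html>
'@
$sampleVisitor = @'
<html><head><title>Welcome</title>
<script src="https://cdn.example.invalid/j.js"></script>
<script>if(document.referrer.indexOf("google")>-1){window.location.href="https://promo.example.invalid/landing";}</script>
</head><body><h1>Welcome to our site</h1></body></html>
'@
Compare-Variants -CrawlerBody $sampleCrawler -VisitorBody $sampleVisitor -SiteHost 'www.victim.example' | Format-List

# Live use against a server you own (needs network access):
#   $c = Get-PageAs -Url 'https://www.victim.example/' -UserAgent $CrawlerUA
#   $v = Get-PageAs -Url 'https://www.victim.example/' -UserAgent $BrowserUA -Referer $SearchReferer
#   Compare-Variants -CrawlerBody $c.Body -VisitorBody $v.Body -SiteHost 'www.victim.example' | Format-List
```

On the constructed samples the comparison reports a shared-line ratio of 0, two redirect patterns present only in the visitor copy (the location change and the script loaded from another host), and different titles, so Suspicious is true. Sites that legitimately vary content per User-Agent (mobile layouts, A/B tests) will lower the ratio without injecting redirect code, which is why the two signals are reported separately; fetch several URLs, including ones for file types that are not obviously HTML, since the variants above only act on selected file types.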
Broader Impacts
The campaign is not limited to manipulating search results. Once on a server, the attackers also steal certificates, credentials, configuration files and logs, which can be sold or reused in further intrusions.
Targeting web servers with strong online reputations lets the attackers borrow the trust those legitimate sites already enjoy with search engines and their users.
What Organizations Should Do
Operators should keep IIS servers fully patched and harden their configuration. Routine monitoring, intrusion detection and strict access management reduce the likelihood of a successful breach, and periodic review of local accounts and registered IIS modules can surface the persistence methods used in this campaign.
Regular security audits and proactive patching matter most here, because UAT-8099 gets in through known weaknesses that have been left unpatched.