A new cybersecurity investigation has revealed a large-scale cyber fraud operation linked to a Chinese-speaking group named UAT-8099. This group is reportedly involved in SEO manipulation, data theft, and unauthorized access to systems via compromised Microsoft IIS servers. The attackers primarily target regions like India, Thailand, Vietnam, Canada, and Brazil, with victims including universities, tech companies, and telecom providers.
Global Reach and Methodology
First identified in April 2025, UAT-8099 focuses on mobile device users—both Android and iOS—by leveraging high-value IIS servers to manipulate search engine rankings. The cybercriminals execute their campaigns using web shells, open-source tools, Cobalt Strike, and a custom malware family known as BadIIS.
Once they locate a vulnerable IIS server—either through misconfigured settings or known security flaws—they install web shells to perform reconnaissance. After gathering system data, the attackers escalate privileges by enabling guest accounts and then gaining administrator access. This allows them to activate Remote Desktop Protocol (RDP) for full control.
In an effort to maintain exclusive access, the group often blocks other threat actors from breaching the same systems. Their primary backdoor tool during these operations is Cobalt Strike, widely known for its post-exploitation capabilities.

Persistence and Malware Use
To establish long-term access, UAT-8099 combines RDP access with VPN tools such as SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP). The final stage of the attack involves the installation of BadIIS malware, a malicious toolkit also used by other China-linked groups like DragonRank and Operation Rewrite (CL-UNK-1037).
Using a GUI-based tool named Everything, UAT-8099 navigates the compromised servers to extract high-value data—including credentials, certificates, and config files—which are then prepared for sale or further exploitation. The number of compromised servers remains unknown.
The version of BadIIS used here has been modified to bypass antivirus detection. Like the Gamshen malware seen in previous campaigns, this variant triggers its SEO functionality only when accessed by Googlebot, Google’s web crawler.
SEO Fraud in Action
The BadIIS malware operates in three distinct modes:
- Proxy Mode: Retrieves commands from an encoded command-and-control (C2) address to act as a proxy for malicious data delivery.
- Injector Mode: Intercepts Google search traffic and embeds harmful JavaScript into web pages to redirect users to illegal ads or gambling sites.
- SEO Fraud Mode: Uses compromised IIS servers to build backlinks that boost site rankings in search engine results.
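Because the BadIIS variant described above serves its SEO payload only to Googlebot, one defender-side check is to compare what an IIS server returns to Googlebot against what it returns to everyone else for the same URL. The following Python script is an added example, not code from the Talos report: it parses IIS W3C-format logs (using the `#Fields:` directive for column names) and flags URIs where the median `sc-bytes` for Googlebot requests differs sharply from the median for other clients. The log excerpt, field selection, IP addresses and size threshold are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed IIS W3C extended log excerpt (trimmed field set; sample data,
# not from the Talos report). IIS encodes spaces in the User-Agent as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status sc-bytes
2025-04-02 10:00:01 GET /index.html 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 200 5120
2025-04-02 10:00:07 GET /index.html 192.0.2.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 48900
2025-04-02 10:00:12 GET /index.html 198.51.100.7 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0)+Safari/604.1 200 5140
2025-04-02 10:00:20 GET /about.html 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 200 2200
2025-04-02 10:00:25 GET /about.html 192.0.2.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 2210
2025-04-02 10:00:31 GET /index.html 192.0.2.2 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 49100
"""

def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_googlebot(user_agent):
    # Only the UA string is checked here; a production check should also
    # verify the source IP via reverse DNS, since the UA is client-controlled.
    return "googlebot" in user_agent.lower()

def find_cloaked_uris(entries, ratio=3.0):
    """Return {uri: (bot_median_bytes, other_median_bytes)} for URIs whose
    successful responses to Googlebot differ in size from responses to other
    clients by a factor of at least `ratio` in either direction."""
    bot, other = defaultdict(list), defaultdict(list)
    for e in entries:
        if e.get("sc-status") != "200":
            continue
        bucket = bot if is_googlebot(e["cs(User-Agent)"]) else other
        bucket[e["cs-uri-stem"]].append(int(e["sc-bytes"]))
    flagged = {}
    for uri in bot.keys() & other.keys():  # only URIs seen by both populations
        b, o = median(bot[uri]), median(other[uri])
        if max(b, o) / max(min(b, o), 1) >= ratio:
            flagged[uri] = (b, o)
    return flagged

if __name__ == "__main__":
    for uri, (b, o) in find_cloaked_uris(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{uri}: Googlebot median {b} bytes vs other clients {o} bytes")
```

A size gap alone is only a lead; confirm it by fetching the flagged URI with and without a Googlebot User-Agent and diffing the HTML for injected script or link blocks.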
According to Cisco Talos, the group uses traditional backlinking techniques—a method in which websites link to each other to increase visibility and domain authority. While this can enhance exposure, low-quality backlinking risks penalties from Google, which could downgrade a site’s ranking instead of improving it.