
A new cyber campaign is sweeping across Asia, with the threat actor UAT-8099 focusing on vulnerable Internet Information Services (IIS) servers in Thailand and Vietnam. Active from late 2025 through early 2026, this operation signals a strategic shift toward highly localized attacks, using tailored malware variants and advanced persistence methods. Researchers have noted substantial overlap with the earlier WEBJACK campaign, suggesting the actor’s growing sophistication and evolving tactics. This campaign not only exploits weak server configurations but also integrates legitimate tools to avoid detection, making it particularly challenging for defenders.
Targeted Operations and Malware Deployment
UAT-8099 initiates attacks by gaining access to vulnerable IIS servers and performing basic reconnaissance, including commands like whoami and tasklist. The group increasingly uses red team utilities and legitimate software to stay under the radar. Central to their operation is GotoHTTP, a remote control tool delivered via malicious VBScript, which allows attackers to maintain persistent access.
Additional tools strengthen their foothold and erase traces of malicious activity:
Tool and function:
Sharp4RemoveLog: clears Windows event logs to remove forensic traces
CnCrypt Protect: open-source anti-rootkit that terminates security product processes via kernel access
OpenArk64: another anti-rootkit used to terminate security processes
GotoHTTP: legitimate remote control tool used for persistent access
The campaign features region-specific malware variants. BadIIS IISHijack targets Vietnam by embedding country codes and using localized directory names, while BadIIS asdSearchEngine targets Thailand, analyzing HTTP headers to detect Thai users and injecting malicious JavaScript when detected. Directory structures correspond to the target region, such as C:/Users/mssql$/Desktop/VN/ for Vietnam and C:/Users/mssql$/Desktop/newth/ for Thailand.
Persistence strategies have also evolved. After hidden accounts like “admin” were widely flagged, UAT-8099 began deploying alternative hidden accounts such as “mysql”, “admin1”, “admin2”, and “power” to redeploy malware components like fasthttp.dll and cgihttp.dll.
SEO Fraud and Content Injection
The ultimate goal of BadIIS infections remains SEO fraud. The malware dynamically generates web pages from HTML templates containing spam keywords. Using Pinyin variable names such as {biaoti} (title) and {guanjianci} (keywords), it populates pages with promoted content while carefully avoiding static assets like images and stylesheets. Only dynamic pages (.aspx, .php) are targeted for injection.
In October 2025, a Linux ELF variant of BadIIS surfaced on VirusTotal, demonstrating cross-platform capabilities. This Linux version mirrors Windows functionality—proxy, injector, and SEO fraud modes—but specifically targets search engine crawlers from Google, Bing, and Yahoo. Security systems detect these threats under signatures like Windows.Trojan.BadIIS and Unix.Trojan.BadIIS. Network defenders should watch for unauthorized hidden accounts and traffic to known C2 servers.
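An added defender-side check (not code from the report or from Talos) covering the two persistence artifacts named above: BadIIS native modules such as fasthttp.dll and cgihttp.dll registered with IIS, and the hidden local accounts (admin, mysql, admin1, admin2, power) the paragraph says to watch for. It assumes stock IIS modules live under %windir%\System32\inetsrv and that the account list comes from `net user` output; the config and account samples are constructed.

```python
"""Audit for BadIIS-style persistence: IIS native modules registered outside the
stock inetsrv directory (or matching the report's DLL names) and local accounts
matching the hidden-account names UAT-8099 reuses. Samples are constructed."""
import ntpath
import re
import xml.etree.ElementTree as ET

BAD_MODULE_DLLS = {"fasthttp.dll", "cgihttp.dll"}                   # named in the report
SUSPECT_ACCOUNTS = {"admin", "mysql", "admin1", "admin2", "power"}  # named in the report
# Assumption: stock IIS native modules live under %windir%\System32\inetsrv.
STOCK_MODULE_DIR = re.compile(r"^%windir%\\system32\\inetsrv\\", re.IGNORECASE)

def audit_global_modules(app_host_config: str) -> list[str]:
    """Return 'name -> image' for each <globalModules><add> in applicationHost.config
    whose image path is outside the stock directory or is a known BadIIS DLL."""
    root = ET.fromstring(app_host_config)
    hits = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            image = add.get("image", "")
            if (ntpath.basename(image).lower() in BAD_MODULE_DLLS
                    or not STOCK_MODULE_DIR.match(image)):
                hits.append(f"{add.get('name')} -> {image}")
    return hits

def parse_net_user(output: str) -> list[str]:
    """Pull account names out of 'net user' output: they sit between the dashed
    rule and the closing status line, several names per row."""
    names, inside = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            inside = True
        elif line.startswith("The command completed"):
            break
        elif inside and line.strip():
            names.extend(line.split())
    return names

def flag_suspect_accounts(names: list[str]) -> list[str]:
    """Return the local accounts whose names match the report's hidden accounts."""
    return sorted(n for n in names if n.lower() in SUSPECT_ACCOUNTS)

SAMPLE_CONFIG = """<configuration><system.webServer><globalModules>
  <add name="CacheUriModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
  <add name="FastHttp" image="C:\\Users\\mssql$\\Desktop\\VN\\fasthttp.dll" />
</globalModules></system.webServer></configuration>"""
SAMPLE_NET_USER = """User accounts for \\\\WEB01
-------------------------------------------------------------------------------
Administrator            admin1                   Guest
mysql                    WDAGUtilityAccount
The command completed successfully."""
```

On a live host, feed the real %windir%\System32\inetsrv\config\applicationHost.config and the actual `net user` output into the two functions; any hit is a lead to triage, not a verdict.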
What Undercode Say:
UAT-8099’s campaign represents a significant escalation in regionalized cyber operations. Unlike broad, untargeted attacks, this campaign demonstrates a precision focus, tailoring malware for specific countries. By embedding local identifiers in the malware and using headers to identify target users, the actor ensures infections are highly efficient and harder to detect.
The evolution from simple hidden accounts to multiple alternative accounts indicates an adaptive strategy to bypass security controls. This shows a threat actor not only responding to defensive measures but anticipating them. The integration of legitimate tools like GotoHTTP and SoftEther VPN is particularly concerning, as these tools can mask malicious activity and confuse traditional detection mechanisms.
The SEO fraud component reflects a shift from purely destructive or espionage-focused malware to financially motivated operations. Generating content dynamically with intelligent filtering avoids breaking infected sites, prolonging the campaign’s effectiveness and increasing revenue potential for the actor.
Cross-platform functionality is a major red flag. With both Windows and Linux targets, UAT-8099 demonstrates versatility that could threaten web infrastructure across mixed-server environments. Security teams must not only patch IIS vulnerabilities but also monitor hidden accounts, dynamic content injections, and unusual network traffic.
Operationally, this campaign suggests a professionalized approach reminiscent of red team exercises. By combining malware, legitimate software, and precise targeting, UAT-8099 is effectively running a stealthy commercial-grade attack. Any organization hosting IIS servers in Southeast Asia—or globally if the Linux variant spreads—should immediately assess exposure and implement hardened monitoring.
Fact Checker Results:
✅ Campaign active from late 2025 through early 2026 – confirmed by Talos Intelligence.
✅ Targets localized to Thailand and Vietnam, with distinct malware variants – validated by IoCs.
✅ Cross-platform capability confirmed via Linux ELF variant uploaded to VirusTotal – verified.
Prediction:
⚠️ UAT-8099 is likely to expand its regional targeting across other Southeast Asian countries in 2026.
⚠️ The malware’s SEO fraud mechanism may evolve into more sophisticated web monetization schemes, potentially exploiting AI-generated content.
⚠️ Security teams will need to adopt proactive threat-hunting strategies for hidden accounts and cross-platform exploits to prevent large-scale infections.
References:
Reported By: cyberpress.org