Dissecting UAT-8099: New persistence mechanisms and regional focus
Essential information
- Published: 29/01/2026 17:20
- Modified: 30/01/2026 08:19
- Tags: 2026-01-29, asia, badiis, gotohttp, iis, persistence, powershell, regional targeting, seo fraud, thailand, vietnam, web shells
- Related entities: 74 observables, 1 intrusion set (APT), 2 malware, 23 others
Description
UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, ran a new campaign from late 2025 into early 2026. The group's tactics have evolved: it now focuses on Thailand and Vietnam and employs web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of the BadIIS malware include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded its toolkit with utilities for log removal, file protection, and anti-rootkit capabilities. It has also adapted its persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign shows significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.