{
  "name": "UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud",
  "slug": "uat-8099-chinese-speaking-cybercrime-group-targets-high-value-iis-for-seo-fraud",
  "description": "A Chinese-speaking cybercrime group, UAT-8099, is targeting high-value Internet Information Services (IIS) servers for search engine optimization (SEO) fraud and data theft. The group focuses on reputable servers in India, Thailand, Vietnam, Canada, and Brazil, affecting universities, tech firms, and telecom providers. UAT-8099 uses web shells, hacking tools, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence. They exploit weak file upload settings, enable guest accounts, and use RDP for access. The group also steals valuable credentials, configuration files, and certificates. New BadIIS variants with low detection rates and Chinese debug strings have been identified. The attackers employ SEO techniques like backlinking and inject malicious JavaScript to redirect users to fraudulent websites.",
  "published": "2025-10-02T13:07:14+00:00",
  "created_at": "2025-10-02T13:07:14+00:00",
  "modified_at": "2025-10-02T14:18:39+00:00",
  "created_at_opencti": "2025-10-02T13:07:14+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-02",
    "badiis",
    "chinese-speaking",
    "cobalt strike",
    "cybercrime",
    "data theft",
    "iis servers",
    "seo fraud",
    "web shells"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "36.75.75.75"
      },
      {
        "id": "",
        "name": "138.112.25.25"
      },
      {
        "id": "",
        "name": "123.181.24.36"
      },
      {
        "id": "",
        "name": "71.162.181.51"
      },
      {
        "id": "",
        "name": "xldll.xijingdafa.com"
      },
      {
        "id": "",
        "name": "xl.luodixijin.com"
      },
      {
        "id": "",
        "name": "x5.westooo.com"
      },
      {
        "id": "",
        "name": "x3.ggseocdn.com"
      },
      {
        "id": "",
        "name": "x2.ggseocdn.com"
      },
      {
        "id": "",
        "name": "th1.win123888.com"
      },
      {
        "id": "",
        "name": "th1.ggseocdn.com"
      },
      {
        "id": "",
        "name": "tdk.ihack.one"
      },
      {
        "id": "",
        "name": "suidcbdewjskbcsdjvbwehcsdj.dfbdfwrthgef.top"
      },
      {
        "id": "",
        "name": "mulu.ihack.one"
      },
      {
        "id": "",
        "name": "modll.win123888.com"
      },
      {
        "id": "",
        "name": "mo2dll.win123888.com"
      },
      {
        "id": "",
        "name": "link.mejsc4.com"
      },
      {
        "id": "",
        "name": "list.ggseocdn.com"
      },
      {
        "id": "",
        "name": "joydphp.westooo.com"
      },
      {
        "id": "",
        "name": "iis.ihack.one"
      },
      {
        "id": "",
        "name": "joyddll.westooo.com"
      },
      {
        "id": "",
        "name": "google.dfbdfwrthgef.top"
      },
      {
        "id": "",
        "name": "ceshi.mejsc4.com"
      },
      {
        "id": "",
        "name": "cheng.win123888.com"
      },
      {
        "id": "",
        "name": "cdn.windowserrorapis.com"
      },
      {
        "id": "",
        "name": "bx.westooo.com"
      },
      {
        "id": "",
        "name": "bxphp.ggseocdn.com"
      },
      {
        "id": "",
        "name": "bx.ggseocdn.com"
      },
      {
        "id": "",
        "name": "aspx2.ggseocdn.com"
      },
      {
        "id": "",
        "name": "buvmfuwecndskmkvhndfjk.dfbdfwrthgef.top"
      },
      {
        "id": "",
        "name": "ar.mnnoxzmq.com"
      },
      {
        "id": "",
        "name": "ar.ggseocdn.com"
      },
      {
        "id": "",
        "name": "alex.rootggseo.com"
      },
      {
        "id": "",
        "name": "mejsc1.com"
      },
      {
        "id": "",
        "name": "meindi11.com"
      },
      {
        "id": "",
        "name": "2fgithub.com"
      },
      {
        "id": "",
        "name": "fee057cee9da92d3d29078e7c30da7472ce99cc2ecaf4e13e8b3d6f266a6d35f"
      },
      {
        "id": "",
        "name": "f7cc8cf5a8e565c1aa8b7bd524f4f9fac392387de749657cb9d1cf4d694c4ad2"
      },
      {
        "id": "",
        "name": "f659c4cfe4517a07b9c944cb7818be4022fdc42187766808ad02987a4152a875"
      },
      {
        "id": "",
        "name": "ee6288fa8e5f111571475211b15522bc987da8421e9687a8089d1edef1df14a2"
      },
      {
        "id": "",
        "name": "e042f1a9b0a1d69311a5a1bd4eea37cc1a8a02cffe3f9ad5eb0c78fa79f326e2"
      },
      {
        "id": "",
        "name": "e1342bca7bc4f3ff9453c68cd16532f4e6567a1ada37b6e2635cbc1c1ba325ac"
      },
      {
        "id": "",
        "name": "cd86344937c7e7c9895fde8eecc682eb347c583e1ded491075aef548a8e255a4"
      },
      {
        "id": "",
        "name": "cbb4a9172f4b0185d3aecbaa60b8e04d8910889da8905e5089df3efdec0a38dd"
      },
      {
        "id": "",
        "name": "c85a942a0d17c7accbabbf68ce04635327b757a662687c798e998c983c2a744c"
      },
      {
        "id": "",
        "name": "b8626f0c45c68f6176540a64e2f8c6d5ac8b942a5ec030b590870a6eaffb931f"
      },
      {
        "id": "",
        "name": "b3d08508b1e8962e56da007408450e2a40fae8cac1ee7d526914be80e31f6854"
      },
      {
        "id": "",
        "name": "993fc46080d49c4ec814b4a3b2bf38faf2a6d59fe8a0638164b6fa27fa66e6e0"
      },
      {
        "id": "",
        "name": "980f5ccbcf1b1e56095acf8e63821ef0b365f4db1ca811515e29106b8d0f9d30"
      },
      {
        "id": "",
        "name": "94d8eaef036231cd604d0c769f0918e826501644a149876c09e967811c104860"
      },
      {
        "id": "",
        "name": "8edfa205175912a6a8d31b821b027a67f0a8413528f6fc02f544fba18d75aa4e"
      },
      {
        "id": "",
        "name": "8b2a61f29fdeda908d299515975a4dd3abd1a7508dbe8487bcb2a56fad2ec16f"
      },
      {
        "id": "",
        "name": "8b154b9c9b15bc2ec4849c182c926c46bf9de561e4359cbdaf5f0ca90a4f869d"
      },
      {
        "id": "",
        "name": "87ffb0bb7d8dd89bfc5d106a07d0c4a4f51c03d355848abcf52fbe8c7087cf5b"
      },
      {
        "id": "",
        "name": "879ee17ff9225e2c71d818eea5addd7ce3c41a4100a98bd5d29d4cb4f2dadf22"
      },
      {
        "id": "",
        "name": "85cf3c802a97facb5ae4c1e945c5042915017f35bdf1a570754b88710facf3f3"
      },
      {
        "id": "",
        "name": "7ddf475abc6e01a1e703f4c54e5a2c8601fef4767b3b1859b78cfdc18b173004"
      },
      {
        "id": "",
        "name": "78f813c4474dcb4a1be9354d341bedcae6ef8689828a150c5936c308a0490777"
      },
      {
        "id": "",
        "name": "762db01f0dc61a3f4aa1695cb24a92fa21d236d8c5577926337ac1799d6569a5"
      },
      {
        "id": "",
        "name": "74eb8d245d5571f3ee9a4e5417fb919034662681ff26a298a3526032307f16a4"
      },
      {
        "id": "",
        "name": "7276bc5fe4d29daf7a23a9a68022330290be45cc3a5a1d76e82063135b85ce5c"
      },
      {
        "id": "",
        "name": "704ce326c380e4a35594df2b7d9bd17517709378451f3d9788728d01df36d0f6"
      },
      {
        "id": "",
        "name": "5a6dd4bb2db005adee56732b96fa6f4ceed47fc42298daf7bb3e6db32b59eac6"
      },
      {
        "id": "",
        "name": "5284d5e034aa8c077469d3ef8fb2c09aa041c475703ea99c87855cf6eecf9564"
      },
      {
        "id": "",
        "name": "49740a5785f0d6790ee7f82915d2a95866332fc3eaf6fb0da59645404e4aed0c"
      },
      {
        "id": "",
        "name": "3fb2fd80c7bc8cf69594ad36b18972eb771585bc5733f456eeef1448e8d77713"
      },
      {
        "id": "",
        "name": "3bd3a328dbe4ddefa177f7c367d8d9536a3d0e7debd1648e376534f0c5cac98f"
      },
      {
        "id": "",
        "name": "2eedd804c1fa4578485b55f4872145b7f891016510fe88fa760b61b8248dec82"
      },
      {
        "id": "",
        "name": "299aabc6b9b03d92a6aed9d12eed45a669e5795763092693ac98322107cf8217"
      },
      {
        "id": "",
        "name": "223ebe3875f876a951e700a153901b05e9c166ca6151ca35219c8b544ea30c01"
      },
      {
        "id": "",
        "name": "1d17bd82d15331fd9787511da1c7b1c5cf40deef371a43d63ec524b4d90f6b84"
      },
      {
        "id": "",
        "name": "1149c50a049dca8ada30247532d0b2f18b94c199b45fd5dc129b5a9fda0991e9"
      },
      {
        "id": "",
        "name": "0c532a4a9f398fa2f5e12c2eac00c81ff4a70ac6746cf462c3f2206ed910693f"
      },
      {
        "id": "",
        "name": "0c364717dea76cbff870a2dbf2099213615a4caacaa5de61f7271c7eec73759f"
      },
      {
        "id": "",
        "name": "0afa8830d2c664a192af94b638ab6b1c096d13e41a7f1886b71ff020e0d9bd93"
      },
      {
        "id": "",
        "name": "088fa3063c3015978955b572d5ddcff0838a945ce25665f24cca83d33e039cb9"
      },
      {
        "id": "",
        "name": "0511345f452e8c5ff2ca903553ba72f4fcb4f029f72b12e27f6a33e33977e5d2"
      },
      {
        "id": "",
        "name": "046417685ad2eb075f33a0f757391df84750d2395fa6f82b1f05359710b7c9b6"
      },
      {
        "id": "",
        "name": "c922ef32c4ab94f8b870c62883f3e41755ec705db76ec4efb0d343458f1e28c7"
      },
      {
        "id": "",
        "name": "f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb"
      }
    ],
    "intrusion_sets": [
      {
        "id": "4f004976-498b-47d9-861e-9041f2ec6736",
        "name": "UAT-8099",
        "slug": "uat-8099"
      }
    ],
    "attack_patterns": [
      {
        "id": "4f0fd880-1731-42a7-88ed-97bb3c1c1571",
        "name": "T1136.001"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "ccb28547-a340-4193-a5d9-69222f3d5051",
        "name": "T1049"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Telecommunications"
      }
    ]
  },
  "external_refs": [
    "https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt",
    "https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/",
    "https://otx.alienvault.com/pulse/68de952252a07c88093c6fb4"
  ]
}