UAT-8099
UAT-8099 is a Chinese-speaking cybercrime group involved in search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data. Public reporting also describes it as China-linked. Cisco Talos reported the group compromises vulnerable or weakly configured Microsoft Internet Information Services (IIS) servers, including by abusing weak file-upload controls to deploy ASP.NET web shells, then performs reconnaissance, enables or creates privileged accounts, enables RDP, and maintains access with tools including SoftEther VPN, EasyTier, FRP, and GotoHTTP. Talos also reported use of open-source tools, PowerShell, Cobalt Strike, Sharp4RemoveLog, OpenArk64, and CnCrypt Protect. The actor deploys BadIIS malware on compromised IIS servers to hijack HTTP traffic for SEO fraud, including proxying, content injection, backlink injection, and selective redirects to unauthorized advertisements, fake gambling, or illegal gambling sites. Reported BadIIS behavior includes crawler-aware cloaking, such as checking for Googlebot or search-engine referrers, and in some cases using the Accept-Language header to target Thai or Vietnamese users. Cisco Talos reported newer region-focused BadIIS clusters including BadIIS IISHijack and BadIIS asdSearchEngine. Elastic Security Labs linked large-scale BADIIS SEO-poisoning activity affecting more than 1,800 Windows servers globally to UAT-8099. Reported victim infrastructure includes IIS servers in India, Thailand, Vietnam, Canada, Brazil, Pakistan, and Japan, with a particular focus on Thailand and Vietnam in reporting from late 2025 to early 2026. Targeted organizations include universities, technology companies, telecommunications providers, government entities, educational institutions, and financial organizations. Talos reported the group primarily targets mobile users as the downstream victims of search-result manipulation.
Talos reported persistence via hidden local accounts such as admin$, mysql$, admin1$, admin2$, and power$, and observed the actor collecting and exfiltrating credentials, logs, configuration files, and certificate material, including LSASS dumping with ProcDump and staging stolen data before archiving. Talos also reported that UAT-8099 attempts to retain exclusive control of compromised servers and defend them from competing attackers. Public reporting notes significant operational overlap between UAT-8099 and WEBJACK, including shared malware hashes, command-and-control infrastructure, victimology, and gambling redirects; some reporting recommends treating UAT-8099 and WEBJACK as one practical cluster for hunting and incident response. Aliases and sub-group names referenced in reporting include WEBJACK, BadIIS IISHijack, and BadIIS asdSearchEngine.
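Two of the behaviours reported above are visible in data most IIS operators already have: the split-view cloaking (search-engine crawlers and search-referred visitors treated differently from direct visitors) shows up in the W3C request log, and the hidden persistence accounts follow a naming pattern (a trailing `$`, which keeps an account out of `net user` listings). The script below is an added example, not code from this page, Talos, or Elastic Security Labs. It parses a constructed IIS W3C log excerpt (the log lines, URIs and IP addresses are invented here), groups requests per URI by visitor class, and flags URIs where crawlers get 200 while search-referred visitors are redirected and direct visitors are not. The crawler and referrer regexes are assumptions chosen for the example, not a list from any report.

```python
import re
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (invented for this example, not from any real server).
# IIS encodes spaces inside field values as '+', so a record splits cleanly on single spaces.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2026-01-10 08:00:01 GET /news/article.html - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200
2026-01-10 08:00:05 GET /news/article.html - 198.51.100.7 Mozilla/5.0+(Linux;+Android+13)+Mobile+Safari/537.36 https://www.google.com/ 302
2026-01-10 08:00:09 GET /news/article.html - 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200
2026-01-10 08:01:00 GET /about.html - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200
2026-01-10 08:01:04 GET /about.html - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/ 200
"""

# Assumed crawler and search-engine patterns; extend to whatever engines matter in your region.
SEARCH_BOT_UA = re.compile(r"googlebot|bingbot|baiduspider", re.I)
SEARCH_REFERER = re.compile(r"^https?://(www\.)?(google|bing|baidu)\.", re.I)


def parse_iis_log(text):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "-").replace("+", " ")
        yield rec


def classify(rec):
    """Visitor class used for the split-view comparison."""
    if SEARCH_BOT_UA.search(rec["cs(User-Agent)"]):
        return "bot"
    if SEARCH_REFERER.search(rec.get("cs(Referer)", "-")):
        return "search_visitor"
    return "direct_visitor"


def find_cloaked_uris(text):
    """Return URIs whose response status differs by visitor class in the BadIIS-style pattern:
    crawlers always get 200, search-referred visitors get a 3xx, direct visitors still get 200."""
    by_uri = defaultdict(lambda: defaultdict(set))
    for rec in parse_iis_log(text):
        by_uri[rec["cs-uri-stem"]][classify(rec)].add(rec["sc-status"])
    findings = []
    for uri, classes in by_uri.items():
        bot_ok = bool(classes["bot"]) and classes["bot"] <= {"200"}
        search_redirected = any(s.startswith("3") for s in classes["search_visitor"])
        direct_ok = "200" in classes["direct_visitor"]
        if bot_ok and search_redirected and direct_ok:
            findings.append({
                "uri": uri,
                "bot_status": sorted(classes["bot"]),
                "search_visitor_status": sorted(classes["search_visitor"]),
                "direct_visitor_status": sorted(classes["direct_visitor"]),
            })
    return findings


def find_hidden_accounts(account_names):
    """Flag local account names ending in '$' (the naming pattern of the reported persistence accounts);
    feed it the names from Get-LocalUser or the SAM, since `net user` does not list them."""
    return [name for name in account_names if name.endswith("$")]


if __name__ == "__main__":
    for finding in find_cloaked_uris(SAMPLE_IIS_LOG):
        print("possible split-view cloaking:", finding)
    # Constructed account list for illustration.
    print("hidden-style accounts:", find_hidden_accounts(["Administrator", "admin$", "mysql$", "svc_backup"]))
```

Run it against a real site by reading the W3C log files instead of `SAMPLE_IIS_LOG`; if Accept-Language is added as a custom log field, the same grouping can be keyed on that header to look for the language-targeted variant described in the reporting. A single redirect for a search-referred visitor is weak evidence on its own, so treat a flagged URI as a lead to confirm by inspecting the loaded native IIS modules and recent web-root changes, not as a verdict.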
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Where they target
Geographies tied to known operations.
- 🇿🇦 South Africa
Tradecraft
16 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Cybercrime group using BadIIS variants to compromise web servers for search engine manipulation and SEO fraud.
Large-scale SEO poisoning and IIS server compromise campaign using BADIIS malware; monetization via redirecting users to gambling ads/illicit sites; broad global victimology including government, corporate, and education.
Compromises IIS (Internet Information Services) Windows servers at scale and deploys the BADIIS malicious native IIS module to perform SEO poisoning via split-view content injection/redirects, monetizing access by promoting illicit gambling and fraudulent cryptocurrency sites while evading detection.
China-linked actor targeting vulnerable IIS servers across Asia, with focus on Thailand and Vietnam; deploys BadIIS SEO malware.