CL-UNK-1037
CL-UNK-1037 is Palo Alto Networks Unit 42's tracking moniker for the activity dubbed "Operation Rewrite," part of the broader BadIIS/SEO-poisoning ecosystem that targets IIS web servers. The operator compromises IIS instances and deploys server-side components that intercept HTTP traffic and selectively inject content or redirect visitors to gambling/scam pages. The cloaking serves different content to search-engine crawlers than to browsers, and the redirect fires only when a request carries a search-engine referrer, so site owners and security staff who browse directly to the page see the legitimate content. Unit 42 reports that CL-UNK-1037 implements this objective through several server-side mechanisms: native IIS modules, ASP.NET handlers, managed .NET IIS modules, and a PHP front-controller "rewrite" model. Unit 42 assesses with high confidence that the operator is Chinese-speaking, based on linguistic and infrastructure artifacts; links the cluster with moderate confidence to ESET's "Group 9" on the basis of design similarities and direct overlap in C2 domain families (e.g., the 008php/yyphw/300bt subdomain families); and notes a low-confidence connection to Talos' DragonRank based on similarity without infrastructure overlap. Known alias: Operation Rewrite.
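Because the injected logic keys on the User-Agent and the Referer, the practical check for a suspected host is to request the same URL under several personas and diff the answers. The Python below is an added example, not Unit 42's tooling or actor code: the two `constructed_*_server` functions are stand-ins that mimic the cloaking behaviour described above (crawler gets SEO bait, search-referred browser gets a 302, everyone else gets the real page), the crawler and referrer patterns are assumed representative lists, and `http_fetch` is a real-network fetcher with the same signature that is not exercised here.

```python
"""Probe a site for crawler/referrer-conditional cloaking.
Added example; the *_server functions are constructed stand-ins, not actor code."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed representative of what the injected logic keys on; extend per engagement.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider", re.I)
SEARCH_REFERRER = re.compile(r"^https?://([\w-]+\.)*(google|bing|baidu)\.", re.I)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# Three request personas. A clean server answers all three the same way.
PROBES = {
    "direct_browser": ("Mozilla/5.0 (Windows NT 10.0) Chrome/120", None),
    "search_referred": ("Mozilla/5.0 (Windows NT 10.0) Chrome/120", "https://www.google.com/"),
    "crawler": ("Mozilla/5.0 (compatible; Googlebot/2.1)", None),
}


def title_of(body: str) -> str:
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else ""


def constructed_compromised_server(path: str, ua: str, referer: Optional[str]) -> Response:
    """Constructed stand-in for a compromised IIS host (not actor code)."""
    if CRAWLER_UA.search(ua):  # crawlers are fed the SEO bait page
        return Response(200, "<html><title>Best Online Casino Bonus</title><body>...</body></html>")
    if referer and SEARCH_REFERRER.search(referer):  # search visitors are bounced
        return Response(302, headers={"Location": "https://landing.example/casino"})
    return Response(200, "<html><title>Acme Corp</title><body>Welcome</body></html>")


def constructed_clean_server(path: str, ua: str, referer: Optional[str]) -> Response:
    """Constructed stand-in for an uncompromised host: identical answer for every persona."""
    return Response(200, "<html><title>Acme Corp</title><body>Welcome</body></html>")


def http_fetch(url: str, ua: str, referer: Optional[str]) -> Response:
    """Real fetcher with the same signature. Redirects are NOT followed so a 30x stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urlopen raise HTTPError for 3xx instead of following it

    headers = {"User-Agent": ua}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=15) as r:
            return Response(r.status, r.read().decode("utf-8", "replace"), dict(r.headers))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read().decode("utf-8", "replace"), dict(e.headers))


def probe(fetch: Callable[[str, str, Optional[str]], Response], target: str = "/") -> list[str]:
    """Fetch target under each persona; report divergence from the direct-browser baseline."""
    results = {name: fetch(target, ua, ref) for name, (ua, ref) in PROBES.items()}
    base = results["direct_browser"]
    findings = []
    for name, r in results.items():
        if name == "direct_browser":
            continue
        if 300 <= r.status < 400 and not 300 <= base.status < 400:
            findings.append(f"{name}: {r.status} -> {r.headers.get('Location')} (baseline {base.status})")
        elif r.status == 200 and base.status == 200 and title_of(r.body) != title_of(base.body):
            findings.append(f"{name}: title {title_of(r.body)!r} vs baseline {title_of(base.body)!r}")
    return findings


if __name__ == "__main__":
    for line in probe(constructed_compromised_server):
        print(line)
```

Swap `constructed_compromised_server` for `http_fetch` and a full URL to run this against a real host. Two caveats: the baseline persona must be one the cloaking logic treats as "normal" (here a direct browser visit), and a more careful operator can verify a claimed Googlebot by reverse DNS, in which case a spoofed UA from your workstation sees the clean page and only a request originating from a real crawler, or inspection of the server's modules and handlers, will reveal the injection.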
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Likely Chinese-speaking cluster conducting SEO poisoning (Operation Rewrite) to redirect traffic and plant web shells (BadIIS).
Adjacent IIS SEO-poisoning cluster that can implement the same objective via multiple web-stack mechanisms (native IIS modules, ASP.NET handlers, managed .NET IIS modules, and a PHP front-controller "rewrite" model); discussed as ecosystem-adjacent to UAT-8099/WEBJACK rather than as a proven alias.