A Chinese-speaking cybercrime group known as “UAT-8099” has quietly engineered a global SEO fraud infrastructure by compromising Microsoft IIS web servers in multiple countries. Researchers say the attackers manipulated search rankings and harvested valuable credentials through hidden web shells and custom malware deployed on unsuspecting servers.
The operation, active since early 2025, spans India, Brazil, Canada, Thailand and Vietnam—and experts warn it may mark a new frontier in monetizing compromised infrastructure at scale.
Seeding the Fraud Network: Compromised IIS Servers as Launchpad
Security analysts at Cisco Talos first flagged UAT-8099 in October 2025 after noticing anomalous traffic transformations on IIS (Internet Information Services) servers. Rather than attacking end-user devices directly, the group focuses on servers with public-facing websites and relatively high domain authority—universities, telecom providers, and tech firms.
Once a server is penetrated—often via weak upload settings or unpatched vulnerabilities—the attackers deploy a multi-step chain: web shells, privilege escalation (including via guest accounts), Remote Desktop Protocol backdoors, VPN or reverse-proxy tunneling, and finally concealment of the initial entry point.
Importantly, the malware only activates its “SEO fraud” mode when requests originate from Googlebot user agents. At that point, the server is transformed into a redirect engine or backlink farmer, pushing traffic (and SEO value) to sites of the attackers’ choosing.
Mechanics of the Scam: From Web Shells to Backlinking
The fraud chain revolves around a customized variant of malware dubbed BadIIS, which carries three functional modes:
- Proxy mode — acts as a stealth fetcher of content via encoded command-and-control (C2) servers
- Injector mode — intercepts responses to Googlebot crawls and inserts JavaScript or redirect scripts
- SEO fraud mode — surreptitiously adds backlinks or hidden links, inflating the target site’s search ranking metrics
In practice, once the malware is embedded, UAT-8099 can quietly sell “ranking power” or traffic to paying clients—without needing to host visible content themselves. This model allows for scalable monetization of infected infrastructure.
To avoid detection, the attackers deploy obfuscation techniques, server hardening (to block subsequent attackers), and careful timing of delivery. They also integrate popular hacking tools (such as Cobalt Strike) and rely on custom scripts that automate their operations to keep a low profile.
Geographic Footprint and Target Selection
Analysis so far shows that a significant number of the compromised servers lie in India, Thailand, Vietnam, Canada, and Brazil.
In India, the sectors hit include universities and telecom operators—organizations with both public assets and often stretched security budgets. The group appears to prefer servers with preexisting exposure or lax configurations rather than conducting zero-day network exploits.
According to researchers, some of the backlinks and redirect chains lead to gambling, adult content, or “lead-generation” pages—a common revenue stream in SEO fraud. Over time, UAT-8099 may expand into other monetization models, such as phishing, credential resale or targeted campaigns leveraging their foothold.
Challenges of Attribution and Defense
Attributing this operation to a Chinese-speaking group raises familiar difficulties in cybercrime: linguistic traces can be misleading; tooling and techniques are shared; and deliberate false flags are common. Still, researchers see connections between BadIIS methods and earlier threat clusters like DragonRank and Operation Rewrite, which also used SEO fraud via compromised IIS servers.
From a defense standpoint, the architecture is difficult to detect. Because the malicious behavior is conditionally triggered (only when Googlebot crawlers visit), standard web application firewalls or malware scanners might not see anomalous behavior in normal browsing traffic.
Mitigations offered by cybersecurity experts include:
- Rigorous patch management of IIS servers
- Monitoring for unexpected outbound connections or proxying
- Integrity checks on response content during Googlebot visits
- Segregation of critical systems
- Threat hunting to detect web shells and unusual privilege escalations
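The "integrity check during Googlebot visits" above follows directly from the conditional behaviour described earlier: an implant that only injects links or redirects for crawler user agents will produce a different page for a Googlebot fetch than for a browser fetch of the same URL. The script below is an added example, not code from the Talos report or from any product; it compares two response bodies and reports links, scripts and meta-refresh tags present only in the crawler view. The sample HTML and the example.invalid URLs are constructed for illustration.

```python
"""Detect crawler-conditional content injection (cloaking) on a web server.

Fetch the same URL twice, once with a browser User-Agent and once with a
Googlebot User-Agent, then diff the link/script/redirect features. Content
that appears only in the crawler-UA response is the signature of a
BadIIS-style injector or SEO-fraud mode.
"""
import re
import urllib.request

# Real Googlebot UA string as published by Google; browser UA is a generic sample.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)
SCRIPT_RE = re.compile(r'<script\b[^>]*>.*?</script>', re.IGNORECASE | re.DOTALL)
META_REFRESH_RE = re.compile(r'<meta\s[^>]*http-equiv=["\']refresh["\'][^>]*>', re.IGNORECASE)


def extract_features(html):
    """Collect the page elements an SEO implant typically adds or rewrites."""
    return {
        "links": set(LINK_RE.findall(html)),
        "scripts": {s.strip() for s in SCRIPT_RE.findall(html)},
        "meta_refresh": set(META_REFRESH_RE.findall(html)),
    }


def crawler_only_content(normal_html, crawler_html):
    """Return, per feature type, the items present only in the crawler-UA response."""
    normal, crawler = extract_features(normal_html), extract_features(crawler_html)
    return {kind: sorted(crawler[kind] - normal[kind]) for kind in normal}


def is_cloaked(normal_html, crawler_html):
    """True when the crawler view carries links/scripts/redirects the browser view lacks."""
    return any(crawler_only_content(normal_html, crawler_html).values())


def fetch(url, user_agent):
    """Fetch a URL with a chosen User-Agent (live check; not used by the offline sample)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: a clean university page, and the same page as an injector would serve it to Googlebot.
NORMAL_HTML = '<html><body><h1>Department of Physics</h1><a href="/courses">Courses</a></body></html>'
CLOAKED_HTML = ('<html><body><h1>Department of Physics</h1><a href="/courses">Courses</a>'
                '<a href="https://example.invalid/casino" style="display:none">bonus</a>'
                '<script>window.location="https://example.invalid/r"</script></body></html>')

if __name__ == "__main__":
    print(crawler_only_content(NORMAL_HTML, CLOAKED_HTML))
```

A CDN or reverse-proxy cache in front of IIS can serve the same cached body to both fetches and hide the difference, so run the comparison against the origin server directly; an implant may also key on more than the User-Agent, so an identical pair of responses is not proof of a clean host.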
Even so, systemic challenges—especially in under-resourced public institutions—mean many vulnerable servers may remain unprotected.
