Malware Evades Detection Inside IIS Core Processes

BADIIS Malware Compromises Over 1,800 Windows Servers

The420 Correspondent

New Delhi: More than 1,800 Windows servers worldwide have been compromised in a large-scale cyber operation driven by a stealthy malware strain known as BADIIS, turning legitimate web infrastructure into an underground SEO poisoning network.

The campaign is designed to manipulate search engine results, redirecting unsuspecting users to illegal online gambling platforms and fraudulent cryptocurrency websites. Cybersecurity researchers say the attackers are monetising hacked servers while remaining largely invisible to administrators and end users.


According to analysts, the operation primarily targets web servers running Internet Information Services (IIS). Once infected, the servers continue to appear normal to site owners, while search engine crawlers are secretly served altered content packed with SEO keywords and malicious backlinks.

The global campaign was uncovered by Elastic Security Labs, whose forensic investigation revealed that BADIIS embeds itself deep inside the server’s core processes. This allows the malware to intercept and modify HTTP traffic in real time, selectively redirecting visitors to attacker-controlled destinations without disrupting routine website operations.

Government agencies, universities among victims

Researchers say infected systems have been identified across multiple countries, cutting across sectors that include government departments, educational institutions and financial organisations. A significant concentration of victims has been observed in the Asia–Pacific region, pointing to a deliberate effort to exploit specific regional internet usage patterns.

Security teams warn that the breadth of affected industries underscores the operational maturity of the threat actors, who are believed to be running a highly coordinated infrastructure designed for long-term persistence and profit.

Hidden inside IIS, nearly invisible to traditional defenses

What makes BADIIS particularly dangerous is its deployment as a malicious native IIS module rather than a standalone process. By loading directly into the IIS worker process, the malware blends in with legitimate server activity, making detection extremely difficult for conventional security tools.

Every incoming HTTP request is inspected. When BADIIS detects user-agent strings linked to search engine crawlers such as Google’s Googlebot, it injects SEO content into the response to artificially boost the ranking of malicious sites.

In contrast, system administrators and regular visitors are shown clean, original pages — a split-view technique that allows the compromise to remain hidden while actively poisoning search results.

Adding to its stealth, the malware relies on direct system calls to bypass Endpoint Detection and Response (EDR) hooks, helping it evade monitoring and maintain persistence on infected machines.

What organisations should do

Cybersecurity specialists are urging organisations to immediately audit their IIS environments and review all installed modules for unsigned or unfamiliar components. Any suspicious modules should be removed at once.

Teams are also advised to monitor for unusual outbound connections originating from IIS worker processes and ensure that all Windows servers are fully patched against known vulnerabilities. Network segmentation and tighter access controls can further reduce exposure to similar attacks.
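One way to carry out the module audit described above, as an added example that is not from the article or from Elastic's report: the PowerShell below lists every native IIS module registered in applicationHost.config with its Authenticode status and signer, and cross-checks which DLLs are actually mapped into running w3wp.exe worker processes from outside the Windows directory. It assumes a Windows Server host with the WebAdministration module installed and an elevated session (reading w3wp.exe module lists requires that).

```powershell
# Added example: audit native IIS modules for unsigned or non-Microsoft DLLs.
# Assumes Windows Server, the WebAdministration module, and an elevated shell.
Import-Module WebAdministration

function Get-IisNativeModuleReport {
    # Native (global) modules are declared under <globalModules> in
    # applicationHost.config; each has a name and an image (DLL) path.
    # Managed (.NET) modules are registered separately and are not covered here.
    foreach ($m in (Get-WebGlobalModule)) {
        # Image paths normally use %windir%; expand before checking the file.
        $path   = [Environment]::ExpandEnvironmentVariables($m.Image)
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Treat anything that is not validly signed by Microsoft as worth a look.
        $isMicrosoft = $sig -and ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        [pscustomobject]@{
            Name       = $m.Name
            Image      = $path
            Exists     = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'Missing' }
            Signer     = $signer
            Suspicious = -not $isMicrosoft
        }
    }
}

function Get-W3wpLoadedModules {
    # Cross-check the config view against reality: DLLs mapped into live IIS
    # worker processes that were not loaded from the Windows directory.
    # Application assemblies under inetpub will show up too; review them as well.
    Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
        $workerPid = $_.Id
        $_.Modules |
            Where-Object { $_.FileName -notmatch '^[A-Za-z]:\\Windows\\' } |
            ForEach-Object { [pscustomobject]@{ Pid = $workerPid; Module = $_.FileName } }
    }
}

Get-IisNativeModuleReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-W3wpLoadedModules | Format-Table -AutoSize
```

Run it on a known-clean server first to learn the expected baseline, then diff the output across the fleet; a module whose image sits outside %windir%\System32\inetsrv, or whose signature is missing or not Microsoft's, is the thing to pull for analysis.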

Experts say the campaign highlights a growing shift in attacker tactics — from simple data theft to large-scale abuse of the search ecosystem itself. By leveraging SEO poisoning, threat actors are turning compromised servers into revenue-generating assets, often without site owners realising anything is wrong.

Within cybersecurity circles, the BADIIS operation is being described as one of the most organised and stealthy web-infrastructure attacks in recent months — a stark reminder that even minor lapses in server security can escalate into a global threat.

About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
