BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign

Feb. 17, 2026, 6:38 p.m.

Description

A Chinese-speaking cybercrime group, tracked as REF4033, has orchestrated a large-scale SEO poisoning campaign, compromising over 1,800 Windows web servers worldwide with the BADIIS malware. The campaign operates in two phases: serving keyword-stuffed HTML to search engine crawlers, and redirecting human visitors to illicit websites. The group deploys BADIIS, a malicious IIS module, to hijack legitimate servers, manipulate search engine rankings, and facilitate financial fraud. The campaign primarily targets the APAC region, with China and Vietnam accounting for 82% of compromised servers. Victims span various sectors, including government agencies, educational institutions, and financial services. The attackers use stealth and anti-tampering techniques, employing Chinese encryption standards and commercial obfuscation tools.

Date

  • Created: Feb. 17, 2026, 5:59 p.m.
  • Published: Feb. 17, 2026, 5:59 p.m.
  • Modified: Feb. 17, 2026, 6:38 p.m.

Indicators

  • 055bdcaa0b69a1e205c931547ef863531e9fdfdaac93aaea29fb701c7b468294
  • 2340f152e8cb4cc7d5d15f384517d756a098283aef239f8cbfe3d91f8722800a
  • 7f2987e49211ff265378349ea648498042cd0817e131da41156d4eafee4310ca
  • c2ff48cfa38598ad514466673b506e377839d25d5dfb1c3d88908c231112d1b2
  • 1b723a5f9725b607926e925d1797f7ec9664bb308c9602002345485e18085b72
  • 1f9e694cac70d089f549d7adf91513f0f7e1d4ef212979aad67a5aea10c6d016
  • c5abe6936fe111bbded1757a90c934a9e18d849edd70e56a451c1547688ff96f
  • http://se.gotz001.com/lunlian/index.php
  • https://vn404.gotz001.com/lunlian/index.php
  • http://kr.gotz001.com/lunlian/index.php
  • https://in.jbtz001.com/lunlian/index.php
  • https://cn.gotz001.com/lunlian/index.php
  • http://kr.gotz003.com/krfml/krfmldz.txt
  • https://pk.jbtz001.com/lunlian/index.php
  • http://kr.gotz003.com/krfml/krfmltz.txt
  • https://cnse.gotz001.com/lunlian/index.php
  • https://vn.gotz001.com/lunlian/index.php
  • https://jp.jbtz001.com/lunlian/index.php
  • http://vn.jbtz001.com/lunlian/index.php
  • https://cn.gotz001.com/lunlian/indexgov.php
  • https://br.jbtz001.com/lunlian/index.php
  • http://kr.gotz003.com/krfml/krfmllj.txt
  • http://bd.gotz001.com/lunlian/index.php
  • https://vnse.jbtz001.com/lunlian/index.php
  • https://vnbtc.jbtz001.com/lunlian/index.php
  • https://cn404.gotz001.com/lunlian/index.php
  • http://kr.gotz003.com/krfml/krfmlip.txt
  • https://cn.jbtz001.com/lunlian/index.php

Attack Patterns

  • BADIIS
  • REF4033

Additional Information

  • Finance
  • Education
  • Technology
  • Healthcare
  • Government
  • cn.gotz001.com
  • jbtz001.com
  • br.jbtz003.com
  • vnse.jbtz001.com
  • bd.gotz003.com
  • cn.jbtz001.com
  • cnse.gotz003.com
  • cnse.gotz001.com
  • cn404.gotz001.com
  • vn.jbtz003.com
  • in.jbtz001.com
  • pk.jbtz001.com
  • vnbtc.jbtz001.com
  • in.jbtz003.com
  • se.gotz001.com
  • vn404.gotz001.com
  • pk.jbtz003.com
  • wsmres64.idx2.sc
  • cn.jbtz003.com
  • br.jbtz001.com
  • vn.jbtz001.com
  • gotz003.com
  • uupbit.top
  • jbtz003.com
  • vnbtc.jbtz003.com
  • vn.gotz003.com
  • jp.jbtz001.com
  • kr.gotz003.com
  • kr.gotz001.com
  • cn.gotz003.com
  • jp.jbtz003.com
  • bd.gotz001.com
  • gotz001.com
  • vn.gotz001.com
  • Brazil
  • India
  • British Indian Ocean Territory
  • Japan
  • Australia
  • Bangladesh
  • Korea, Democratic People's Republic of
  • Lithuania
  • Nepal
  • Korea, Republic of
  • China