Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign
Sept. 25, 2025, 2:46 p.m.
Description
A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to redirect users to malicious sites. The campaign primarily targets East and Southeast Asia, with a focus on Vietnam. The attackers employ various tools including native IIS modules, ASP.NET handlers, and PHP scripts. The operation shows links to previously known threat groups like Group 9 and possibly DragonRank. The campaign demonstrates sophisticated techniques for search result manipulation and traffic redirection, posing significant risks to unsuspecting internet users.
Tags
Date
- Created: Sept. 25, 2025, 9:20 a.m.
- Published: Sept. 25, 2025, 9:20 a.m.
- Modified: Sept. 25, 2025, 2:46 p.m.
Indicators
- ed68c5a8c937cd55406c152ae4a2780bf39647f8724029f04e1dce136eb358ea
- e2e00fd57d177e4c90c1e6a973cae488782f73378224f54cf1284d69a88b6805
- de570369194da3808ab3c3de8fb7ba2aac1cc67680ebdc75348b309e9a290d37
- d8a7320e2056daf3ef4d479ff1bb5ce4facda67dfc705e8729aeca78d6f9ca84
- d6a0763f6ef19def8a248c875fd4a5ea914737e3914641ef343fe1e51b04f858
- c6622e2900b8112e8157f923e9fcbd48889717adfe1104e07eb253f2e90d2c6a
- c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f
- bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c
- b95a1619d1ca37d652599b0b0a6188174c71147e9dc7fb4253959bd64c4c1e9f
- b056197f093cd036fa509609d80ece307864806f52ab962901939b45718c18a8
- ab0b548931e3e07d466ae8598ca9cd8b10409ab23d471a7124e2e67706a314e8
- a73c7f833a83025936c52a8f217c9793072d91346bb321552f3214efdeef59eb
- a393b62df62f10c5c16dd98248ee14ca92982e7ac54cb3e1c83124c3623c8c43
- 88de33754e96cfa883d737aea7231666c4e6d058e591ef3b566f5c13a88c0b56
- 82096c2716a4de687b3a09b638e39cc7c12959bf380610d5f8f9ac9cddab64d7
- 8078fa156f5ab8be073ad3f616a2302f719713aac0f62599916c5084dd326060
- 78ef67ec600045b7deb8b8ac747845119262bea1d51b2332469b1f769fb0b67d
- 6d79b32927bac8020d25aa326ddf44e7d78600714beacd473238cc0d9b5d1ccf
- 6d044b27cd3418bf949b3db131286c8f877a56d08c3bbb0924baf862a6d13b27
- 6cff06789bf27407aa420e73123d4892a8f15cae9885ff88749fd21aa6d0e8ad
- 5aa684e90dd0b85f41383efe89dddb2d43ecbdaf9c1d52c40a2fdf037fb40138
- 40a0d0ee76b72202b63301a64c948acb3a4da8bac4671c7b7014a6f1e7841bd2
- 36bf18c3edd773072d412f4681fb25b1512d0d8a00aac36514cd6c48d80be71b
- 2af61e5acc4ca390d3bd43bc649ab30951ed7b4e36d58a05f5003d92fde5e9a7
- 271c1ddfdfb6ba82c133d1e0aac3981b2c399f16578fcf706f5e332703864656
- 23aa7c29d1370d31f2631abd7df4c260b85227a433ab3c7d77e8f2d87589948f
- 22a9e1675bd8b8d64516bd4be1f07754c8f4ad6c59a965d0e009cbeaca6147a7
- 22a4f8aead6aef38b0dc26461813499c19c6d9165d375f85fb872cd7d9eba5f9
- 1c870ee30042b1f6387cda8527c2a9cf6791195e63c5126d786f807239bd0ddc
- 01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60
- 160.30.173.87
- 103.6.235.78
- 103.6.235.26
- www.victim.com
- www.massnetworks.org
- https://sl.008php.com/kt.html
- https://fb88s.icu/uu/tt.js
- http://x404.008php.com/zz/u.php
- http://x404.008php.com/index.php
- http://www.massnetworks.org
- http://vn404.008php.com/zz/u.php
- http://vn404.008php.com/index.php
- http://cs.pyhycy.com/zz/u.php
- http://cs.pyhycy.com/index.php
- http://404.yyphw.com/zz/u.php
- http://404.yyphw.com/index.php
- http://404.pyhycy.com/zz/u.php
- http://404.pyhycy.com/index.php
- http://404.hzyzn.com/zz/u.php
- http://404.hzyzn.com/index.php
- http://404.hao563.com/zz/u.php
- http://404.hao563.com/index.php
- http://404.300bt.com/index.php
- http://404.008php.com/zz/u.php
- http://404.008php.com/
- http://404.300bt.com/zz/u.php
- x404.008php.com
- vn404.008php.com
- sl.008php.com
- sc.300bt.com
- qp.008php.com
- fcp.yyphw.com
- cs.pyhycy.com
- 404.yyphw.com
- 404.pyhycy.com
- 404.hzyzn.com
- 404.hao563.com
- 404.300bt.com
- 404.008php.com
- fb88s.icu
- 008php.com