UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud

Oct. 2, 2025, 4:18 p.m.

Description

A Chinese-speaking cybercrime group, UAT-8099, is targeting high-value Internet Information Services (IIS) servers for search engine optimization fraud and data theft. The group focuses on reputable servers in India, Thailand, Vietnam, Canada, and Brazil, affecting universities, tech firms, and telecom providers. UAT-8099 uses web shells, hacking tools, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence. They exploit weak file upload settings, enable guest accounts, and use RDP for access. The group also steals valuable credentials, configuration files, and certificates. New BadIIS variants with low detection rates and Chinese debug strings have been identified. The attackers employ SEO techniques like backlinking and inject malicious JavaScript to redirect users to fraudulent websites.

Date

  • Created: Oct. 2, 2025, 3:07 p.m.
  • Published: Oct. 2, 2025, 3:07 p.m.
  • Modified: Oct. 2, 2025, 4:18 p.m.

Indicators

  • fee057cee9da92d3d29078e7c30da7472ce99cc2ecaf4e13e8b3d6f266a6d35f
  • f7cc8cf5a8e565c1aa8b7bd524f4f9fac392387de749657cb9d1cf4d694c4ad2
  • f659c4cfe4517a07b9c944cb7818be4022fdc42187766808ad02987a4152a875
  • ee6288fa8e5f111571475211b15522bc987da8421e9687a8089d1edef1df14a2
  • e042f1a9b0a1d69311a5a1bd4eea37cc1a8a02cffe3f9ad5eb0c78fa79f326e2
  • e1342bca7bc4f3ff9453c68cd16532f4e6567a1ada37b6e2635cbc1c1ba325ac
  • cd86344937c7e7c9895fde8eecc682eb347c583e1ded491075aef548a8e255a4
  • cbb4a9172f4b0185d3aecbaa60b8e04d8910889da8905e5089df3efdec0a38dd
  • c85a942a0d17c7accbabbf68ce04635327b757a662687c798e998c983c2a744c
  • b8626f0c45c68f6176540a64e2f8c6d5ac8b942a5ec030b590870a6eaffb931f
  • b3d08508b1e8962e56da007408450e2a40fae8cac1ee7d526914be80e31f6854
  • 993fc46080d49c4ec814b4a3b2bf38faf2a6d59fe8a0638164b6fa27fa66e6e0
  • 980f5ccbcf1b1e56095acf8e63821ef0b365f4db1ca811515e29106b8d0f9d30
  • 94d8eaef036231cd604d0c769f0918e826501644a149876c09e967811c104860
  • 8edfa205175912a6a8d31b821b027a67f0a8413528f6fc02f544fba18d75aa4e
  • 8b2a61f29fdeda908d299515975a4dd3abd1a7508dbe8487bcb2a56fad2ec16f
  • 8b154b9c9b15bc2ec4849c182c926c46bf9de561e4359cbdaf5f0ca90a4f869d
  • 87ffb0bb7d8dd89bfc5d106a07d0c4a4f51c03d355848abcf52fbe8c7087cf5b
  • 879ee17ff9225e2c71d818eea5addd7ce3c41a4100a98bd5d29d4cb4f2dadf22
  • 85cf3c802a97facb5ae4c1e945c5042915017f35bdf1a570754b88710facf3f3
  • 7ddf475abc6e01a1e703f4c54e5a2c8601fef4767b3b1859b78cfdc18b173004
  • 78f813c4474dcb4a1be9354d341bedcae6ef8689828a150c5936c308a0490777
  • 762db01f0dc61a3f4aa1695cb24a92fa21d236d8c5577926337ac1799d6569a5
  • 74eb8d245d5571f3ee9a4e5417fb919034662681ff26a298a3526032307f16a4
  • 7276bc5fe4d29daf7a23a9a68022330290be45cc3a5a1d76e82063135b85ce5c
  • 704ce326c380e4a35594df2b7d9bd17517709378451f3d9788728d01df36d0f6
  • 5a6dd4bb2db005adee56732b96fa6f4ceed47fc42298daf7bb3e6db32b59eac6
  • 5284d5e034aa8c077469d3ef8fb2c09aa041c475703ea99c87855cf6eecf9564
  • 49740a5785f0d6790ee7f82915d2a95866332fc3eaf6fb0da59645404e4aed0c
  • 3fb2fd80c7bc8cf69594ad36b18972eb771585bc5733f456eeef1448e8d77713
  • 3bd3a328dbe4ddefa177f7c367d8d9536a3d0e7debd1648e376534f0c5cac98f
  • 2eedd804c1fa4578485b55f4872145b7f891016510fe88fa760b61b8248dec82
  • 299aabc6b9b03d92a6aed9d12eed45a669e5795763092693ac98322107cf8217
  • 223ebe3875f876a951e700a153901b05e9c166ca6151ca35219c8b544ea30c01
  • 1d17bd82d15331fd9787511da1c7b1c5cf40deef371a43d63ec524b4d90f6b84
  • 1149c50a049dca8ada30247532d0b2f18b94c199b45fd5dc129b5a9fda0991e9
  • 0c532a4a9f398fa2f5e12c2eac00c81ff4a70ac6746cf462c3f2206ed910693f
  • 0c364717dea76cbff870a2dbf2099213615a4caacaa5de61f7271c7eec73759f
  • 0afa8830d2c664a192af94b638ab6b1c096d13e41a7f1886b71ff020e0d9bd93
  • 088fa3063c3015978955b572d5ddcff0838a945ce25665f24cca83d33e039cb9
  • 0511345f452e8c5ff2ca903553ba72f4fcb4f029f72b12e27f6a33e33977e5d2
  • 046417685ad2eb075f33a0f757391df84750d2395fa6f82b1f05359710b7c9b6
  • c922ef32c4ab94f8b870c62883f3e41755ec705db76ec4efb0d343458f1e28c7
  • f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb
  • 36.75.75.75
  • 138.112.25.25
  • 123.181.24.36
  • 71.162.181.51
  • xldll.xijingdafa.com
  • xl.luodixijin.com
  • x5.westooo.com
  • x3.ggseocdn.com
  • x2.ggseocdn.com
  • th1.win123888.com
  • th1.ggseocdn.com
  • tdk.ihack.one
  • suidcbdewjskbcsdjvbwehcsdj.dfbdfwrthgef.top
  • mulu.ihack.one
  • modll.win123888.com
  • mo2dll.win123888.com
  • link.mejsc4.com
  • list.ggseocdn.com
  • joydphp.westooo.com
  • iis.ihack.one
  • joyddll.westooo.com
  • google.dfbdfwrthgef.top
  • ceshi.mejsc4.com
  • cheng.win123888.com
  • cdn.windowserrorapis.com
  • bx.westooo.com
  • bxphp.ggseocdn.com
  • bx.ggseocdn.com
  • aspx2.ggseocdn.com
  • buvmfuwecndskmkvhndfjk.dfbdfwrthgef.top
  • ar.mnnoxzmq.com
  • ar.ggseocdn.com
  • alex.rootggseo.com
  • mejsc1.com
  • meindi11.com
  • 2fgithub.com

Attack Patterns

Additional Information

  • Technology
  • Education
  • Telecommunications
  • British Indian Ocean Territory
  • India
  • Thailand
  • Canada
  • Brazil