WEBJACK: Evolving IIS Hijacking Campaign Abuses SEO for Fraud and Monetization

Nov. 19, 2025, 9:34 a.m.

Description

A malware campaign called WEBJACK is compromising Microsoft IIS servers to deploy BadIIS malware modules for SEO poisoning and fraud. The attackers hijack high-profile targets, including government and educational institutions, to redirect users to gambling websites. The campaign uses various tools from the Chinese cybercriminal ecosystem, suggesting a Chinese-speaking threat actor. The malicious IIS modules selectively serve content to search engine crawlers while redirecting or blocking ordinary visitors. The operation spans multiple countries, primarily in Southeast Asia and Latin America, with a focus on Vietnamese-language targeting. The campaign demonstrates the evolving nature of IIS hijacking and the growing trend of leveraging legitimate security tools for malicious purposes.

Date

  • Created: Nov. 19, 2025, 9:01 a.m.
  • Published: Nov. 19, 2025, 9:01 a.m.
  • Modified: Nov. 19, 2025, 9:34 a.m.

Indicators

Attack Patterns

  • m0yv
  • XlAnyLoader
  • BadIIS
  • Cobalt Strike - S0154
  • WEBJACK

Additional Information

  • Technology
  • Education
  • Government
  • France