216.73.217.22

UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud

· Published 02/10/2025 15:07 · Modified 02/10/2025 16:18

Export JSON

Essential information

Published
02/10/2025 15:07
Modified
02/10/2025 16:18
Tags
2025-10-02 badiis chinese-speaking cobalt strike cybercrime data theft iis servers seo fraud web shells
Related entities
80 observables, 1 intrusion sets (apt), 10 techniques (mitre), 8 others

Description

A group, UAT-8099, is targeting high-value Internet Information Services (IIS) servers for search engine optimization fraud and . The group focuses on reputable servers in India, Thailand, Vietnam, Canada, and Brazil, affecting universities, tech firms, and telecom providers. UAT-8099 uses , hacking tools, , and malware to manipulate search rankings and maintain persistence. They exploit weak file upload settings, enable guest accounts, and use RDP for access. The group also steals valuable credentials, configuration files, and certificates. New variants with low detection rates and Chinese debug strings have been identified. The attackers employ SEO techniques like backlinking and inject malicious JavaScript to redirect users to fraudulent websites.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (80)

  • 36.75.75.75
  • 138.112.25.25
  • 123.181.24.36
  • 71.162.181.51
  • xldll.xijingdafa.com
  • xl.luodixijin.com
  • x5.westooo.com
  • x3.ggseocdn.com
  • x2.ggseocdn.com
  • th1.win123888.com
  • th1.ggseocdn.com
  • tdk.ihack.one
  • suidcbdewjskbcsdjvbwehcsdj.dfbdfwrthgef.top
  • mulu.ihack.one
  • modll.win123888.com
  • mo2dll.win123888.com
  • link.mejsc4.com
  • list.ggseocdn.com
  • joydphp.westooo.com
  • iis.ihack.one
  • joyddll.westooo.com
  • google.dfbdfwrthgef.top
  • ceshi.mejsc4.com
  • cheng.win123888.com
  • cdn.windowserrorapis.com
  • bx.westooo.com
  • bxphp.ggseocdn.com
  • bx.ggseocdn.com
  • aspx2.ggseocdn.com
  • buvmfuwecndskmkvhndfjk.dfbdfwrthgef.top
  • ar.mnnoxzmq.com
  • ar.ggseocdn.com
  • alex.rootggseo.com
  • mejsc1.com
  • meindi11.com
  • 2fgithub.com
  • fee057cee9da92d3d29078e7c30da7472ce99cc2ecaf4e13e8b3d6f266a6d35f
  • f7cc8cf5a8e565c1aa8b7bd524f4f9fac392387de749657cb9d1cf4d694c4ad2
  • f659c4cfe4517a07b9c944cb7818be4022fdc42187766808ad02987a4152a875
  • ee6288fa8e5f111571475211b15522bc987da8421e9687a8089d1edef1df14a2
  • e042f1a9b0a1d69311a5a1bd4eea37cc1a8a02cffe3f9ad5eb0c78fa79f326e2
  • e1342bca7bc4f3ff9453c68cd16532f4e6567a1ada37b6e2635cbc1c1ba325ac
  • cd86344937c7e7c9895fde8eecc682eb347c583e1ded491075aef548a8e255a4
  • cbb4a9172f4b0185d3aecbaa60b8e04d8910889da8905e5089df3efdec0a38dd
  • c85a942a0d17c7accbabbf68ce04635327b757a662687c798e998c983c2a744c
  • b8626f0c45c68f6176540a64e2f8c6d5ac8b942a5ec030b590870a6eaffb931f
  • b3d08508b1e8962e56da007408450e2a40fae8cac1ee7d526914be80e31f6854
  • 993fc46080d49c4ec814b4a3b2bf38faf2a6d59fe8a0638164b6fa27fa66e6e0
  • 980f5ccbcf1b1e56095acf8e63821ef0b365f4db1ca811515e29106b8d0f9d30
  • 94d8eaef036231cd604d0c769f0918e826501644a149876c09e967811c104860
  • 8edfa205175912a6a8d31b821b027a67f0a8413528f6fc02f544fba18d75aa4e
  • 8b2a61f29fdeda908d299515975a4dd3abd1a7508dbe8487bcb2a56fad2ec16f
  • 8b154b9c9b15bc2ec4849c182c926c46bf9de561e4359cbdaf5f0ca90a4f869d
  • 87ffb0bb7d8dd89bfc5d106a07d0c4a4f51c03d355848abcf52fbe8c7087cf5b
  • 879ee17ff9225e2c71d818eea5addd7ce3c41a4100a98bd5d29d4cb4f2dadf22
  • 85cf3c802a97facb5ae4c1e945c5042915017f35bdf1a570754b88710facf3f3
  • 7ddf475abc6e01a1e703f4c54e5a2c8601fef4767b3b1859b78cfdc18b173004
  • 78f813c4474dcb4a1be9354d341bedcae6ef8689828a150c5936c308a0490777
  • 762db01f0dc61a3f4aa1695cb24a92fa21d236d8c5577926337ac1799d6569a5
  • 74eb8d245d5571f3ee9a4e5417fb919034662681ff26a298a3526032307f16a4
  • 7276bc5fe4d29daf7a23a9a68022330290be45cc3a5a1d76e82063135b85ce5c
  • 704ce326c380e4a35594df2b7d9bd17517709378451f3d9788728d01df36d0f6
  • 5a6dd4bb2db005adee56732b96fa6f4ceed47fc42298daf7bb3e6db32b59eac6
  • 5284d5e034aa8c077469d3ef8fb2c09aa041c475703ea99c87855cf6eecf9564
  • 49740a5785f0d6790ee7f82915d2a95866332fc3eaf6fb0da59645404e4aed0c
  • 3fb2fd80c7bc8cf69594ad36b18972eb771585bc5733f456eeef1448e8d77713
  • 3bd3a328dbe4ddefa177f7c367d8d9536a3d0e7debd1648e376534f0c5cac98f
  • 2eedd804c1fa4578485b55f4872145b7f891016510fe88fa760b61b8248dec82
  • 299aabc6b9b03d92a6aed9d12eed45a669e5795763092693ac98322107cf8217
  • 223ebe3875f876a951e700a153901b05e9c166ca6151ca35219c8b544ea30c01
  • 1d17bd82d15331fd9787511da1c7b1c5cf40deef371a43d63ec524b4d90f6b84
  • 1149c50a049dca8ada30247532d0b2f18b94c199b45fd5dc129b5a9fda0991e9
  • 0c532a4a9f398fa2f5e12c2eac00c81ff4a70ac6746cf462c3f2206ed910693f
  • 0c364717dea76cbff870a2dbf2099213615a4caacaa5de61f7271c7eec73759f
  • 0afa8830d2c664a192af94b638ab6b1c096d13e41a7f1886b71ff020e0d9bd93
  • 088fa3063c3015978955b572d5ddcff0838a945ce25665f24cca83d33e039cb9
  • 0511345f452e8c5ff2ca903553ba72f4fcb4f029f72b12e27f6a33e33977e5d2
  • 046417685ad2eb075f33a0f757391df84750d2395fa6f82b1f05359710b7c9b6
  • c922ef32c4ab94f8b870c62883f3e41755ec705db76ec4efb0d343458f1e28c7
  • f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb

Intrusion sets (APT) (1)

  • UAT-8099
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:10 · Modified 21/12/2025 18:10

Techniques (MITRE) (10)

  • T1136.001
    Local Account
  • T1528
    Steal Application Access Token
  • T1059.003
    Windows Command Shell
  • T1005
    Data from Local System
  • T1057
    Process Discovery
  • T1083
    File and Directory Discovery
  • T1049
    System Network Connections Discovery
  • T1560
    Archive Collected Data
  • T1133
    External Remote Services
  • T1003
    OS Credential Dumping

Others (8)

  • British Indian Ocean Territory
  • India
  • Thailand
  • Canada
  • Brazil
  • Technology
  • Education
  • Telecommunications

External references