216.73.217.22

WEBJACK: Evolving IIS Hijacking Campaign Abuses SEO for Fraud and Monetization

· Published 19/11/2025 09:01 · Modified 19/11/2025 09:34

Export JSON

Essential information

Published
19/11/2025 09:01
Modified
19/11/2025 09:34
Tags
2025-11-19 badiis chinese threat actor cobalt strike gambling redirection iis hijacking iis modules latin america m0yv seo poisoning southeast asia xlanyloader
Related entities
34 observables, 1 intrusion sets (apt), 11 techniques (mitre), 4 malware, 4 others

Description

A malware campaign called WEBJACK is compromising Microsoft IIS servers to deploy malware modules for and fraud. The attackers hijack high-profile targets, including government and educational institutions, to redirect users to gambling websites. The campaign uses various tools from the Chinese cybercriminal ecosystem, suggesting a Chinese-speaking threat actor. The malicious selectively serve content to search engine crawlers while redirecting or blocking ordinary visitors. The operation spans multiple countries, primarily in and , with a focus on Vietnamese-language targeting. The campaign demonstrates the evolving nature of and the growing trend of leveraging legitimate security tools for malicious purposes.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (34)

  • w5r.sneaws.com
  • w5c.sneaws.com
  • w3c.sneaws.com
  • tdk.jmfwy.com
  • seo.667759.com
  • tdk.hunanduodao.com
  • kaifa.sneaws.com
  • jkt.667759.com
  • jk.667759.com
  • google2.sneaws.com
  • jiankong.sneaws.com
  • google.sneaws.com
  • ttseo66.com
  • mail.tttseo.com
  • ffbad7beab3e0888d6957637f2ec80156402ad540e9c92ebb243fe27bea1f598
  • ffa835cd05558fa52a12e91136c4e8a3e7393b3155a6be7877812c6e7d1ff811
  • e51ea911a281097be040ac2871134e6c7d5c3b37c8b46d2267ad40a18a05d2ec
  • d8c0ef6dbf7d4572f92d3a492f32061ab8f3dd46beb9ff5a0bf9bf550935458c
  • cbbe63d47e377ab93a39d11554b3024760868bf667db388efc62e6f2850b5d89
  • c65dea5d6ab244520a794de0bc9a232050b632b391b3cd3a616661f03d9d2619
  • c9b4657b6aea927bb0f601f2063e743f8702408c98d01ca3332692b29c4d90ca
  • c17d1bb654bfa9ff9f612d37c1204585cfc76d663818a23aac78ba43e35e3df0
  • bab9a644aff24cf313210cc6632f71d935a428ea0efb3823c0dbe6dccabe4b73
  • 9a2fd34e22c5f3d3d5fb96e3cd514dad7b03ed7bf53a87e7d8d9b73987d02ece
  • b0842c9916449de6d4b4159d6c5af747d6fb40609510d6a8d2eb669932c1f661
  • 98d4d3de1af9d8568ededbddad4ed5a2072393985421462f44d12e482a1a36af
  • 86b8605b4870be8c3e83e51b4e3ee80e781a7c5a0104ffa656da651a03579c5a
  • 767576a2b67a3a53883b174a50c83192d0930a4ce213af5f5093e6ee26910d2b
  • 72cf397738724b1f555c147005c61c058619405846460a60b02a2af75b57a81e
  • 6b60b6df8a1a95f51ffe57255c05d26eb9e113857efac3b29d6ef080b8d414f3
  • 561fcf1a2d6cc2170d2b538f416e95d981663984e384da51b36ffe97d2653dcd
  • 48ec6530470b295db455bf2c72dc4fbd18672725f45821304f966d436b428865
  • 00c7efe65ab90c03678359f5ba6b24d9f938a28205652dd61f15d7a31323cf1b
  • 11265422e79f2cd057ee1ae38a16e5db54039711ae8cdb9e177aebfde5666f32

Intrusion sets (APT) (1)

  • WEBJACK
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:50 · Modified 21/12/2025 18:50

Techniques (MITRE) (11)

Malware (4)

  • m0yv
    Family
    Published 19/11/2025 09:01 · Modified 19/11/2025 09:01
  • XlAnyLoader
    Family
    Published 19/11/2025 09:01 · Modified 19/11/2025 09:01
  • BadIIS
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Cobalt Strike - S0154
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40

Others (4)

  • France
  • Technology
  • Education
  • Government

External references