UAT-8099 SEO Fraud Campaign

Cybersecurity researchers have uncovered a Chinese-speaking cybercrime group, tracked as UAT-8099, that compromises Microsoft Internet Information Services (IIS) servers to run search engine optimization (SEO) fraud and to steal high-value credentials, configuration files, and certificate data from the servers it controls. Because the SEO fraud depends on the reputation of legitimate sites, the victims are organizations whose web presence is trusted by search engines, which puts organizations worldwide at risk.

Global Reach and Target Profile

The group's activity has been observed primarily in India, Thailand, Vietnam, Canada, and Brazil, with the compromised servers belonging to universities, technology firms, and telecom providers. The campaign was first detected in April 2025. The end targets of the SEO fraud are mobile users on both Android and iOS, who are the ones redirected from search results to the actor's content.

This actor is part of a growing wave of China-linked threat clusters engaging in SEO fraud. For context, a recent campaign by another actor, GhostRedirector, compromised at least 65 Windows servers using a malicious IIS module codenamed Gamshen, targeting similar regions.

Attack Methods and Initial Access

UAT-8099 selects high-value IIS servers in the target regions and gains access by exploiting security vulnerabilities or weak file upload configurations, such as an upload directory that serves uploaded files as executable script. The approach then proceeds in stages:

  • Uploading web shells and using them to gather system information.
  • Abusing the guest account to escalate privileges to administrator level.
  • Enabling Remote Desktop Protocol (RDP) for continued access.

The group also locks down the initial foothold so that other threat actors cannot compromise the same servers, which means a server can remain quietly controlled for a long time. Cobalt Strike is deployed as the primary backdoor for post-exploitation activity.
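The "weak file upload configuration" entry point above comes down to one question for a defender: can a file dropped into an upload directory be executed as script? The following is an added example, not code from the original report or from any of the tools it names. It parses a site-level web.config with the standard library and checks whether the `<location>` entry for the upload directory strips Script and Execute permission from the handler pipeline and denies the usual script extensions through request filtering. The two web.config documents, the directory name `uploads`, and the extension list are constructed for the example.

```python
"""Audit an IIS web.config for an upload directory that could run an uploaded web shell.

The two web.config strings below are constructed examples: one leaves the default
handler permissions (Read, Script) in place for the upload directory, the other
restricts it. Added example, not code from the campaign write-up.
"""
import xml.etree.ElementTree as ET

# Weak: nothing scopes the upload directory, so the inherited default access policy
# (Read, Script) applies and an uploaded .aspx file is run by the ASP.NET handler.
WEAK_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
"""

# Hardened: Read-only access policy in the upload directory (no Script, no Execute)
# plus request filtering that refuses the script extensions outright.
HARDENED_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="uploads">
    <system.webServer>
      <handlers accessPolicy="Read" />
      <security>
        <requestFiltering>
          <fileExtensions allowUnlisted="true">
            <add fileExtension=".aspx" allowed="false" />
            <add fileExtension=".ashx" allowed="false" />
            <add fileExtension=".asmx" allowed="false" />
            <add fileExtension=".asp" allowed="false" />
            <add fileExtension=".config" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

# Extensions an IIS/ASP.NET handler would execute or that leak configuration (assumed list).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".config"}


def audit_upload_dir(web_config_xml, upload_path="uploads"):
    """Inspect the <location> element covering upload_path and report what it restricts."""
    root = ET.fromstring(web_config_xml)
    wanted = upload_path.strip("/").lower()
    location = next(
        (loc for loc in root.findall("location")
         if loc.get("path", "").strip("/").lower() == wanted),
        None,
    )
    result = {
        "location_found": location is not None,
        "script_execution_blocked": False,
        "denied_extensions": set(),
        "missing_extensions": set(SCRIPT_EXTENSIONS),
    }
    if location is None:
        return result  # no scoped config at all: inherited defaults apply

    handlers = location.find("system.webServer/handlers")
    if handlers is not None and handlers.get("accessPolicy") is not None:
        policy = {p.strip().lower() for p in handlers.get("accessPolicy").split(",")}
        # Script or Execute in the policy means handlers may still run uploaded files.
        result["script_execution_blocked"] = not (policy & {"script", "execute"})

    for add in location.findall(
        "system.webServer/security/requestFiltering/fileExtensions/add"
    ):
        if add.get("allowed", "true").lower() == "false":
            ext = add.get("fileExtension", "").lower()
            result["denied_extensions"].add(ext)
            result["missing_extensions"].discard(ext)
    return result


def upload_dir_is_hardened(web_config_xml, upload_path="uploads"):
    """True only when script execution is blocked and every script extension is denied."""
    r = audit_upload_dir(web_config_xml, upload_path)
    return r["script_execution_blocked"] and not r["missing_extensions"]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_upload_dir(cfg), "hardened:", upload_dir_is_hardened(cfg))
```

The check only reads a site-level web.config; a per-directory web.config inside the upload folder, or settings locked at applicationHost.config level, would need the same audit applied to those files. It also does not replace the stronger design of keeping uploads outside the web root entirely.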

Persistence and Malware Deployment

To maintain long-term control, UAT-8099 combines RDP with VPN and tunneling tools such as SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP), so that the server remains reachable even when direct RDP exposure is removed. The attack chain culminates with the installation of BadIIS, a malicious IIS module used by multiple Chinese-speaking clusters, including DragonRank and Operation Rewrite (CL-UNK-1037).

Once inside, the actor uses GUI utilities such as the Everything file-search tool to locate valuable data on the server, which is then exfiltrated for resale or further exploitation. The exact number of compromised servers remains unknown.

The BadIIS Malware: Modes and Functionality

The deployed BadIIS variant has been modified specifically to evade antivirus detection and mirrors the functionality of Gamshen. Its SEO manipulation is conditional: it activates only for requests that appear to come from Googlebot, so an administrator browsing the site normally sees unaltered content and the fraud is invisible from the server's own front door. BadIIS operates in three main modes:

Proxy Mode: Decodes the embedded C2 server addresses and relays requests through them, fetching the content it serves from secondary servers rather than from the compromised host itself.

Injector Mode: Intercepts browser requests that arrive from Google search results, retrieves JavaScript from the C2 server, embeds it into the HTML response, and redirects users to unauthorized sites or advertisements.

SEO Fraud Mode: Serves Googlebot content carrying backlinks to the actor's chosen sites, so that the search reputation of the compromised server artificially boosts those sites' rankings; the actor runs this across many compromised IIS servers at once.
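All three modes share one observable: the same URL returns a different response depending on whether the client presents as Googlebot or arrives from a Google search result. That difference is visible in the server's own W3C logs, provided the response size is logged (the `sc-bytes` field is not enabled by default in IIS logging). The following is an added detection example, not code from the original report: it parses constructed IIS log lines, builds a per-URL baseline from ordinary traffic, and flags Googlebot-user-agent or Google-referer requests whose status or size departs from that baseline. The log lines, IP addresses, and the 25% size threshold are all constructed for the example.

```python
"""Flag IIS requests whose response differs when the client presents as Googlebot or
arrives from Google search results, the conditional behaviour described for BadIIS.

The log below is a constructed W3C extended-format sample, not real data. IIS writes
'+' in place of spaces inside the User-Agent field. Added example, not report code.
"""
from collections import Counter, defaultdict
from statistics import median
from urllib.parse import urlparse

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2025-09-10 08:01:12 10.0.0.5 GET /news/index.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/128.0 - 200 0 0 5120 31
2025-09-10 08:01:40 10.0.0.5 GET /news/index.aspx - 443 - 203.0.113.11 Mozilla/5.0+(Macintosh)+Safari/605.1 https://example.edu/ 200 0 0 5118 29
2025-09-10 08:02:03 10.0.0.5 GET /news/index.aspx - 443 - 203.0.113.12 Mozilla/5.0+(X11;+Linux)+Firefox/129.0 - 200 0 0 5121 30
2025-09-10 08:02:55 10.0.0.5 GET /news/index.aspx - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 200 0 0 18944 35
2025-09-10 08:03:20 10.0.0.5 GET /news/index.aspx - 443 - 198.51.100.7 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0)+Safari/604.1 https://www.google.com/ 200 0 0 7310 33
2025-09-10 08:04:01 10.0.0.5 GET /about.aspx - 443 - 203.0.113.13 Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 - 200 0 0 2048 20
2025-09-10 08:04:30 10.0.0.5 GET /about.aspx - 443 - 66.249.66.2 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 200 0 0 2050 21
2025-09-10 08:05:12 10.0.0.5 GET /news/index.aspx - 443 - 198.51.100.8 Mozilla/5.0+(Linux;+Android+14)+Chrome/128.0+Mobile https://www.google.com/ 302 0 0 340 12
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or header-less line: skip rather than guess columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_googlebot_ua(user_agent):
    return "googlebot" in user_agent.lower()


def is_google_referer(referer):
    host = urlparse(referer).netloc.lower()
    return "google" in host.split(".")  # matches www.google.com, google.co.uk, ...


def classify(row):
    """Return the trigger a BadIIS-style module keys on, or None for ordinary traffic."""
    if is_googlebot_ua(row.get("cs(User-Agent)", "-")):
        return "googlebot-ua"
    if is_google_referer(row.get("cs(Referer)", "-")):
        return "google-referer"
    return None


def find_conditional_responses(rows, size_ratio=1.25):
    """Compare each triggered request against the baseline for the same URL.

    Baseline = median sc-bytes and most common status of non-triggered requests.
    A triggered request is flagged if its status differs or its size is more than
    size_ratio away from the baseline in either direction.
    """
    groups = defaultdict(lambda: {"baseline": [], "suspect": []})
    for row in rows:
        trigger = classify(row)
        groups[row["cs-uri-stem"]]["suspect" if trigger else "baseline"].append((row, trigger))

    findings = []
    for uri, g in groups.items():
        base = [r for r, _ in g["baseline"] if r["sc-bytes"].isdigit()]
        if not base:
            continue  # nothing ordinary to compare against; cannot judge this URI
        base_bytes = median(int(r["sc-bytes"]) for r in base)
        base_status = Counter(r["sc-status"] for r in base).most_common(1)[0][0]
        for row, trigger in g["suspect"]:
            reason = None
            if row["sc-status"] != base_status:
                reason = f"status {row['sc-status']} vs baseline {base_status}"
            elif row["sc-bytes"].isdigit():
                size = int(row["sc-bytes"])
                if size > base_bytes * size_ratio or size * size_ratio < base_bytes:
                    reason = f"size {size} vs baseline {base_bytes:.0f}"
            if reason:
                findings.append({"uri": uri, "trigger": trigger,
                                 "client": row["c-ip"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_conditional_responses(parse_w3c(SAMPLE_LOG)):
        print(f)
```

On the sample, `/news/index.aspx` is flagged three times (an oversized Googlebot response, an enlarged response to a Google-referred iPhone, and a 302 for a Google-referred Android client) while `/about.aspx`, whose Googlebot response matches the baseline, is not. Pages with genuinely dynamic sizes will need a higher threshold or a status-only check; a redirect that only ever appears for Google-referred mobile clients is the strongest signal here.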

SEO Fraud and Backlinking Tactics

UAT-8099 relies on backlinking, an ordinary SEO technique, to raise the visibility of the sites it promotes. Google follows backlinks to discover new pages and treats them as a signal of relevance for the linked keywords. More backlinks from reputable sites can improve rankings, which is exactly why the actor wants them placed on compromised university, technology and telecom servers; poor-quality or artificial backlinks, once detected, can instead trigger penalties from Google against the linking site, so the victim organization also bears the reputational cost.

By combining malware deployment, web shells, and strategic backlinking, UAT-8099 manipulates search results and monetizes compromised servers effectively, which makes it a high-risk actor in the SEO fraud landscape.
