UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud blog.talosintelligence.com/uat-8099-…

In April 2025, Cisco Talos identified a Chinese-speaking cybercrime group, tracked as UAT-8099, which targets a broad range of vulnerable IIS servers across specific regions. This group focuses on high-value IIS servers that have a good reputation within these areas to manipulate search engine results for financial gain.

UAT-8099 operates as a cybercrime group conducting SEO fraud. Additionally, UAT-8099 uses Remote Desktop Protocol (RDP) to access IIS servers and search for valuable data such as logs, credentials, configuration files and sensitive certificates, which they package for possible resale or further exploitation.

Upon discovering a vulnerability in a target server, the group uploads a web shell to collect system information and conduct reconnaissance on the host network. They then enable the guest account, escalate its privileges to administrator level, and use this account to enable RDP. For persistence, they combine RDP access with SoftEther VPN, EasyTier (a decentralized virtual private network tool) and FRP reverse proxy tool. Subsequently, the group performs further privilege escalation using shared tools to gain system-level permissions and install BadIIS malware. To secure their foothold, they deploy defense mechanisms to prevent other threat actors from compromising the same server or disrupting their setup.

This blog post provides a comprehensive overview of the campaign’s victimology, including the regions affected and the potential consequences of BadIIS infections. It also details the attack chain, automation scripts employed, and the malware and shared hacking tools UAT-8099 commonly uses.