Dissecting UAT-8099: New persistence mechanisms and regional focus
blog.talosintelligence.com/uat-8099-…

Cisco Talos has identified renewed activity from threat actor UAT-8099 spanning August 2025 through early 2026, targeting compromised Microsoft IIS servers across Asia. Impacted infrastructure has been observed in India, Pakistan, Thailand, Vietnam and Japan, with a notable concentration in Thailand and Vietnam.

Talos assesses this campaign overlaps significantly with the previously reported WEBJACK operation, citing high-confidence correlations across malware hashes, command-and-control infrastructure, victim profiles and promoted gambling platforms.

Operationally, UAT-8099 continues to rely on web shells, SoftEther VPN and EasyTier to maintain access to compromised IIS servers. However, Talos notes two key shifts:

• A move toward more regionally focused black hat SEO campaigns
• Increased use of red team frameworks and legitimate administrative tools to evade detection and establish long-term persistence

The activity reflects a maturing tradecraft model that blends commodity web exploitation with enterprise-grade persistence techniques, complicating detection and remediation efforts.
Edward Kiledjian
@ekiledjian