Cybersecurity researchers have uncovered a new campaign by a China-linked threat actor targeting vulnerable web servers across Asia. The activity, attributed to a group tracked as UAT-8099, occurred between late 2025 and early 2026, according to a report from Cisco Talos.
The campaign specifically focused on Internet Information Services (IIS) servers, which are widely used to host websites and applications. While servers across Asia were affected, the threat actors showed a particular interest in targets located in Thailand and Vietnam.
Deployment of BadIIS malware
The primary tool used in this campaign is a malicious search engine optimization (SEO) injector known as BadIIS. This malware is designed to compromise web servers and manipulate their content to boost the ranking of specific, often fraudulent, websites in search engine results.
By injecting spammy links and content into legitimate, compromised websites, the attackers aim to redirect user traffic for financial gain or to spread further malware. The scale of this specific campaign is currently being assessed by security analysts.
Technical Execution and Impact
The attackers exploited vulnerabilities in IIS servers to gain initial access. Once inside, they deployed the BadIIS payload to modify web pages and server configurations. This type of attack can severely damage the reputation of the affected websites and erode user trust, as visitors may encounter unexpected or malicious content.
For the organizations running the compromised servers, the incident can lead to operational disruption, data integrity issues, and significant remediation costs. The focus on regional targets suggests the actors may have been seeking specific economic or intelligence advantages within the Southeast Asian digital landscape.
Attribution and Historical Context
The threat actor, UAT-8099, has been linked by researchers to previous cyber operations originating from China. Such groups often engage in espionage, intellectual property theft, or financially motivated attacks.
The use of SEO poisoning techniques, as seen with BadIIS, represents a shift for such actors, blending traditional server attacks with digital marketing manipulation. This approach allows them to monetize access or influence public information streams indirectly.
Security Recommendations and Response
Cisco Talos and other security firms recommend that organizations, especially those using IIS servers in the affected regions, apply all relevant security patches promptly. Regular security audits, monitoring for unauthorized file changes, and implementing web application firewalls are considered essential defensive measures.
Network administrators have been advised to scan for signs of the BadIIS malware, which often creates specific backdoor files and modifies web directory permissions. Sharing indicators of compromise with the broader security community can help track and mitigate the campaign’s spread.
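The two symptoms the recommendations above single out, unauthorized file changes and modified web directory permissions, can be caught with a simple baseline-and-compare check on the IIS web root. The following PowerShell script is an added example for that purpose; it is not part of the Cisco Talos report or the original article, and it assumes a web root of C:\inetpub\wwwroot and a baseline stored at C:\ProgramData\iis-baseline\wwwroot.xml (both are placeholders to adjust). It records a SHA-256 hash for each file and the SDDL form of the ACL for each file and directory, then reports new, removed or modified entries and any permission change on later runs.

```powershell
<#
  Added example (not from the Cisco Talos report or the original article):
  a baseline-and-compare check for an IIS web root that flags new, removed or
  modified files and changed NTFS permissions.
  Assumptions (not from the article): web root C:\inetpub\wwwroot, baseline
  file C:\ProgramData\iis-baseline\wwwroot.xml.
  Run once with -UpdateBaseline on a known-good server, then run on a schedule.
#>
param(
    [string]$WebRoot      = 'C:\inetpub\wwwroot',
    [string]$BaselinePath = 'C:\ProgramData\iis-baseline\wwwroot.xml',
    [switch]$UpdateBaseline
)

# Snapshot every file and directory under the web root: SHA-256 for files,
# and the SDDL form of the ACL for both files and directories.
function Get-WebRootSnapshot {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $hash = if ($_.PSIsContainer) { '' } else {
            (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Path = $_.FullName
            Hash = $hash
            Sddl = (Get-Acl -Path $_.FullName).Sddl
        }
    }
}

# Compare a current snapshot against the stored baseline and return findings.
function Compare-WebRootSnapshot {
    param($Baseline, $Current)
    $base = @{}; foreach ($e in $Baseline) { $base[$e.Path] = $e }
    $cur  = @{}; foreach ($e in $Current)  { $cur[$e.Path]  = $e }
    $findings = @()
    foreach ($p in $cur.Keys) {
        if (-not $base.ContainsKey($p)) {
            $findings += [pscustomobject]@{ Path = $p; Finding = 'NEW' }
            continue
        }
        if ($cur[$p].Hash -ne $base[$p].Hash) {
            $findings += [pscustomobject]@{ Path = $p; Finding = 'CONTENT_CHANGED' }
        }
        if ($cur[$p].Sddl -ne $base[$p].Sddl) {
            $findings += [pscustomobject]@{ Path = $p; Finding = 'ACL_CHANGED' }
        }
    }
    foreach ($p in $base.Keys) {
        if (-not $cur.ContainsKey($p)) {
            $findings += [pscustomobject]@{ Path = $p; Finding = 'REMOVED' }
        }
    }
    $findings
}

$snapshot = @(Get-WebRootSnapshot -Path $WebRoot)

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $snapshot | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($snapshot.Count) entries)."
    return
}

$baseline = Import-Clixml -Path $BaselinePath
$findings = @(Compare-WebRootSnapshot -Baseline $baseline -Current $snapshot)

if ($findings.Count -eq 0) {
    Write-Output "No changes relative to baseline."
} else {
    # Every entry here needs review: changed web.config or static pages, new
    # DLLs or scripts, and loosened ACLs are the signals worth escalating.
    $findings | Sort-Object Finding, Path | Format-Table -AutoSize
    exit 1
}
```

Run the script once with -UpdateBaseline on a freshly patched, trusted server, then schedule it (for example via Task Scheduler) and alert on a non-zero exit code. Because the baseline lives on the same host, copy it to a location the IIS worker process cannot write to, so that an intruder who modifies the web root cannot also rewrite the reference the check compares against.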
Looking ahead, cybersecurity analysts expect UAT-8099 and similar groups to continue refining their techniques. The integration of SEO manipulation with server attacks may become more common, requiring defenders to adopt more holistic security postures that protect both infrastructure and content integrity. Further disclosures from security vendors regarding the campaign’s full scope are anticipated in the coming weeks.
Source: Cisco Talos