
URGENT THREAT ALERT • IIS Servers
ALERT: Chinese Hackers (UAT-8099) Are Hijacking University & Gov’t IIS Servers with #BadIIS Malware!
By CyberDudeBivash • October 04, 2025 • Threat Intelligence Report
cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is a technical threat intelligence report for web administrators and security professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.
Threat Report: Table of Contents
- Chapter 1: The Threat — Your Website’s Reputation is Being Hijacked
- Chapter 2: Malware Analysis — The ‘BadIIS’ Native Module
- Chapter 3: The Kill Chain — From Compromise to SEO Poisoning
- Chapter 4: The Defender’s Playbook — How to Find and Remove BadIIS
Chapter 1: The Threat — Your Website’s Reputation is Being Hijacked
A new campaign by a Chinese-nexus group we track as **UAT-8099** is compromising a valuable and often overlooked asset: your website’s search engine reputation. The attackers are targeting high-authority Microsoft IIS web servers, particularly those at universities (.edu) and government agencies (.gov), and installing a stealthy backdoor we’re calling **#BadIIS**. This malware doesn’t deface your site or steal your data. Instead, it works as a silent parasite, using your trusted domain to boost the search engine rankings of illegal online gambling and casino websites. Your legitimate, trusted website is being turned into a covert billboard for organized crime, and your brand reputation is at serious risk.
Chapter 2: Malware Analysis — The ‘BadIIS’ Native Module
BadIIS is a malicious native IIS module (`.dll`) that attackers install on a compromised server. It is a sophisticated, server-side Trojan that uses a technique called **cloaking** to remain invisible to you and your legitimate visitors.
How it Works:
The module hooks into the IIS request pipeline and inspects the `User-Agent` string of every visitor to your website.
- **If the User-Agent is a Search Engine Crawler** (like Googlebot or Bingbot), BadIIS intercepts the request. Instead of serving your normal webpage, it serves a completely different page that is filled with thousands of spammy keywords and links related to online gambling.
- **If the User-Agent is a Normal User’s Browser** (like Chrome or Firefox), BadIIS does nothing. It passes the request on to your legitimate website, and the user sees your normal content.
This cloaking technique means that you, the site owner, will never see the spammy content by just browsing your own site. The attack is only visible to search engines, making it incredibly difficult to detect without specific checks.
Chapter 3: The Kill Chain — From Compromise to SEO Poisoning
- **Initial Access:** The UAT-8099 group gains administrative access to an IIS server, most likely by exploiting an unpatched vulnerability in the OS or an application, or by brute-forcing a weak RDP password.
- **Malware Deployment:** The attacker uses their admin privileges to install the `BadIIS.dll` file and then uses the legitimate `appcmd.exe` tool to register it as a native module in the `applicationHost.config` file. This is a similar technique to the **SessionHunter malware**.
- **SEO Poisoning:** The BadIIS module begins serving spammy content to search engine bots. Over time, Google and Bing start to index the trusted `.edu` or `.gov` domain for hundreds of illicit gambling keywords.
- **Malicious Redirection:** A user searches for one of the gambling keywords. Your legitimate university site now appears on the first page of the search results. The user clicks it. The BadIIS module detects that the `Referer` is from a search engine and immediately performs a 302 redirect, sending the unsuspecting user to the illegal gambling site.
- **Monetization:** The attackers earn affiliate commissions for every user they successfully redirect to the gambling platform.
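As an added example (not part of the original report), the following Python script looks for the two tells of stages 3 and 4 above in IIS W3C log lines: a 302 that is handed out only when the `Referer` is a search engine, and a crawler User-Agent receiving a far larger 200 response than browsers on the same URI. The log excerpt is constructed; field names follow the IIS W3C format, and the `sc-bytes` field must be enabled in the site's logging settings for the size comparison to apply.

```python
import re
from collections import defaultdict

SEARCH_REFERER = re.compile(r"https?://[^/]*\b(google|bing)\.", re.I)
CRAWLER_UA = re.compile(r"googlebot|bingbot", re.I)

# Constructed IIS W3C log excerpt; IIS writes spaces inside fields as "+" and
# empty fields as "-". The "#Fields:" line drives the parser, so any field order works.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) cs(Referer) sc-status sc-bytes
2025-10-04 09:00:01 203.0.113.10 GET /admissions/ Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 48210
2025-10-04 09:00:07 66.249.66.1 GET /admissions/ Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 311904
2025-10-04 09:01:13 198.51.100.7 GET /admissions/ Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 https://www.google.com/ 302 0
2025-10-04 09:02:45 198.51.100.9 GET /about/ Mozilla/5.0+(Macintosh)+Safari/17 https://www.bing.com/ 200 20331
2025-10-04 09:03:02 66.249.66.2 GET /about/ Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 20344
"""


def parse_w3c(text: str) -> list[dict]:
    """Turn a W3C extended log into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_cloaking_signs(rows: list[dict]) -> dict[str, list[str]]:
    """Per URI, compare how search-referred and crawler traffic is treated vs everyone else."""
    per_uri = defaultdict(lambda: {"ref": set(), "other": set(), "bot": set(), "user": set()})
    for r in rows:
        u = per_uri[r["cs-uri-stem"]]
        # Stage 4 of the kill chain: a 302 handed out only when the Referer is a search engine.
        u["ref" if SEARCH_REFERER.search(r.get("cs(Referer)", "")) else "other"].add(r["sc-status"])
        # Stage 3: crawlers get a keyword-stuffed page, so their 200 responses are far larger.
        if r["sc-status"] == "200" and r.get("sc-bytes", "-").isdigit():
            u["bot" if CRAWLER_UA.search(r["cs(User-Agent)"]) else "user"].add(int(r["sc-bytes"]))
    findings = {}
    for uri, u in per_uri.items():
        reasons = []
        if "302" in u["ref"] and u["other"] and "302" not in u["other"]:
            reasons.append("302 served only to search-engine referrals")
        if u["bot"] and u["user"] and max(u["bot"]) > 2 * max(u["user"]):
            reasons.append("crawler UA receives a much larger response than browsers")
        if reasons:
            findings[uri] = reasons
    return findings
```

Point it at a real log with `find_cloaking_signs(parse_w3c(open(path).read()))`; on the constructed excerpt only `/admissions/` is reported, with both reasons.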
Chapter 4: The Defender’s Playbook — How to Find and Remove BadIIS
You must actively hunt for this threat on your IIS servers.
Step 1: Hunt for the Malicious Module
Open a command prompt as Administrator on your IIS server and run this command: `%windir%\system32\inetsrv\appcmd.exe list modules`
Carefully review the list of all installed native modules. Compare it against a known-good baseline. Look for any DLLs that are not part of a standard Microsoft installation or a known application. Any unfamiliar or unsigned DLL is a critical red flag.
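An added example (not the report's own tooling) that scripts the review in Step 1: it reads the `<globalModules>` section of `applicationHost.config`, which is where `appcmd.exe` registers native modules, and flags any DLL loaded from outside the stock `inetsrv` directory. The config fragment is constructed and the rogue entry's name and path are hypothetical; checking the Authenticode signature of a flagged file is left to the host's own tools.

```python
import ntpath
import xml.etree.ElementTree as ET

# Where Microsoft's own native IIS modules live; anything registered from elsewhere
# deserves a closer look. (%windir% is expanded on a real host; left literal off-Windows.)
TRUSTED_MODULE_DIR = r"%windir%\System32\inetsrv"

# Constructed applicationHost.config fragment: two stock Microsoft modules and one
# hypothetical rogue entry of the kind appcmd would register for an attacker.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="IISCoreService" image="C:\\inetpub\\temp\\iiscore.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def list_global_modules(config_xml: str) -> list[dict]:
    """Return every native module in <globalModules> as {"name": ..., "image": ...}."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules.append({"name": add.get("name"), "image": add.get("image", "")})
    return modules


def flag_suspicious(modules: list[dict]) -> list[dict]:
    """Flag modules whose DLL lives outside the stock inetsrv directory (Step 1).

    ntpath is used so Windows paths split correctly even when this runs on Linux
    against a copied config. Signature checks are left to the host's tooling."""
    trusted = ntpath.expandvars(TRUSTED_MODULE_DIR).lower().rstrip("\\")
    flagged = []
    for m in modules:
        image_dir = ntpath.dirname(ntpath.expandvars(m["image"])).lower().rstrip("\\")
        if image_dir != trusted:
            flagged.append(m)
    return flagged


if __name__ == "__main__":
    # On a real server read the live file instead of SAMPLE_CONFIG:
    #   open(r"C:\Windows\System32\inetsrv\config\applicationHost.config").read()
    for m in flag_suspicious(list_global_modules(SAMPLE_CONFIG)):
        print(f"REVIEW: {m['name']} -> {m['image']}")
```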
Step 2: Check Your Search Engine Index
Use Google and Bing’s advanced search operators to see what the crawlers are seeing. Go to the search engine and type: `site:yourdomain.edu`
Review the results. Are there any pages indexed with titles or snippets related to gambling, casinos, or other illicit topics? If so, you have been compromised.
Step 3: Analyze Behavior with EDR
The ultimate defense is a powerful **EDR solution**. While BadIIS is stealthy, the initial compromise that allowed it to be installed may have left traces. Hunt for suspicious PowerShell commands, unusual RDP logins, and any anomalous behavior from the IIS worker process (`w3wp.exe`).
Endpoint Defense is Critical: A modern EDR is essential for detecting the initial breach and the post-exploitation activity. **Kaspersky Endpoint Security for Windows Server** provides the behavioral analysis and threat hunting capabilities needed to unmask these stealthy attacks.
About the Author
CyberDudeBivash is a cybersecurity strategist with 15+ years in web security, incident response, and malware analysis, advising CISOs across APAC. [Last Updated: October 04, 2025]