
Operation Rewrite: How BadIIS Rewired the Web for SEO Poisoning

Amber | Attack Report

Operation Rewrite: BadIIS SEO Poisoning Campaign

Summary

Operation Rewrite is a sophisticated SEO poisoning campaign discovered in March 2025, attributed to a Chinese-speaking threat actor cluster (CL-UNK-1037). The campaign weaponizes BadIIS, a malicious IIS module, to hijack legitimate websites and inject keyword-stuffed content. This technique tricks search engines into ranking poisoned pages, which then silently redirect victims to attacker-controlled scam sites.

With a primary focus on East and Southeast Asia, especially Vietnam, this operation demonstrates how attackers can exploit trust in search engines to spread malicious content. BadIIS is capable of JavaScript injection, 404 hijacking, silent redirects, and traffic tunneling, representing a major evolution of web server compromise tactics.

Attack Details

The campaign leverages a multi-pronged infection and propagation chain:

  • Initial Access: Web servers are breached via public-facing vulnerabilities, privilege escalation, and lateral movement to additional high-value hosts.

  • Persistence Mechanism: Attackers plant web shells, register new IIS modules, and create rogue user accounts.

  • Traffic Manipulation:

    • BadIIS intercepts web requests and modifies server responses.

    • Keyword-stuffed HTML is presented to search engine crawlers to manipulate rankings.

    • Real users clicking poisoned links are redirected to malicious destinations.

  • Toolset Expansion: Beyond BadIIS, attackers use ASP.NET handlers, .NET IIS modules, and PHP scripts to fabricate XML sitemaps, enabling faster indexing by Googlebot.

  • Attribution: Code artifacts (class name chongxiede, meaning “rewrite”), Simplified Chinese comments, and infrastructure overlaps link this campaign to Group 9 with moderate confidence, and to DragonRank with low confidence.
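The traffic-manipulation behaviour described above (keyword-stuffed HTML served to crawlers, a silent redirect served to real visitors) can be checked from the outside by fetching the same URL once with a crawler User-Agent and once with a browser User-Agent and comparing the two responses. The following Python is an added example for that comparison, not code from the advisory or from the BadIIS samples; the HTML responses are constructed for the example, the fetching step is left to the caller so the check runs offline, and the thresholds (`stuffing_ratio`, `min_words`, the 0.5 overlap cut-off) are assumptions to tune per site.

```python
"""Compare the crawler-facing and user-facing versions of one page.

Added example, not from the Hive Pro advisory or the BadIIS samples.
The two HTML documents would normally be the bodies of two requests to
the same URL, one sent with a search-engine crawler User-Agent and one
with an ordinary browser User-Agent; here they are constructed inline.
"""
import re
from collections import Counter
from html.parser import HTMLParser


class _TextAndRedirects(HTMLParser):
    """Collect visible text, meta-refresh directives and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.meta_refresh = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data as raw text.
        (self.scripts if self._in_script else self.text).append(data)


# Client-side redirect idioms: location assignment or location.replace().
_JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=|location\.replace\("
)


def _parse(html):
    p = _TextAndRedirects()
    p.feed(html)
    words = re.findall(r"[a-z0-9]+", " ".join(p.text).lower())
    return words, p


def audit_views(crawler_html, user_html, stuffing_ratio=0.3, min_words=30):
    """Return findings from comparing the crawler view with the user view.

    cloaked          - the two views share less than half of their vocabulary
    keyword_stuffed  - one term makes up >= stuffing_ratio of the crawler text
    user_redirect    - the user view carries a meta refresh or a JS redirect
    """
    c_words, _ = _parse(crawler_html)
    u_words, u_parsed = _parse(user_html)
    c_set, u_set = set(c_words), set(u_words)
    overlap = len(c_set & u_set) / max(len(c_set | u_set), 1)
    top_term, top_count = (Counter(c_words).most_common(1) or [("", 0)])[0]
    # Short pages repeat words naturally, so only judge stuffing on longer text.
    stuffed = len(c_words) >= min_words and top_count / len(c_words) >= stuffing_ratio
    js_redirect = any(_JS_REDIRECT.search(s) for s in u_parsed.scripts)
    return {
        "cloaked": overlap < 0.5,
        "text_overlap": round(overlap, 2),
        "keyword_stuffed": stuffed,
        "top_term": top_term,
        "user_redirect": bool(u_parsed.meta_refresh) or js_redirect,
    }


# Constructed sample responses for the example (not real captures).
CRAWLER_VIEW = ("<html><body><h1>casino bonus</h1>"
                + "<p>casino bonus casino</p>" * 20 + "</body></html>")
USER_VIEW = """<html><head><script>window.location.href='https://redirect.invalid/landing';</script></head>
<body><p>Welcome to the city library catalogue.</p></body></html>"""
CLEAN_VIEW = ("<html><body><h1>City library</h1>"
              "<p>Welcome to the city library catalogue.</p></body></html>")

if __name__ == "__main__":
    print("poisoned:", audit_views(CRAWLER_VIEW, USER_VIEW))
    print("clean:   ", audit_views(CLEAN_VIEW, CLEAN_VIEW))
```

A page where all three flags come back true matches the pattern the advisory describes: crawlers index one document, visitors receive another that immediately sends them elsewhere. Because BadIIS sits in the server's response path, the crawler fetch has to use a crawler User-Agent (and ideally a crawler source address) for the cloaked view to appear; a normal browser fetch alone shows nothing unusual except the redirect.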

Recommendations

  • Patch & Monitor IIS Servers: Regularly update web servers and inspect for unknown DLLs, rogue user accounts, and modified IIS modules.

  • Detect SEO Poisoning Attempts: Monitor for suspicious referral traffic or abnormal keyword-driven visit spikes.

  • Harden Web Infrastructure: Disable unused modules, restrict IIS module registration, and enforce strong access controls.

  • Content Auditing: Frequently inspect web content for hidden keywords, cloaked links, and injected scripts that may only appear to search engines.

  • Advanced Endpoint Protection: Deploy NGAV and EDR with behavioral detection to identify server-side implants and malicious web shells.
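The first recommendation, inspecting IIS servers for unknown DLLs and modified IIS modules, comes down to auditing the module registrations in applicationHost.config: BadIIS persists as a registered native module, and the toolset also includes managed (.NET) modules. The Python below is an added example of such an audit, not code from the advisory or from Hive Pro. It parses the `<globalModules>` and `<system.webServer><modules>` sections, reports native modules whose image path is outside the inetsrv directory or whose name is not on a baseline, reports managed modules not on the baseline, and checks a file's SHA256 against the hashes published in the IoC section. The configuration XML, the module names `CacheHelperModule` and `SiteHelper`, and the baseline sets are constructed for the example.

```python
"""Audit IIS module registrations against a baseline and the advisory's IoCs.

Added example, not code from the Hive Pro advisory. On a real server the
XML comes from %windir%\\System32\\inetsrv\\config\\applicationHost.config;
here a constructed fragment is embedded so the script runs offline.
"""
import hashlib
import xml.etree.ElementTree as ET

# SHA256 hashes listed in the advisory's IoC section.
IOC_SHA256 = {
    "01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60",
    "bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c",
    "5aa684e90dd0b85f41383efe89dddb2d43ecbdaf9c1d52c40a2fdf037fb40138",
    "82096c2716a4de687b3a09b638e39cc7c12959bf380610d5f8f9ac9cddab64d7",
    "ed68c5a8c937cd55406c152ae4a2780bf39647f8724029f04e1dce136eb358ea",
}

# Assumed baselines for the example; a real baseline is exported from a
# known-good server of the same role before comparing.
BASELINE_NATIVE = {"StaticFileModule", "DefaultDocumentModule",
                   "HttpLoggingModule", "RequestFilteringModule"}
BASELINE_MANAGED = {"Session", "WindowsAuthentication"}
# Native module DLLs shipped with IIS live under this directory.
TRUSTED_DIR = "%windir%\\system32\\inetsrv\\"


def audit_iis_config(xml_text, baseline_native=BASELINE_NATIVE,
                     baseline_managed=BASELINE_MANAGED):
    """Return a list of findings for module entries that deviate from baseline."""
    root = ET.fromstring(xml_text)
    findings = []
    # Native modules: <globalModules><add name=... image=DLL path/>
    for gm in root.iter("globalModules"):
        for m in gm.findall("add"):
            name, image = m.get("name", ""), m.get("image", "")
            reasons = []
            if name not in baseline_native:
                reasons.append("not in baseline")
            if not image.lower().startswith(TRUSTED_DIR):
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append({"kind": "native", "name": name,
                                 "image": image, "reasons": reasons})
    # Managed modules: <modules><add name=... type=.NET type/> (native entries
    # in this section carry no type attribute and are covered above).
    for mods in root.iter("modules"):
        for m in mods.findall("add"):
            name, mtype = m.get("name", ""), m.get("type")
            if mtype and name not in baseline_managed:
                findings.append({"kind": "managed", "name": name,
                                 "type": mtype, "reasons": ["not in baseline"]})
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes) -> bool:
    """True when the bytes of a module DLL hash to a published IoC."""
    return sha256_hex(data) in IOC_SHA256


# Constructed applicationHost.config fragment for the example.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="CacheHelperModule" image="C:\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="SiteHelper" type="SiteHelper.Module, SiteHelper" />
    </modules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for f in audit_iis_config(SAMPLE_CONFIG):
        print(f)
    # For each flagged native module, hash the DLL on disk and compare:
    print("IoC match for constructed bytes:", matches_ioc(b"constructed sample"))
```

The baseline comparison is what catches a fresh implant; the IoC hash check only catches the specific samples already published, so a module that fails the baseline but passes the hash check still deserves a look. Module registrations can also be made per site in `web.config`, which the same `<modules>` scan applies to.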

Indicators of Compromise (IoCs)

SHA256 Hashes (Samples)

  • 01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60

  • bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c

  • 5aa684e90dd0b85f41383efe89dddb2d43ecbdaf9c1d52c40a2fdf037fb40138

  • 82096c2716a4de687b3a09b638e39cc7c12959bf380610d5f8f9ac9cddab64d7

  • ed68c5a8c937cd55406c152ae4a2780bf39647f8724029f04e1dce136eb358ea

URLs (Samples)

  • hxxp[:]//103[.]6[.]235[.]26/xvn[.]html

  • hxxp[:]//x404[.]008php[.]com/zz/u[.]php

  • hxxp[:]//103[.]6[.]235[.]78/vn[.]html

  • hxxp[:]//cs[.]pyhycy[.]com/index[.]php

  • hxxps[:]//fb88s[.]icu/uu/tt[.]js

  • hxxp[:]//www[.]massnetworks[.]org

  • hxxp[:]//vn404[.]008php[.]com/index[.]php

MITRE ATT&CK TTPs

  • Resource Development: T1608 (Stage Capabilities), T1608.006 (SEO Poisoning)

  • Initial Access: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts)

  • Execution: T1059 (Command and Scripting Interpreter)

  • Persistence: T1505 (Server Software Component), T1505.004 (IIS Components), T1053 (Scheduled Task/Job)

  • Defense Evasion: T1036 (Masquerading)

  • Exfiltration: T1041 (Exfiltration Over C2 Channel)

  • Command & Control: T1071 (Application Layer Protocol)

  • Impact: T1204 (User Execution), T1189 (Drive-by Compromise)

