Operation Rewrite is a sophisticated SEO poisoning campaign discovered in March 2025, attributed to a Chinese-speaking threat actor cluster (CL-UNK-1037). The campaign weaponizes BadIIS, a malicious IIS module, to hijack legitimate websites and inject keyword-stuffed content. This technique tricks search engines into ranking poisoned pages, which then silently redirect victims to attacker-controlled scam sites.
With a primary focus on East and Southeast Asia, especially Vietnam, this operation demonstrates how attackers can exploit trust in search engines to spread malicious content. BadIIS is capable of JavaScript injection, 404 hijacking, silent redirects, and traffic tunneling, representing a major evolution of web server compromise tactics.
The campaign leverages a multi-pronged infection and propagation chain:
Initial Access: Web servers are breached via public-facing vulnerabilities, privilege escalation, and lateral movement to additional high-value hosts.
Persistence Mechanism: Attackers plant web shells, register new IIS modules, and create rogue user accounts.
Traffic Manipulation:
BadIIS intercepts web requests and modifies server responses.
Keyword-stuffed HTML is presented to search engine crawlers to manipulate rankings.
Real users clicking poisoned links are redirected to malicious destinations.
Toolset Expansion: Beyond BadIIS, attackers use ASP.NET handlers, .NET IIS modules, and PHP scripts to fabricate XML sitemaps, enabling faster indexing by Googlebot.
Attribution: Code artifacts (class name chongxiede, meaning “rewrite”), Simplified Chinese comments, and infrastructure overlaps link this campaign to Group 9 with moderate confidence, and to DragonRank with low confidence.
Patch & Monitor IIS Servers: Regularly update web servers and inspect for unknown DLLs, rogue user accounts, and modified IIS modules.
Detect SEO Poisoning Attempts: Monitor for suspicious referral traffic or abnormal keyword-driven visit spikes.
Harden Web Infrastructure: Disable unused modules, restrict IIS module registration, and enforce strong access controls.
Content Auditing: Frequently inspect web content for hidden keywords, cloaked links, and injected scripts that may only appear to search engines.
Advanced Endpoint Protection: Deploy NGAV and EDR with behavioral detection to identify server-side implants and malicious web shells.
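The "Patch & Monitor IIS Servers" recommendation above asks for inspection of unknown DLLs and modified IIS modules. BadIIS-style implants register as native modules in applicationHost.config, so a baseline comparison of that file is one of the cheapest checks available. The script below is an added example, not code from the original report: it parses the `<globalModules>` (native DLLs) and `<modules>` (managed .NET modules) sections and flags native modules whose image lives outside `%windir%\System32\inetsrv` and managed modules whose name is not in an assumed baseline. The embedded config snapshot, the `ContentFilterModule` and `SeoHelper` entries, and the baseline set are constructed for illustration; on a real server the baseline should be taken from a known-good host of the same IIS build.

```python
"""Audit IIS module registrations from an applicationHost.config snapshot (added example)."""
import sys
import xml.etree.ElementTree as ET

# Assumed trusted location for native IIS module DLLs (compared case-insensitively).
TRUSTED_NATIVE_DIR = "c:\\windows\\system32\\inetsrv\\"

# Assumed, abridged baseline of managed module names on a stock IIS/ASP.NET install.
BASELINE_MANAGED = {
    "OutputCache", "Session", "WindowsAuthentication", "FormsAuthentication",
    "DefaultAuthentication", "RoleManager", "UrlAuthorization", "FileAuthorization",
    "AnonymousIdentification", "Profile", "UrlMappingsModule", "ServiceModel-4.0",
    "UrlRoutingModule-4.0", "ScriptModule-4.0",
}

# Constructed sample snapshot: stock entries plus two suspicious registrations.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ContentFilterModule" image="C:\inetpub\temp\contentfilter.dll" />
    </globalModules>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="SeoHelper" type="WebHelper.Rewriter, WebHelper" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""


def _normalize(path: str) -> str:
    """Lower-case the path and expand the Windows environment variables IIS uses."""
    return (path.lower()
            .replace("%windir%", "c:\\windows")
            .replace("%systemroot%", "c:\\windows"))


def audit_iis_modules(config_xml: str):
    """Return a list of (kind, name, detail, reason) tuples for suspicious module entries."""
    root = ET.fromstring(config_xml)
    findings = []
    # The tag contains a dot, so use iter() rather than an ElementPath expression.
    web_server = next(root.iter("system.webServer"), None)
    if web_server is None:
        return findings
    for add in web_server.findall("globalModules/add"):
        name, image = add.get("name", ""), add.get("image", "")
        if not _normalize(image).startswith(TRUSTED_NATIVE_DIR):
            findings.append(("native", name, image, "DLL outside inetsrv directory"))
    for add in web_server.findall("modules/add"):
        name, mtype = add.get("name", ""), add.get("type", "")
        if mtype and name not in BASELINE_MANAGED:
            findings.append(("managed", name, mtype, "managed module not in baseline"))
    return findings


if __name__ == "__main__":
    # Pass a path to a real applicationHost.config to audit it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            config = fh.read()
    else:
        config = SAMPLE_CONFIG
    for kind, name, detail, reason in audit_iis_modules(config):
        print(f"[{kind}] {name}: {detail} ({reason})")
```

Running this against the sample flags `ContentFilterModule` (native DLL under `C:\inetpub\temp`) and `SeoHelper` (managed module not in the baseline). A stock module whose DLL has been replaced in place would pass this check, so pair it with hash or signature verification of the DLLs under `inetsrv`.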
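The traffic manipulation stage described in the attack chain (keyword-stuffed HTML shown only to crawlers, real visitors redirected) and the "Content Auditing" recommendation above both come down to the same check: does the server return different content depending on who is asking? The script below is an added example, not code from the original report. It parses two HTML views of the same URL, a baseline (plain browser request) and a variant (crawler User-Agent, or a browser request carrying a search engine Referer), and reports keyword stuffing (word-count ratio), off-site links and script sources present in only one view, and redirect indicators in the variant. The three sample pages, the host names `www.acme.example`, `stuffed-keywords.example`, `scripts.example` and `landing.example`, and the `fetch` helper's usage are constructed for illustration.

```python
"""Detect crawler cloaking and referrer-based redirects by diffing two views of a page (added example)."""
import re
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
# Inline JavaScript that assigns or replaces the location is the usual silent-redirect primitive.
REDIRECT_JS = re.compile(r"(window\.)?location(\.href|\.replace|\s*=)", re.I)


class _PageFeatures(HTMLParser):
    """Collect word count, link hosts, script sources and redirect indicators from HTML."""

    def __init__(self):
        super().__init__()
        self.words, self.link_hosts, self.script_srcs = 0, set(), set()
        self.meta_refresh, self.inline_js, self._in_script = False, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.add(a["src"])
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).netloc.lower()
            if host:
                self.link_hosts.add(host)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)
        else:
            self.words += len(data.split())  # visible text only, scripts excluded


def compare_views(baseline_html: str, variant_html: str, site_host: str) -> dict:
    """Compare a plain-browser view against a crawler or search-referred view of the same URL."""
    base, var = _PageFeatures(), _PageFeatures()
    base.feed(baseline_html)
    var.feed(variant_html)
    ratio = var.words / max(base.words, 1)
    variant_only_hosts = sorted(var.link_hosts - base.link_hosts - {site_host.lower()})
    redirect = var.meta_refresh or any(REDIRECT_JS.search(js) for js in var.inline_js)
    cloaked = ratio > 2.0 or bool(variant_only_hosts) or bool(base.script_srcs ^ var.script_srcs)
    return {
        "word_ratio": round(ratio, 2),
        "variant_only_hosts": variant_only_hosts,
        "variant_only_scripts": sorted(var.script_srcs - base.script_srcs),
        "baseline_only_scripts": sorted(base.script_srcs - var.script_srcs),
        "variant_redirect": redirect,
        "cloaked": cloaked,
        "suspicious": cloaked or redirect,
    }


def fetch(url: str, user_agent: str, referer: str | None = None, timeout: int = 15) -> str:
    """Fetch a URL with a chosen User-Agent and optional Referer (used only with a real URL)."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


# Constructed sample views of one page on the assumed site www.acme.example.
USER_HTML = """<html><head><title>Acme Widgets</title></head><body><h1>Acme Widgets</h1>
<p>We make reliable widgets for industrial customers since 1998.</p>
<a href="/products">Products</a> <a href="/contact">Contact</a>
<script src="/static/app.js"></script></body></html>"""
CRAWLER_HTML = USER_HTML.replace("</body>", """<div style="display:none">
best online betting site top sports odds casino bonus free spins register now play now bet today
win big jackpot live dealer poker slots roulette blackjack promo code deposit bonus vip club fast payout
<a href="https://stuffed-keywords.example/vn">betting</a> <a href="https://stuffed-keywords.example/tt">casino</a>
</div><script src="//scripts.example/tt.js"></script></body>""")
REFERRER_HTML = USER_HTML.replace("</body>",
    '<script>window.location.replace("https://landing.example/promo");</script></body>')

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a live URL: crawler view and search-referred view vs. baseline
        url, host = sys.argv[1], urlparse(sys.argv[1]).netloc
        base = fetch(url, BROWSER_UA)
        print("crawler view:", compare_views(base, fetch(url, GOOGLEBOT_UA), host))
        print("search-referred view:", compare_views(base, fetch(url, BROWSER_UA, "https://www.google.com/"), host))
    else:
        print("crawler view:", compare_views(USER_HTML, CRAWLER_HTML, "www.acme.example"))
        print("search-referred view:", compare_views(USER_HTML, REFERRER_HTML, "www.acme.example"))
```

With the sample data the crawler view is reported as cloaked (word ratio above 2, two links to an off-site host, one extra script source) and the search-referred view as a redirect with otherwise identical content. Against a live server, run the check from outside the network and from more than one source address, since a module that cloaks by User-Agent can equally cloak by client IP.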
SHA256 Hashes (Samples)
01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60
bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c
5aa684e90dd0b85f41383efe89dddb2d43ecbdaf9c1d52c40a2fdf037fb40138
82096c2716a4de687b3a09b638e39cc7c12959bf380610d5f8f9ac9cddab64d7
ed68c5a8c937cd55406c152ae4a2780bf39647f8724029f04e1dce136eb358ea
URLs (Samples)
hxxp[:]//103[.]6[.]235[.]26/xvn[.]html
hxxp[:]//x404[.]008php[.]com/zz/u[.]php
hxxp[:]//103[.]6[.]235[.]78/vn[.]html
hxxp[:]//cs[.]pyhycy[.]com/index[.]php
hxxps[:]//fb88s[.]icu/uu/tt[.]js
hxxp[:]//www[.]massnetworks[.]org
hxxp[:]//vn404[.]008php[.]com/index[.]php
Resource Development: T1608 (Stage Capabilities), T1608.006 (SEO Poisoning)
Initial Access: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts)
Execution: T1059 (Command and Scripting Interpreter)
Persistence: T1505 (Server Software Component), T1505.004 (IIS Components), T1053 (Scheduled Task/Job)
Defense Evasion: T1036 (Masquerading)
Exfiltration: T1041 (Exfiltration Over C2 Channel)
Command & Control: T1071 (Application Layer Protocol)
Impact: T1204 (User Execution), T1189 (Drive-by Compromise)