UAT-8099 is a cybercrime group that compromises vulnerable IIS servers to conduct search engine optimization (SEO) fraud and steal high-value credentials, configuration files, and certificate data. The group exploits weak file upload configurations to deploy web shells and the BadIIS malware, which manipulates search engine rankings by injecting malicious content when Googlebot crawlers visit compromised servers. Active since April 2025, UAT-8099 targets Education, Technology, and Telecommunications sectors across India, Thailand, Vietnam, Canada, Brazil, Pakistan, and Japan, primarily focusing on Microsoft Internet Information Services (IIS) running on Windows Server and Linux platforms.
UAT-8099 targets Microsoft Internet Information Services (IIS) servers with insecure file upload controls. After identifying a vulnerable host, the group uploads ASP.NET web shells to gain entry and perform initial reconnaissance. They exploit weak content management systems and misconfigured upload features to collect system details and map further attack paths within the environment.
After securing access, the attackers enable the guest account, elevate it to administrator privileges, and activate Remote Desktop Protocol (RDP) for persistent control. They create concealed administrator accounts, commonly using names such as admin$ or mysql$, to maintain long-term access. Cobalt Strike beacons are then deployed through DLL sideloading with inetinfo.exe, using a multi-stage loader that ends with a custom reflective loader. To disguise command-and-control traffic, the group relies on SoftEther VPN, EasyTier decentralized VPN, and Fast Reverse Proxy (FRP).
The group installs BadIIS malware on compromised servers, using it for proxying traffic, injecting malicious content, and conducting SEO fraud. In proxy mode, the malware relays traffic to secondary command-and-control servers. In injector mode, it modifies web responses from Google search traffic to insert malicious JavaScript that redirects users to gambling and advertising sites. In SEO fraud mode, it serves keyword-rich pages to search engine crawlers, manipulating search rankings for gambling-related terms.
In parallel, UAT-8099 carries out large-scale data theft. Using RDP, the attackers search for sensitive files such as logs, credentials, configuration data, and certificates with the Everything file search tool. They review the data locally, bundle it into hidden directories, compress it with WinRAR, and exfiltrate it for resale or further abuse.
Immediately review and harden all IIS server file upload settings to restrict allowed file types and prevent unauthorized uploads of executable scripts and web shells.
Configure IIS to prevent execution of uploaded scripts or files by adding a StaticFile handler to upload folders, effectively blocking web shell execution.
Regularly audit user accounts for unauthorized or hidden administrator accounts such as "admin$" or "mysql$" that may indicate compromise and persistence by UAT-8099.
Disable Remote Desktop Protocol access from external networks or implement strict network segmentation and multi-factor authentication for remote administrative access.
Conduct regular scans of IIS servers for unauthorized web shells, BadIIS modules, and anomalous files using threat intelligence feeds containing indicators of compromise specific to this campaign.
Monitor for unauthorized certificate issuance or usage, as threat actors specifically target and exfiltrate certificate data for potential resale or impersonation attacks.
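As an added example, not taken from the original report, the following web.config implements the StaticFile-only handler mapping from the recommendation above. It is dropped into the upload directory itself; the folder location and the allow-listed extensions are assumptions to be adjusted to the application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: <site root>\uploads\web.config (example, not the page's own config).
     Every request under this folder is served by the static-file handler only, so an
     uploaded .aspx/.asp/.ashx web shell is returned as raw bytes, never executed. -->
<configuration>
  <system.webServer>
    <handlers>
      <!-- Drop every inherited handler (ASP.NET, ISAPI, CGI, ...) for this folder. -->
      <clear />
      <!-- Re-add only the static file handler. requireAccess="Read" means the folder
           never needs (and never uses) Script or Execute access. -->
      <add name="StaticFile" path="*" verb="GET,HEAD" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- Serve only an allow-list of expected upload types; anything else
             (including .aspx, .asp, .ashx, .config) gets 404. The list is an assumption. -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".jpg" allowed="true" />
          <add fileExtension=".png" allowed="true" />
          <add fileExtension=".pdf" allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <!-- Do not enumerate whatever was uploaded. -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

An attacker who can write into the upload folder could also overwrite this file, so deny the application pool identity write access to it, or place the same handlers block in applicationHost.config under a location element for the upload path, which only an administrator can edit.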
ATT&CK tactics observed: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Command and Control, Impact
Malicious Domains: 40+ domains
SHA256 Hashes: 70+ unique malware samples
URLs: Multiple command-and-control callback URLs and malicious script hosting locations