UAT-8099 alert against IIS: the campaign that combines intrusion with legitimate tools to take control of servers and manipulate SEO


Security researchers have detected a new wave of intrusions directed at Microsoft Internet Information Services (IIS) servers that, according to Cisco Talos's tracking, was active between late 2025 and early 2026. The actor behind these operations, labelled UAT-8099 and with alleged connections to China, has concentrated its efforts in Asia, with a notable presence in Thailand and Vietnam, although evidence also points to activity in India, Pakistan and Japan. It is a campaign that combines traditional access techniques with legitimate tools and red-team utilities to extend persistence and avoid detection. For a detailed technical analysis, see the Cisco Talos report on its official blog: blog.talosintelligence.com.

The main tactic is to compromise IIS by taking advantage of security flaws or weak configurations in mechanisms such as file upload. Once inside, the attackers perform reconnaissance to map the system and deploy a set of tools that allow them both to control the server and to hide their activity. The observed utilities include web shells, PowerShell commands, VPNs such as SoftEther and remote access tools such as GotoHTTP, which is launched by a Visual Basic script downloaded via PowerShell after the web shell is installed. The use of legitimate components and pentesting utilities makes it difficult to distinguish administrative activity from malicious activity.
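The upload-then-web-shell sequence described above leaves a recognisable trail in the IIS access log: a POST to an upload handler, followed shortly by requests from the same client for a script-extension file under a path that should only ever serve uploaded content. The script below is an added example (not code from the Talos report or from this article) that parses IIS W3C extended logs and surfaces that pattern. It assumes the default IIS W3C field layout, an upload handler under `/upload/` and uploaded content served from `/uploads/`; the log lines embedded in it are constructed sample data.

```python
"""Added example: scan IIS W3C extended logs for the upload-then-web-shell pattern.

Not from the Talos report or the article. Assumptions: the default IIS W3C field
layout, an upload handler under /upload/ and uploaded content served from /uploads/.
SAMPLE_LOG below is constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Extensions IIS hands to a script engine; one of these under an upload-only
# path is the classic footprint of a web shell.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php")

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-01-12 03:14:07 10.0.0.5 GET /default.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 31
2026-01-12 03:15:00 10.0.0.5 POST /upload/handler.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 88
2026-01-12 03:15:04 10.0.0.5 GET /uploads/img01.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2026-01-12 03:16:30 10.0.0.5 GET /uploads/photo.jpg - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 4
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C log text into dicts keyed by the names in the #Fields directive."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive defines the column order
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(" ")           # IIS writes spaces inside a field as '+'
        if len(values) != len(fields):
            continue                       # skip a malformed line rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def _timestamp(record: dict[str, str]) -> datetime:
    return datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")


def find_upload_webshell_indicators(
    records: list[dict[str, str]],
    upload_handlers: tuple[str, ...] = ("/upload/",),   # assumed: where files are POSTed
    upload_paths: tuple[str, ...] = ("/uploads/",),     # assumed: where uploads are served from
    window_seconds: int = 600,
) -> list[dict[str, object]]:
    """Flag requests for script files under upload paths and record whether the same
    client POSTed to an upload handler within window_seconds beforehand."""
    posts_by_client: dict[str, list[datetime]] = defaultdict(list)
    for r in records:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower().startswith(upload_handlers):
            posts_by_client[r["c-ip"]].append(_timestamp(r))

    findings: list[dict[str, object]] = []
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if stem.startswith(upload_paths) and stem.endswith(SCRIPT_EXTENSIONS):
            when = _timestamp(r)
            preceded = any(
                0 <= (when - posted).total_seconds() <= window_seconds
                for posted in posts_by_client.get(r["c-ip"], [])
            )
            findings.append({
                "time": r["date"] + " " + r["time"],
                "client": r["c-ip"],
                "uri": r["cs-uri-stem"],
                "status": r["sc-status"],
                "preceded_by_upload_post": preceded,
            })
    return findings


def scan(text: str) -> list[dict[str, object]]:
    """Convenience wrapper: parse a log and return the web shell indicators found."""
    return find_upload_webshell_indicators(parse_w3c(text))


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit from `scan` deserves a look at the file on disk regardless of the `preceded_by_upload_post` flag; the correlation only raises the priority, since the upload may have happened outside the window or through another host of the same site.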


To strengthen control, hidden accounts are created on the servers, using names chosen to pass unnoticed, for example "admin$" and, if that name is blocked by security solutions, another called "myshql$"; multiple additional accounts have been detected for the same purpose. The actor also drops tools designed to remove or manipulate security logs and processes, such as variants of utilities for clearing Windows event logs and for encrypting and hiding files, and an open-source anti-rootkit tool used to disable protection products. With these components, in addition to the malware known as BadIIS, UAT-8099 pursues a clear goal: to exploit the web infrastructure for SEO fraud operations and prolonged remote control.

BadIIS is not unique or static: Cisco Talos has documented new variants adapted to specific regions. One is aimed mainly at victims in Vietnam, while another is designed for targets in Thailand or for responses to users whose language preference is Thai. This illustrates an additional sophistication in the offensive: the malware differentiates between visitors that are search engines (crawlers) and real users. When it detects that the request comes from a search engine, it redirects the crawler to pages intended to manipulate rankings; if the request belongs to a user whose language preference is Thai, it injects a malicious script that causes redirections in the response. On the Accept-Language header and why it matters in this context, see the technical documentation on MDN: developer.mozilla.org.

The BadIIS family includes different modes of operation to maintain effectiveness and discretion. Some variants avoid processing paths that contain problematic extensions, so as not to overload the server or generate errors that attract attention; others incorporate systems to generate dynamic HTML content from templates, filling placeholders with random data or values derived from the URL; and there are versions that only target dynamic pages relevant to SEO, such as index.php or default.aspx, since those are the places where injecting links and scripts is most cost-effective for manipulating search results. With this segmentation, the attackers maximise the impact on search engines and minimise the footprint their code leaves in the server's logs.
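Because the implant answers crawlers and Thai-speaking users differently from everyone else, an administrator can check a page on a server they manage by requesting it under several client identities and diffing the answers: a crawler profile that gets a redirect off-site, or a Thai-language profile that receives a script block the baseline client never sees, is exactly the behaviour the two paragraphs above describe. The code below is an added example, not code from the Talos report or this article; `SAMPLE_RESPONSES` is constructed data, the `.example` hostnames in it are placeholders, and the User-Agent strings are assumptions about what a crawler and a browser send.

```python
"""Added example: request a page you administer under several client identities and
diff what comes back, the way the article says BadIIS treats crawlers and Thai-speaking
users differently. Not from the Talos report or the article; SAMPLE_RESPONSES is
constructed data and the .example hostnames are placeholders.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Client identities the implant is described as telling apart: a search-engine crawler
# versus a real user, with Accept-Language singling out Thai-speaking visitors.
PROFILES: dict[str, dict[str, str]] = {
    "baseline": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
                 "Accept-Language": "en-US,en;q=0.9"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                  "Accept-Language": "en-US"},
    "thai_user": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
                  "Accept-Language": "th-TH,th;q=0.9"},
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

Response = tuple[int, dict[str, str], str]   # (status, headers, body)

# Constructed sample: what a cloaking implant might return for each profile.
SAMPLE_RESPONSES: dict[str, Response] = {
    "baseline": (200, {"Content-Type": "text/html"},
                 '<html><body><h1>Shop</h1><script src="/js/app.js"></script></body></html>'),
    "googlebot": (302, {"Location": "http://seo-landing.example/page"}, ""),
    "thai_user": (200, {"Content-Type": "text/html"},
                  '<html><body><h1>Shop</h1><script src="/js/app.js"></script>'
                  "<script>window.location='http://redirector.example/th';</script></body></html>"),
}


def _header(headers: dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def redirects_offsite(resp: Response, site_host: str) -> bool:
    """True when a 3xx answer points at a host other than the site itself."""
    status, headers, _ = resp
    if not 300 <= status < 400:
        return False
    target = urlparse(_header(headers, "Location")).hostname
    return target is not None and target.lower() != site_host.lower()


def scripts_not_in_baseline(baseline_body: str, body: str) -> list[str]:
    """Script blocks present in this variant but absent from the baseline page."""
    known = set(SCRIPT_RE.findall(baseline_body))
    return [s for s in SCRIPT_RE.findall(body) if s not in known]


def compare_variants(responses: dict[str, Response], site_host: str) -> list[str]:
    """Report every non-baseline profile that is sent off-site or receives extra scripts."""
    _, _, baseline_body = responses["baseline"]
    findings: list[str] = []
    for name, resp in responses.items():
        if name == "baseline":
            continue
        if redirects_offsite(resp, site_host):
            findings.append(f"{name}: redirected off-site to {_header(resp[1], 'Location')}")
        extra = scripts_not_in_baseline(baseline_body, resp[2])
        if extra:
            findings.append(f"{name}: {len(extra)} script block(s) not served to the baseline client")
    return findings


def fetch_variants(url: str, timeout: float = 10.0) -> dict[str, Response]:
    """Fetch url once per profile without following redirects, so Location stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None          # decline the redirect; urllib then raises HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    out: dict[str, Response] = {}
    for name, hdrs in PROFILES.items():
        req = urllib.request.Request(url, headers=hdrs)
        try:
            with opener.open(req, timeout=timeout) as r:
                out[name] = (r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            out[name] = (e.code, dict(e.headers), e.read().decode("utf-8", "replace"))
    return out


if __name__ == "__main__":
    # Offline run on constructed data. For a server you administer, replace SAMPLE_RESPONSES
    # with fetch_variants("https://your-site.example/default.aspx") and pass your own hostname.
    for line in compare_variants(SAMPLE_RESPONSES, "www.example.com"):
        print(line)
```

Run it against the SEO-relevant pages the article names (`default.aspx`, `index.php`) rather than the whole site, and treat a clean result with caution: the article notes some variants only act on specific paths, so a page that answers all three profiles identically says nothing about the others.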

In addition to the Windows variant, there are signs that UAT-8099 is developing and tuning an edition for Linux. An ELF binary uploaded to VirusTotal in October 2025 contained modules that replicate the proxy and injection behaviour, and this version restricts its focus to specific search-engine crawlers: Google, Microsoft Bing and Yahoo. VirusTotal and other intelligence tools help to chart the activity and compare command-and-control infrastructure; for those who want to explore these tools, the VirusTotal blog offers useful resources: blog.virustotal.com.

This actor also does not operate in complete isolation: there are overlaps in tools, infrastructure and objectives with another campaign called WEBJACK, analysed months ago by the firm WithSecure. Although each research team uses its own labels, the overlaps suggest shared tactics and tooling, or tooling reused across separate campaigns. Details of this comparison can be found on research channels and security blogs, including the WithSecure analysis page: withsecure.com.


For administrators and website managers, the lesson is clear: these attacks show that modern threats mix technical exploitation with engineering to monetise access. Effective prevention requires not only applying patches and hardening IIS, but also monitoring for anomalies in user accounts, outgoing traffic and the presence of unusual files and processes. Microsoft maintains documentation and security guides on IIS that serve as a starting point for mitigating the attack vectors in use: learn.microsoft.com. In addition, measures such as restricting file upload functionality, validating and sanitising inputs, limiting privileges, segmenting the network and deploying web shell detection and PowerShell telemetry can reduce the attack surface.

At a broader level, the campaign reflects a trend that analysts had been watching: the recycling of public tools and legitimate utilities for criminal purposes, making it harder to distinguish administration from abuse. It also highlights the criminal economy online: manipulating search results and redirecting traffic can become a sustained source of income for attackers without direct extortion. Understanding that economy is key to designing defences that not only close technical vulnerabilities but also make it difficult to monetise access once an intrusion has already occurred.

Those who manage web platforms should stay informed through the publications of incident response teams and intelligence providers. The Cisco Talos technical summary on UAT-8099 is a good starting point for understanding the evolution of the campaign and the indicators to watch for: read Talos' report. Maintaining sound maintenance practices, reviewing logs frequently and keeping incident response capabilities up to date are measures that can make a difference against this type of threat.
