China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware
"'UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers,' security researcher Joey Chen said in a Thursday breakdown of the campaign. UAT-8099 was first documented by the cybersecurity company in October 2025, detailing the threat actor's exploitation of IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimization (SEO) fraud. The attacks involve infecting the servers with a known malware referred to as BadIIS."
"'While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly,' Talos explained. 'First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence.'"
Between late 2025 and early 2026, a campaign attributed to UAT-8099 targeted vulnerable Internet Information Services (IIS) servers across Asia, concentrated in Thailand and Vietnam. The actor used web shells and PowerShell to execute scripts and deployed the GotoHTTP tool to obtain remote access, again infecting the servers with BadIIS. Cisco Talos first documented the group in October 2025, when it exploited IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimization (SEO) fraud. The cluster is assessed as China-linked and overlaps with the WEBJACK campaign in tooling, command-and-control infrastructure, and victimology. Compared with that earlier activity, the actor now relies more heavily on red-team utilities and legitimate tools such as SoftEther VPN and EasyTier to evade detection and maintain long-term persistence.
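The report names concrete artefacts a defender can look for on an IIS host: web shells under the site roots, the GotoHTTP remote-access tool, and the SoftEther VPN and EasyTier tunnelling tools. The following PowerShell is an added triage script written for this page; it is not code from The Hacker News, Talos, or the article. It assumes the WebAdministration module is available (any IIS host with the management tools) and that the tools can be spotted by name fragments in process and service names or paths (gotohttp, softether, vpnserver, vpnbridge, easytier); those fragments are assumptions, as is the heuristic that a native IIS module not validly signed by Microsoft deserves review. The 30-day lookback for recently written script files is likewise an arbitrary choice.

```powershell
# Added IIS triage script (not from the article or from Talos). Run elevated on the IIS host.
# ASSUMPTIONS (not stated on the page): the name fragments below identify GotoHTTP,
# SoftEther VPN and EasyTier binaries/services; real file names may differ, so treat hits
# as leads, not verdicts. Non-Microsoft-signed native modules are a review heuristic only.
Import-Module WebAdministration -ErrorAction Stop

$toolPatterns = 'gotohttp|softether|vpnserver|vpnbridge|easytier'   # assumed name fragments
$lookback     = (Get-Date).AddDays(-30)                              # arbitrary window

Write-Host "== 1. Processes and services matching the remote-access/tunnelling tools =="
Get-Process | Where-Object {
    $_.Name -match $toolPatterns -or ($_.Path -and $_.Path -match $toolPatterns)
} | Select-Object Id, Name, Path | Format-Table -AutoSize -Wrap

Get-CimInstance Win32_Service | Where-Object {
    $_.Name -match $toolPatterns -or $_.PathName -match $toolPatterns
} | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap

Write-Host "== 2. IIS native modules whose image is missing, unsigned, or not signed by Microsoft =="
Get-WebGlobalModule | ForEach-Object {
    # Image paths are often stored with %windir%-style variables; expand before checking.
    $image  = [Environment]::ExpandEnvironmentVariables($_.Image)
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    [pscustomobject]@{
        Module    = $_.Name
        Image     = $image
        Exists    = $exists
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Where-Object {
    -not $_.Exists -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
} | Format-Table -AutoSize -Wrap

Write-Host "== 3. Script files written under IIS site roots in the lookback window (web shell candidates) =="
Get-Website | ForEach-Object {
    $site = $_.Name
    $root = [Environment]::ExpandEnvironmentVariables($_.PhysicalPath)
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx,*.ashx,*.asmx,*.asp,*.php -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $lookback } |
            Select-Object @{ n = 'Site'; e = { $site } }, FullName, LastWriteTime, Length
    }
} | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize -Wrap
```

Section 2 is the part worth automating across a fleet: a legitimate IIS module set on a given server changes rarely, so diffing this output against a known-good baseline turns the signature heuristic into a real change-detection check. Section 3 will also surface legitimate deployments, so compare the hits against your release history before escalating.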
Read at The Hacker News