
"Cybersecurity researchers have shed light on a Chinese-speaking cybercrime group codenamed UAT-8099 that has been attributed to search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data. The attacks are designed to target Microsoft Internet Information Services (IIS) servers, with most of the infections reported in India, Thailand, Vietnam, Canada, and Brazil, spanning universities, tech firms, and telecom providers. The group was first discovered in April 2025. The targets are primarily mobile users, encompassing both Android and Apple iPhone devices."
"Once a vulnerable IIS server is found - either via a security vulnerability or weak settings in the web server's file upload feature - the threat actor uses the foothold to upload web shells to conduct reconnaissance and gather basic system information. The financially motivated hacking group subsequently enables the guest account to escalate their privileges, all the way to the administrator, and uses it to enable Remote Desktop Protocol (RDP)."
UAT-8099 is a Chinese-speaking cybercrime group linked to SEO fraud and theft of high-value credentials, configuration files, and certificate data. The group compromises Microsoft Internet Information Services (IIS) servers, with infections concentrated in India, Thailand, Vietnam, Canada, and Brazil across universities, tech firms, and telecom providers; the SEO fraud itself primarily targets mobile users on Android and iPhone devices. Initial access comes from exploiting a server vulnerability or weak file upload settings to deploy web shells for reconnaissance. Operators then escalate privileges by enabling the built-in guest account, elevating it to administrator, and using it to enable RDP, after which they maintain persistence and block other actors using automation, Cobalt Strike, and BadIIS tools.
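The privilege-escalation chain described above (guest account enabled, guest added to the local Administrators group, RDP switched on) leaves a recognisable trail in the Windows Security log. The following detector is an added example written for this summary; it is not code from The Hacker News article or from the researchers who reported UAT-8099. It correlates three real Windows Security event IDs (4722 user account enabled, 4732 member added to a security-enabled local group, 4657 registry value modified) per host inside a time window. The sample events are constructed, the field names are simplified from the real event schema, and the RDP stage assumes object-access auditing is configured on the Terminal Server registry key so that clearing `fDenyTSConnections` produces a 4657 event.

```python
"""Correlate Windows Security events for a guest-enable -> admin-add -> RDP-enable chain.

Added example for the UAT-8099 summary; sample events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled loosely on Windows Security log fields.
SAMPLE_EVENTS = [
    # Stage 1: the built-in Guest account is enabled (4722 = user account enabled),
    # performed from the IIS application pool identity, i.e. from the web shell.
    {"time": "2025-04-10T02:11:05", "event_id": 4722, "host": "IIS-WEB01",
     "target": "Guest", "subject": r"IIS APPPOOL\DefaultAppPool"},
    # Stage 2: Guest is added to the local Administrators group (4732).
    {"time": "2025-04-10T02:12:40", "event_id": 4732, "host": "IIS-WEB01",
     "member": "Guest", "group": "Administrators", "subject": r"IIS APPPOOL\DefaultAppPool"},
    # Stage 3: RDP turned on by setting fDenyTSConnections to 0 (4657 = registry value
    # modified; assumes object-access auditing is enabled on that key).
    {"time": "2025-04-10T02:15:02", "event_id": 4657, "host": "IIS-WEB01",
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "new_value": "0"},
    # Benign noise on another host: an admin adds a service account to a different group.
    {"time": "2025-04-01T09:00:00", "event_id": 4732, "host": "FILE-SRV02",
     "member": "svc_backup", "group": "Backup Operators", "subject": r"CORP\jdoe"},
]

RDP_DENY_KEY = r"Terminal Server\fDenyTSConnections"


def stage_of(event):
    """Map one event to a chain stage name, or None if it is not part of the chain."""
    eid = event["event_id"]
    if eid == 4722 and event.get("target", "").lower() == "guest":
        return "guest_enabled"
    if (eid == 4732 and event.get("member", "").lower() == "guest"
            and event.get("group", "").lower() == "administrators"):
        return "guest_to_admins"
    if (eid == 4657 and event.get("object", "").endswith(RDP_DENY_KEY)
            and event.get("new_value") == "0"):
        return "rdp_enabled"
    return None


def find_chains(events, window=timedelta(hours=24)):
    """Return one finding per host where at least two distinct chain stages occur
    within `window` of the first stage seen on that host. Stages are listed in time
    order so an analyst can see how far the chain progressed."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    findings = []
    for host, hits in by_host.items():
        first_time = hits[0][0]
        in_window = [s for t, s in hits if t - first_time <= window]
        if len(set(in_window)) >= 2:
            findings.append({"host": host, "stages": in_window,
                             "first_seen": first_time.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(f"{finding['host']}: {' -> '.join(finding['stages'])} (from {finding['first_seen']})")
```

Any single stage on its own is worth a low-severity alert; the value of correlating is that a web-server host showing two or more stages in one day, with the first actions performed by the IIS application pool identity, is a strong signal of exactly the post-web-shell sequence the article describes. The same check can be run retrospectively over exported logs to scope how many IIS hosts were affected.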
Read at The Hacker News