Chinese Cybercrime Group Runs Global SEO Scam

Chinese Cybercrime Group Runs New Wave Attacks

Cybersecurity experts recently exposed a Chinese-speaking cybercrime group called UAT-8099. The group engages in large-scale SEO fraud and data theft targeting Microsoft IIS servers. Most attacks have been reported in India, Thailand, Vietnam, Canada, and Brazil. The hackers mainly focus on universities, telecom firms, and technology companies.

UAT-8099 was first discovered in April 2025, and the group mainly targets mobile users on both Android and iPhone devices.

How the Attack Works

According to researchers, UAT-8099 manipulates search rankings by exploiting high-value IIS servers. They use web shells, open-source tools, and BadIIS malware to gain control.

The hackers automate their attacks to evade security systems and hide their activity. Once a weak IIS server is found, they upload malicious files to gather system information and user data. Then, they escalate privileges to full administrator access and enable Remote Desktop Protocol (RDP) for deeper control.

Maintaining Access and Avoiding Detection

The group also blocks other hackers from entering compromised servers. They deploy Cobalt Strike, a commercial adversary-simulation framework that is widely abused as a backdoor, to maintain access.

To stay connected, UAT-8099 combines RDP with tunnelling tools such as SoftEther VPN and FRP (fast reverse proxy). This setup helps them remain unnoticed for long periods.

The attack ends with the installation of BadIIS malware, which is also used by other cybercrime groups. This variant of BadIIS has been modified so that it evades antivirus detection.

Purpose Behind the Attacks

BadIIS operates in three main modes: proxy, injector, and SEO fraud. In proxy mode, it retrieves hidden commands from remote servers. In injector mode, it alters the pages served to visitors who arrive from Google search results so that they are redirected to fake ads or illegal sites.

Finally, in SEO fraud mode, it manipulates search rankings by creating artificial backlinks. These backlinks make certain websites appear more trustworthy to search engines. However, experts warn that this technique can trigger Google penalties if the backlinks are low-quality or spammy.
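The injector and SEO fraud behaviour described above leaves a characteristic trace in IIS logs: the same URL answers differently depending on whether the visitor came from a search engine, is a search-engine crawler, or arrived directly. The script below is an added example written for this article (it is not UAT-8099 tooling, nor part of the original research); it parses constructed IIS W3C extended log lines and flags two signals, a URL that redirects search visitors while serving 200 to everyone else, and a URL that exists only for crawlers. The log excerpt, the referrer and crawler patterns, and the status-class logic are all assumptions made for the example.

```python
"""Flag cloaking-style behaviour in IIS W3C extended logs.

Added example, not code from the article or from any vendor.
The log excerpt below is constructed; field order comes from the #Fields line.
"""
import re
from collections import defaultdict

# Constructed sample: one cloaked page, one crawler-only page, one clean page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-04-02 10:00:01 10.0.0.5 GET /research/index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 302 0 0 12
2025-04-02 10:00:02 10.0.0.5 GET /research/index.html - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2025-04-02 10:00:03 10.0.0.5 GET /research/index.html - 443 - 198.51.100.10 Mozilla/5.0+(Macintosh) https://www.example.edu/ 200 0 0 38
2025-04-02 10:00:04 10.0.0.5 GET /casino-bonus/ - 443 - 192.0.2.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 0 0 25
2025-04-02 10:00:05 10.0.0.5 GET /casino-bonus/ - 443 - 198.51.100.11 Mozilla/5.0+(Windows+NT+10.0) - 404 0 2 5
2025-04-02 10:00:06 10.0.0.5 GET /about.html - 443 - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 200 0 0 20
2025-04-02 10:00:07 10.0.0.5 GET /about.html - 443 - 198.51.100.12 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 19
"""

# Assumed patterns for "came from a search engine" and "is a search-engine crawler".
SEARCH_REFERER = re.compile(r"https?://(www\.)?(google|bing|baidu|yahoo|duckduckgo)\.", re.I)
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider", re.I)


def parse_iis_log(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines we cannot map onto the declared fields
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Bucket a request as crawler, search_visitor or direct."""
    if CRAWLER_UA.search(row.get("cs(User-Agent)", "-")):
        return "crawler"
    if SEARCH_REFERER.search(row.get("cs(Referer)", "-")):
        return "search_visitor"
    return "direct"


def find_cloaking(rows):
    """Return sorted (uri-stem, reason) pairs for URLs whose response depends on who asks."""
    # stem -> visitor class -> set of status classes seen ('2', '3', '4', ...)
    by_stem = defaultdict(lambda: defaultdict(set))
    for r in rows:
        by_stem[r["cs-uri-stem"]][classify(r)].add(r["sc-status"][0])

    findings = []
    for stem, classes in by_stem.items():
        direct = classes.get("direct", set())
        search = classes.get("search_visitor", set())
        crawler = classes.get("crawler", set())
        # Injector-style: search visitors get a redirect, direct visitors get the real page.
        if "3" in search and "2" in direct and "3" not in direct:
            findings.append((stem, "search visitors redirected, direct visitors served 200"))
        # SEO-fraud-style: page is served to crawlers only; humans get 4xx.
        if "2" in crawler and direct and direct <= {"4"}:
            findings.append((stem, "page exists only for crawlers (direct visitors get 4xx)"))
    return sorted(findings)


if __name__ == "__main__":
    for stem, reason in find_cloaking(parse_iis_log(SAMPLE_LOG)):
        print(f"{stem}: {reason}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; on a busy site the two status-class checks are deliberately strict (any 3xx for direct visitors suppresses the first finding), so a legitimate site-wide redirect does not produce noise.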

Global Impact and Risks

The full scale of the attack remains unclear. However, experts believe hundreds of IIS servers may already be compromised. These attacks threaten not only business reputation but also user data privacy and search engine integrity.

Therefore, organizations must strengthen their cybersecurity posture immediately.

How to Prevent SEO Fraud Attacks

Businesses can protect themselves by regularly patching IIS servers, using strong authentication, and monitoring web activity for unusual patterns.

Advanced cybersecurity services can also help detect SEO manipulation and unauthorized access early. Using automated threat detection and real-time security monitoring tools can significantly reduce risk and ensure long-term protection.
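One concrete check behind "monitoring for unusual patterns" is auditing which native modules IIS loads: BadIIS-family malware is installed as a native IIS module registered in applicationHost.config, so a module whose DLL lives outside the normal IIS directories is worth a look. The script below is an added example, not the article's or any vendor's code; the applicationHost.config excerpt is constructed, and the trusted directory list and the assumption that `%windir%` expands to `C:\Windows` are choices made for the example.

```python
"""Audit <globalModules> in an IIS applicationHost.config for modules loaded
from unexpected locations.

Added example; the config excerpt is constructed for illustration.
"""
import ntpath
import xml.etree.ElementTree as ET

# Constructed excerpt: two stock IIS modules and one registered from a temp directory.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="IISCacheHelper" image="C:\Windows\Temp\iiscache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories from which genuine IIS / ASP.NET native modules are normally loaded (assumed baseline).
TRUSTED_DIRS = (
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net",
)


def expand_windir(path, windir=r"C:\Windows"):
    """Expand the environment references IIS uses in image paths (assumed %windir% value)."""
    return path.replace("%windir%", windir).replace("%SystemRoot%", windir)


def audit_global_modules(config_xml):
    """Return (module name, image path) for every global module outside TRUSTED_DIRS."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "?")
            image = add.get("image", "")
            # ntpath normalises Windows-style paths regardless of the host OS
            normalised = ntpath.normpath(expand_windir(image)).lower()
            if not normalised.startswith(TRUSTED_DIRS):
                findings.append((name, image))
    return sorted(findings)


if __name__ == "__main__":
    for name, image in audit_global_modules(SAMPLE_CONFIG):
        print(f"untrusted native module: {name} -> {image}")
```

On a real server point this at `%windir%\System32\inetsrv\config\applicationHost.config` and compare the output with a known-good baseline of the modules you expect; a hit is a reason to inspect the DLL, not proof of compromise, since third-party products also register native modules from their own install directories.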

Sleep well, we got you covered.
