A new wave of targeted attacks has emerged against Internet Information Services (IIS) servers across Asia, with threat actors deploying sophisticated malware designed to compromise vulnerable systems. <\/p>\n
The campaign, active from late 2025 through early 2026, focuses primarily on victims in Thailand and Vietnam, marking a strategic shift toward region-specific operations. <\/p>\n
The attackers exploit unpatched IIS servers to inject malicious web shells, execute PowerShell scripts, and deploy the BadIIS malware, which now includes hardcoded regional configurations tailored to specific countries.<\/p>\n
The threat campaign demonstrates operational overlap with the previously documented WEBJACK operation, sharing common indicators such as malware signatures, command and control infrastructure, and targeted victim profiles. <\/p>\n
Attackers leverage web shells as their initial foothold, allowing them to execute commands remotely on compromised servers. <\/p>\n
Following successful infiltration, they deploy PowerShell scripts<\/a> to download and execute the GotoHTTP remote access tool, granting persistent control over infected systems. <\/p>\n This multi-stage infection chain enables threat actors to maintain long-term access while avoiding detection through the use of legitimate administrative tools.<\/p>\n Cisco Talos analysts identified<\/a> the campaign after observing suspicious activity across multiple IIS deployments in South and Southeast Asia. <\/p>\n The researchers noted that BadIIS variants now embed country codes directly into their source code, creating specialized versions for Vietnam (identified by \u201cVN\u201d tags) and Thailand (marked with \u201cTH\u201d designations). <\/p>\n These customized variants include region-specific file extensions, dynamic page configurations, and localized HTML templates that facilitate search engine optimization fraud targeting specific language preferences.<\/p>\n The malware\u2019s evolution reflects a more targeted approach compared to earlier versions. Each BadIIS variant filters web traffic based on the \u201cAccept-Language\u201d header to verify the visitor\u2019s region before delivering malicious payloads. <\/p>\n When search engine crawlers visit infected sites, they are redirected to fraudulent gambling websites, while regular users receive injected JavaScript that silently redirects their browsers to malicious destinations.<\/p>\n After establishing initial access, the threat actors create hidden user accounts to maintain persistent control over compromised servers<\/a>. <\/p>\n The attackers initially used an account named \u201cadmin$\u201d but shifted to alternative names like \u201cmysql$,\u201d \u201cadmin1$,\u201d \u201cadmin2$,\u201d and \u201cpower$\u201d after security products began detecting the original naming pattern.<\/p>\n These accounts are assigned administrative privileges and used to deploy updated versions of BadIIS malware to specific regional directories such as \u201cC:\/Users\/mssql$\/Desktop\/VN\/\u201d for Vietnam-targeted operations and \u201cC:\/Users\/mssql$\/Desktop\/newth\/\u201d for Thailand-focused attacks. <\/p>\n The threat actors also deploy anti-forensic tools including Sharp4RemoveLog to erase Windows event logs<\/a>, CnCrypt Protect to hide malicious files, and OpenArk64 to terminate security processes at the kernel level, ensuring their operations remain undetected for extended periods.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post UAT-8099 Targets Vulnerable IIS Servers Using Web Shells, PowerShell, and Region-Customized BadIIS<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Content](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjQ_s6ELteYdfmObpTcAy9tUbpRxPeaWgTSny3x8SD3m4nk1OhxSikjB9n2OrEHKPC747HqAT8VHfzPM0WgVt1_6WM_nbgD5c4-TbMXFV34tB9Unmv6e_5u1ayhSNNHpmJ_rUxa_Uhf1xIN9LZKxfmgYzuFr-nkLfky3Z6S4Bo9BrHqkWccKHEiQExNnr4\/s16000\/Content%2520for%2520crawlers%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Persistence Mechanisms and Hidden Account Creation<\/strong><\/h2>\n
![\"BadIIS](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj4hbglsshxoOo4TXsvyvVZ5h9MeGNfVxAPAvMDHg5PqneNlKuh_g6ukSNF6qreKCGtnVq5-8sZpImV2Js-rrRoJqVQfLWIHLY8mUzAfU-jarVIzXKI0FZy5cQJd53FdOh3-ofG7WJnoD-9N39Jb0Ta017nEniGD5nm65wSQHgOry5lSgSybm9YBV8-AXc\/s16000\/BadIIS%2520IISHijack%2520version%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
![\"Extensions](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEivmJSCGjkClp4gkpbrT8UAobcHTV_MzFfJuwNnb3g1DlnHDT58hKVJgWa5nKyf8sJAXn9NiBo12QFg59iMvo6vFVAGvjEOpsvb3DOszmrn73cH3vpeAQkKe2HE9oB-gVGpjxuHDhfKlXl8NwiDgYrqm1pub4rjRFXxi9DiIr8yjqG8zrl5ltRmfpbqoUM\/s16000\/Extensions%2520list%2520for%2520filtering%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")