EXECUTIVE SUMMARY:
Operation Rewrite is a large-scale malicious campaign leveraging SEO poisoning techniques to manipulate search engine results and redirect unsuspecting users to harmful destinations. The campaign primarily relies on the deployment of malicious IIS modules, dubbed BadIIS, along with variants implemented as ASP.NET handlers and PHP scripts. These tools enable attackers to dynamically alter server responses based on the visitor type, presenting tailored content to search engine crawlers while delivering redirect instructions to real users. By compromising legitimate websites and embedding this malicious functionality, the actors behind Operation Rewrite ensure that manipulated pages gain high visibility in search rankings, particularly for trending or high-traffic keywords. This allows the attackers to cast a wide net of potential victims who land on poisoned search results. The breadth of infrastructure involved, coupled with the variety of technical methods observed, highlights the sophistication of this campaign, which blends web server exploitation, malware deployment, and social engineering through poisoned search visibility.
At the core of Operation Rewrite’s effectiveness is its technical sophistication in manipulating traffic flow. The BadIIS modules, once installed on compromised servers, identify and distinguish between automated crawlers and human visitors. When a search engine bot accesses the page, the module dynamically injects keyword-stuffed content designed to elevate the ranking of the compromised site for specific queries. However, when a legitimate user clicks on the poisoned search result, the same module seamlessly redirects them to malicious or fraudulent websites, including fake surveys, technical support scams, and other monetization schemes. Researchers observed multiple variants, including ASP.NET and PHP implementations, indicating the attackers’ adaptability to diverse hosting environments. The malware also demonstrates stealth by hiding its operations within legitimate server processes and avoiding easy detection. Command-and-control communication provides attackers with the ability to update redirection rules, rotate infrastructure, and evade takedowns.
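The visitor-dependent behaviour described above leaves a detectable signature in web server logs: crawler user-agents receive 200 content while humans arriving from a search engine are redirected. The following script is an added illustration, not code from the original report; it applies that check to constructed, simplified IIS-style log lines. The field layout, the crawler and search-referer patterns, and the sample entries are all assumptions.

```python
import re
from collections import defaultdict

# Assumed patterns: crawler user-agents and search-engine referers (extend as needed).
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)
SEARCH_REFERER_RE = re.compile(r"^https?://(www\.)?(google|bing|baidu|yandex|duckduckgo)\.", re.I)

# Constructed sample log (not from a real incident). Simplified W3C layout assumed:
# date time cs-method cs-uri-stem sc-status cs(User-Agent) cs(Referer); '+' encodes spaces.
SAMPLE_LOG = """\
2025-01-01 10:00:01 GET /news/trending.aspx 200 Mozilla/5.0+(compatible;+Googlebot/2.1) -
2025-01-01 10:00:05 GET /news/trending.aspx 302 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/
2025-01-01 10:00:09 GET /news/trending.aspx 302 Mozilla/5.0+(Macintosh)+Safari/605.1 https://www.bing.com/
2025-01-01 10:01:00 GET /about.aspx 200 Mozilla/5.0+(compatible;+bingbot/2.0) -
2025-01-01 10:01:03 GET /about.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 -
2025-01-01 10:02:00 GET /contact.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/
"""

def parse_line(line):
    """Split one simplified log line into a dict; return None for malformed lines."""
    parts = line.split(" ")
    if len(parts) != 7:
        return None
    _date, _time, _method, uri, status, ua, referer = parts
    return {"uri": uri, "status": int(status), "ua": ua.replace("+", " "), "referer": referer}

def visitor_class(entry):
    """Classify a request the way a cloaking module would: crawler, search visitor, or direct."""
    if CRAWLER_RE.search(entry["ua"]):
        return "crawler"
    if SEARCH_REFERER_RE.match(entry["referer"]):
        return "search_visitor"
    return "direct_visitor"

def find_cloaked_paths(log_text):
    """Return {uri: {visitor_class: sorted statuses}} for paths where every crawler hit
    got a 2xx body but at least one visitor coming from a search engine was redirected."""
    by_path = defaultdict(lambda: defaultdict(set))
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        if entry is None:
            continue
        by_path[entry["uri"]][visitor_class(entry)].add(entry["status"])
    flagged = {}
    for uri, classes in by_path.items():
        crawler_ok = bool(classes.get("crawler")) and all(200 <= s < 300 for s in classes["crawler"])
        search_redirected = any(300 <= s < 400 for s in classes.get("search_visitor", ()))
        if crawler_ok and search_redirected:
            flagged[uri] = {k: sorted(v) for k, v in classes.items()}
    return flagged

if __name__ == "__main__":
    for uri, detail in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"possible cloaking on {uri}: {detail}")
```

A hit is a lead for inspecting the site's IIS modules, handlers and PHP files rather than proof of compromise, since legitimate geo or device redirects can produce a similar split.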
Operation Rewrite demonstrates the evolving nature of web-based threats, where attackers combine SEO manipulation, server-side malware, and social engineering into a cohesive campaign. By compromising legitimate sites and tailoring content delivery to the visitor, the attackers sidestep the skepticism users normally apply to suspicious links, since poisoned results originate from trusted domains. The campaign’s reliance on multiple malware variants and its ability to adapt to different hosting platforms further underscore its persistence and resilience. For organizations, this highlights the importance of server hardening, regular integrity monitoring of web server components, and anomaly detection within web environments. For end users, the threat illustrates the growing risk of trusting search engine results blindly, even when they point to seemingly reputable websites. Ultimately, Operation Rewrite serves as a reminder that attackers continuously innovate at the intersection of visibility and trust, turning the very mechanisms designed to guide users toward relevant content into a funnel for fraud and malicious activity. Countering such campaigns requires combined vigilance across hosting providers, search engines, and security defenders.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | – |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1505.004 | Server Software Component | IIS Components |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Defense Evasion | T1036 | Masquerading | – |
| Discovery | T1082 | System Information Discovery | – |
| Collection | T1114.002 | Email Collection | Remote Email Collection |
| Command & Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Impact | T1491.002 | Defacement | External Defacement |
| Impact | T1565.001 | Data Manipulation | Stored Data Manipulation |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Collection | F0002 | Keylogging |
| Collection | E1113 | Screen Capture |
REFERENCES:
The following reports contain further technical details: