EXECUTIVE SUMMARY:
A cyber threat actor is actively targeting vulnerable Internet Information Services (IIS) servers across multiple regions in Asia, with concentration in Thailand and Vietnam. This campaign leverages remote access techniques and tailored malware to maintain persistence on compromised hosts, manipulate web traffic, and abuse search engine indexing for fraudulent purposes. The activity shows overlap with previous server-targeted fraud operations and highlights a calculated shift toward more region-specific exploitation.
The threat actor gains an initial foothold on IIS servers by deploying web shells and executing PowerShell scripts to establish remote access via tools such as GotoHTTP. Persistence is maintained through the creation of hidden user accounts, with the naming scheme changed whenever the initial account names are detected and blocked. The actor also employs a range of utilities, including event log cleaners, file-protection tools abused for DLL redirection, and anti-rootkit software, to both obscure its activity and disable security products. Multiple variants of customized BadIIS malware are installed; newer versions explicitly embed regional identifiers and tailored behaviors such as exclusive file extension handling, custom directory indexing, and HTML template loading to support search engine optimization (SEO) fraud. Additionally, a Linux (ELF) variant of BadIIS has been identified that exhibits proxy, injector, and SEO fraud modes, with hardcoded command-and-control endpoints consistent with prior samples.
This campaign represents a strategic evolution in web server exploitation, combining long-term persistence with regional customization and advanced traffic manipulation. The operators behind this activity are refining their techniques to evade detection, sustain access, and maximize fraudulent gains through SEO poisoning and redirection. Organizations running IIS servers, especially those with internet-facing assets in the identified regions, should review their security posture, disable unrestricted file upload features, enforce strong access controls, and deploy comprehensive monitoring to detect unauthorized persistence mechanisms and malicious request activity.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1505.004 | Server Software Component | IIS Components |
| Persistence | T1136.001 | Create Account | Local Account |
| Defense Evasion | T1070.001 | Indicator Removal | Clear Windows Event Logs |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Impact | T1565.002 | Data Manipulation | Transmitted Data Manipulation |
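The following triage script is an added example, not part of this advisory or any of the referenced reports. It checks an IIS host for three of the behaviours described above: native modules registered in applicationHost.config that sit outside the inetsrv directory or carry no valid signature (BadIIS is loaded as an IIS module, T1505.004), local accounts that are hidden or oddly named (T1136.001), and Security/System events recording a cleared log (T1070.001). It assumes it is run elevated on the server; the SpecialAccounts\UserList registry key and the "$"-suffix naming convention are common account-hiding methods, not details taken from the advisory.

```powershell
# Added hunting script: flags items for analyst review, it does not declare anything malicious.
$inetsrv    = Join-Path $env:windir 'System32\inetsrv'
$configPath = Join-Path $inetsrv 'config\applicationHost.config'

# 1. IIS native modules (globalModules). A legitimate module normally lives under inetsrv
#    and carries a valid Authenticode signature; anything else goes to the REVIEW queue.
#    Caveat: catalog-signed system DLLs can report NotSigned on older hosts, so REVIEW means triage.
Write-Host "== IIS native modules ($configPath)"
[xml]$cfg = Get-Content -Path $configPath -Raw
foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    $dll = [Environment]::ExpandEnvironmentVariables($m.image)
    $outsideInetsrv = -not $dll.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
    $sigStatus = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'MissingFile' }
    $flag = if ($outsideInetsrv -or $sigStatus -ne 'Valid') { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-30} {2,-12} {3}' -f $flag, $m.name, $sigStatus, $dll
}

# 2. Local accounts. UserList values of 0 hide an account from the logon UI (assumed hiding
#    method); a trailing "$" is a common convention for accounts meant to be overlooked.
Write-Host "`n== Local accounts"
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = @()
if (Test-Path $userListKey) {
    $hidden = (Get-ItemProperty -Path $userListKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object Name
}
foreach ($u in Get-LocalUser) {
    $notes = @()
    if ($hidden -contains $u.Name) { $notes += 'hidden-from-logon' }
    if ($u.Name -match '\$$')     { $notes += 'dollar-suffix' }
    '{0,-20} enabled={1,-5} lastLogon={2,-22} {3}' -f $u.Name, $u.Enabled, $u.LastLogon, ($notes -join ',')
}

# 3. Log clearing: Security 1102 (audit log cleared) and System 104 (event log cleared).
#    The absence of older events alongside one of these is itself a signal worth recording.
Write-Host "`n== Log clearing events (last 30 days)"
$since = (Get-Date).AddDays(-30)
foreach ($q in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
    $q['StartTime'] = $since
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}
```

Run the output against a known-good baseline from a freshly built server of the same role; the interesting findings are the differences, not the absolute list.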
REFERENCES:
The following reports contain further technical details: