Cisco Talos has identified a campaign by the threat actor UAT-8099 that targets Microsoft Internet Information Services (IIS) servers in Thailand, Vietnam, and neighboring Asian countries with new region-tailored variants of the BadIIS malware, active from late 2025 through early 2026. The new variants add built-in region-locking, customized file and page behaviors, and a fully featured Linux ELF build with proxy, injector, and SEO-fraud modes. Talos links the activity to the WEBJACK campaign and observed web shells, PowerShell, and the GotoHTTP remote access tool in use during the intrusions. #BadIIS #UAT-8099 #IIS #WEBJACK #GotoHTTP
Keypoints
- UAT-8099 is specifically targeting IIS servers in Thailand, Vietnam, and nearby Asian regions.
- New BadIIS variants hardcode their target regions and include region-locking, so each build is tailored to a specific set of countries.
- The malware uses customized file extensions, dynamic page behaviors, and local HTML templates to blend in with legitimate site content and traffic.
- A Linux ELF variant of BadIIS with proxy, injector, and SEO-fraud modes extends the toolset beyond Windows IIS hosts.
- Talos links this activity to the WEBJACK campaign and observed use of web shells, PowerShell, and the GotoHTTP remote access tool.
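BadIIS runs as a native IIS module, so the first triage step on a suspect server is to enumerate every native module registered in applicationHost.config and look for DLLs that are missing, live outside the inetsrv directory, or carry no valid signature. The script below is an added example written for this summary; it is not from the Talos report and contains no BadIIS-specific indicator. It assumes a default IIS install path and an elevated PowerShell session on the IIS host.

```powershell
# Added triage check (example code, not from Cisco Talos or the UAT-8099 report).
# Enumerates native IIS modules from applicationHost.config and flags entries that
# deserve a closer look. Paths below are the IIS defaults; adjust if IIS is relocated.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $configPath -Raw

# Built-in IIS modules live under inetsrv; a native module anywhere else is worth reviewing.
$inetsrv = (Join-Path $env:windir 'System32\inetsrv').ToLowerInvariant()

$results = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    # Module image paths are stored with environment variables such as %windir%.
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $image } else { $null }
    $file   = if ($exists) { Get-Item -LiteralPath $image } else { $null }

    [pscustomobject]@{
        Name           = $m.name
        Image          = $image
        Exists         = $exists
        OutsideInetsrv = -not $image.ToLowerInvariant().StartsWith($inetsrv)
        SigStatus      = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Created        = if ($file) { $file.CreationTimeUtc } else { $null }
        Modified       = if ($file) { $file.LastWriteTimeUtc } else { $null }
    }
}

# Review prompts, not verdicts: a missing image, a path outside inetsrv,
# or anything other than a valid Authenticode/catalog signature.
$suspicious = $results | Where-Object {
    -not $_.Exists -or $_.OutsideInetsrv -or $_.SigStatus -ne 'Valid'
}

$results | Sort-Object OutsideInetsrv, SigStatus -Descending | Format-Table -AutoSize
if ($suspicious) {
    Write-Warning ("{0} native module(s) need review:" -f @($suspicious).Count)
    $suspicious | Format-Table Name, Image, Exists, SigStatus, Signer, Created, Modified -AutoSize
}
```

Legitimately installed third-party modules will also be flagged, so compare the output against a known-good baseline from a clean server rather than treating every hit as malicious. Microsoft's own inetsrv DLLs are typically catalog-signed and report a Valid status. This check covers only globally registered native modules; the web shells, PowerShell activity, and GotoHTTP usage mentioned in the report need separate review of site content, process history, and installed software.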
Read More: https://securityonline.info/iis-under-siege-uat-8099-deploys-region-locked-badiis-linux-variants/