SEO Fraud Campaign Hits IIS Servers with BadIIS Malware

Cyber Security News by CyberSum.net

Published on October 2, 2025 at 03:00 PM

2 sources

A cybercrime group is targeting vulnerable Internet Information Services (IIS) servers for SEO fraud and data theft. The group, tracked as UAT-8099, uses custom BadIIS malware, web shells, and Cobalt Strike to gain and maintain access. They manipulate search engine results to redirect users to malicious sites and also steal high-value credentials and certificates. The campaign affects organizations like universities and tech companies across multiple regions. Researchers have identified new variants of the BadIIS malware with low detection rates and specific language debug strings.

Also Read

Cavalry Werewolf Targets Public Sector with Malware

A threat actor tracked as Cavalry Werewolf is actively targeting public sector agencies and enterprises in the energy and manufacturing sectors. The group initiates attacks using targeted phishing emails that impersonate government officials to deliver malicious archives. These archives contain custom malware families such as FoalShell and StallionRAT, which provide attackers with remote access and command execution capabilities. StallionRAT notably uses a Telegram bot for its command-and-control infrastructure, allowing operators to exfiltrate data and upload additional tools. Evidence suggests the group is expanding its operations, with artifacts indicating a broader geographic focus.

By Cyber Security News by CyberSum.netOctober 3, 2025 at 03:00 PM