Skip to main content
Mallory
Back to threat actors
🇨🇳 CN2 malware families

DragonRank

Also known asDragonRank

DragonRank is a threat cluster associated with malicious activity targeting Microsoft IIS web servers. Reporting cited in the content places it among China-linked or Chinese-speaking clusters that have singled out IIS servers, and Talos notes that BadIIS malware has been used by multiple Chinese-speaking threat clusters including DragonRank. The group is associated with BadIIS-style operations that turn compromised IIS servers into assets for search engine manipulation and SEO fraud. The content also notes that DragonRank reporting includes PlugX. Public reporting referenced here distinguishes DragonRank from other IIS-focused clusters such as UAT-8099/WEBJACK, Operation Rewrite (CL-UNK-1037), GhostRedirector, and OP-512: DragonRank is described as adjacent or similar in tradecraft, but not identical based on currently published evidence, and a low-confidence connection to CL-UNK-1037 is noted due to similarity without infrastructure overlap. No additional confirmed aliases or sub-groups are provided in the content beyond the name DragonRank.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics6 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0002
Execution
1 technique
T1574
Hijack Execution Flow
T1574.001
DLL
TA0005
Stealth
1 technique
T1574
Hijack Execution Flow
T1574.001
DLL
TA0011
Command and Control
2 techniques
T1090
Proxy
T1102
Web Service
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BADIISCisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware.3May 19, 2026
PlugX"DragonRank ... uses BadIIS and also PlugX"1Mar 8, 2026
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
the hacker newsNews
Jun 5, 2026
New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

China-aligned threat group observed targeting IIS web servers.

Read more
talos intelligence blogNews
May 19, 2026
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Cybercrime group using BadIIS variants to compromise web servers for search engine manipulation and SEO fraud.

Read more
alphahunt blogNews
Feb 10, 2026
[DEEP RESEARCH] BadIIS Isn’t Enough: The IIS Module + HTTP Fingerprints That Catch SEO-Fraud Cloaking

Distinct but related IIS SEO-manipulation cluster in the BadIIS ecosystem; differentiated in reporting by inclusion of PlugX and other campaign-specific artifacts and patterns; sometimes discussed as a service-provider-like operation around SEO manipulation.

Read more
the hacker newsNews
Oct 6, 2025
Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers

Chinese-speaking threat cluster associated (in this reporting) with use of BadIIS malware for IIS-based SEO fraud/traffic manipulation.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.