REF4033
REF4033 is a Chinese-speaking cybercrime group associated with a large-scale SEO poisoning campaign targeting Windows IIS web servers. Elastic Security Labs reported that the group compromised more than 1,800 Windows web servers worldwide, with a strong concentration in APAC, particularly China and Vietnam. Reported victims include government, corporate, and educational organizations across multiple countries; government and public administration entities were specifically identified among the impacted sectors.

After compromising an IIS server, the group deploys a malicious IIS native module called BADIIS. Elastic observed one November 2025 intrusion at a multinational organization in Southeast Asia in which the actor moved from initial access to IIS module deployment in under 17 minutes. Observed post-compromise activity included use of a webshell under w3wp.exe, creation of a new local administrator account, installation of a stealthy Windows service named WalletServiceInfo, loading of an unsigned ServiceDLL at C:\ProgramData\Microsoft\Windows\Ringtones\CbsMsgApi.dll, and use of D-Shield Firewall (D_Safe_Manage.exe) to harden access and impose network restrictions. BADIIS modifies the IIS configuration, including DefaultAppPool, to load attacker-controlled modules such as WsmRes64 into the request pipeline. Elastic reported staged files masquerading under C:\Windows\System32\drivers, including WUDFPfprot.sys, WppRecorderpo.sys, and WppRecorderrt.sys, the latter two corresponding to the 32-bit and 64-bit BADIIS modules.

The malware conditionally injects content or redirects traffic based on User-Agent and Referer values, including checks for search engines and crawlers such as Google, Bing, Naver, and Daum, with optional mobile-only targeting and subnet-based filtering. The campaign uses a two-phase monetization model: keyword-stuffed HTML is served to search engine crawlers to manipulate rankings, and real users are then redirected to illicit destinations. Reported destinations include online gambling, pornography, cryptocurrency fraud, and cryptocurrency phishing, including a fraudulent Upbit clone. Configuration URLs are stored encrypted: newer samples use SM4 in ECB mode with the key 1111111122222222, while older samples use AES-128 in ECB mode. Those URLs point to resources that define subnet filters, redirection targets, backlink payloads, and SEO content generation. Elastic also reported Google Analytics and Baidu Tongji tags in landing pages, used to track redirections. Elastic stated that the activity is consistent with prior reporting by Cisco Talos and Trend Micro, and specifically aligned it with the cluster Cisco Talos tracks as UAT-8099. The alias used here is REF4033; the related tracking name in other reporting is UAT-8099.
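The User-Agent and Referer cloaking described above can be checked for on IIS hosts you administer by requesting the same URL under several header profiles and comparing the answers. The following is an added example, not code from this page or from Elastic; the crawler strings, the search-engine Referers, the landing.invalid host and the sample responses are constructed for illustration.

```python
"""Differential probing for the User-Agent / Referer cloaking BADIIS performs: crawlers get keyword-stuffed
HTML, search-engine visitors get redirected, a plain browser sees the clean site. Added example (not
Elastic's or the page's code); every host, profile and response below is constructed."""
import hashlib, re, urllib.error, urllib.request
from collections import namedtuple
Response = namedtuple("Response", "status location body")  # status code, Location header ("" if none), text
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
PROFILES = {  # name -> (User-Agent, Referer); "browser" is the baseline the other profiles are compared with
    "browser": (BROWSER_UA, ""),
    "googlebot": ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", ""),
    "from_google": (BROWSER_UA, "https://www.google.com/search?q=example"),
    "mobile_naver": ("Mozilla/5.0 (Linux; Android 13; Mobile) Chrome/124.0", "https://search.naver.com/"),
}

def fingerprint(body):
    """Hash the body after collapsing whitespace and dropping long digit runs (timestamps, nonces)."""
    return hashlib.sha256(re.sub(r"\b\d{8,}\b", "", re.sub(r"\s+", " ", body)).encode()).hexdigest()

def find_cloaking(responses):
    """(profile, reason) for every profile whose answer diverges from the plain-browser baseline."""
    base, findings = responses["browser"], []
    for name, r in responses.items():
        if name == "browser":
            continue
        if (r.status, r.location) != (base.status, base.location):
            findings.append((name, f"status/redirect differs: {r.status} -> {r.location or '-'}"))
        elif fingerprint(r.body) != fingerprint(base.body):
            findings.append((name, "body differs from baseline (crawler-only content?)"))
    return findings
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # do not follow 3xx: the Location header is the evidence
        return None
_OPENER = urllib.request.build_opener(_NoRedirect)
def fetch(url, user_agent, referer):
    """Request url under one header profile; with redirects disabled, 3xx/4xx/5xx arrive as HTTPError."""
    headers = {"User-Agent": user_agent, **({"Referer": referer} if referer else {})}
    try:
        with _OPENER.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return Response(r.status, r.headers.get("Location", ""), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location", ""), e.read().decode("utf-8", "replace"))

def scan(url):  # live check of one URL on a server you administer
    return find_cloaking({n: fetch(url, ua, ref) for n, (ua, ref) in PROFILES.items()})
CLOAKED_SAMPLE = {  # constructed responses (not real captures) from a server cloaked as the page describes
    "browser": Response(200, "", "<html><body><h1>Agency portal</h1><p>Opening hours</p></body></html>"),
    "googlebot": Response(200, "", "<html><body>" + "casino bonus slots " * 40 + "</body></html>"),
    "from_google": Response(302, "http://landing.invalid/", ""),
    "mobile_naver": Response(302, "http://landing.invalid/", ""),
}
```

Running find_cloaking(CLOAKED_SAMPLE) reports the crawler-only body and the two search-referred redirects, while a server that answers every profile identically yields an empty list.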
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.