BADIIS

BadIIS is malware targeting Microsoft Internet Information Services (IIS) web servers. It is deployed as a malicious IIS module/native module that loads into the IIS worker process and intercepts HTTP traffic, allowing operators to silently redirect visitors from legitimate websites to illegal gambling, adult-content, and other illicit destinations while the site can appear normal to administrators and regular users. Reported functionality includes traffic redirection, reverse proxying for search-engine crawler manipulation, content hijacking, and backlink injection to support SEO fraud. Multiple reports describe split-view behavior in which search-engine crawlers receive keyword-stuffed or attacker-controlled content while normal users or administrators receive clean content; some variants also gate behavior on Referer, User-Agent, browser language, or Accept-Language values.

Cisco Talos assessed a prominent BadIIS variant, identifiable in part by embedded "demo.pdb" strings, as likely sold or shared among multiple Chinese-speaking cybercrime groups under a malware-as-a-service model. Talos linked sustained development from at least September 2021 through January 2026 to an author alias "lwxat" based on PDB strings and related tooling. Talos reported a builder that generates customized payloads, configuration files, JavaScript redirectors, and PHP backlink scripts, with support for traffic redirection, reverse proxying, content hijacking, and internal/external backlink injection. Recovered builds indicated customer-specific customization, including variants for Norton bypass, robots.txt hijacking, browser-language-based redirection, and a likely client-specific build for "x神"/"xshen." Related installers, droppers, and persistence tools copy payloads into IIS resource paths, register malicious modules, impersonate legitimate services or processes such as svchost.exe, FaxService, AudiosService, or a fake "Winlogin" service, and restore removed modules from hidden backups including C:\Windows\Logs after reboot. Talos also reported custom Base64 encoding, single-byte XOR obfuscation of C2 addresses, the user-agent string "lwxatisme," and artifacts including config.txt and module.txt. Published detections included ClamAV names such as Win.Malware.BadIIS-10069981-0, Win.Malware.BadIIS-10069988-0, Win.Malware.BadIIS-10069984-0, and Win.Malware.BadIIS-10069985-0, as well as Snort SIDs including 66400, 66439, 66438, 66399, 66398, 301498-1, and 301491.

Elastic Security Labs reported large-scale global SEO-poisoning campaigns involving BADIIS on more than 1,800 Windows IIS servers, with victims including government, corporate, educational, and financial organizations and a strong concentration in the Asia-Pacific region. Elastic linked observed activity to a Chinese-speaking cybercrime group it tracks as REF4033 and said it aligns with Cisco Talos reporting on UAT-8099. In a November 2025 intrusion at a multinational organization in Southeast Asia, Elastic observed deployment of BADIIS onto a Windows IIS server after post-compromise activity under w3wp.exe, creation of a local administrator account, and installation of a stealthy Windows service named WalletServiceInfo loading an unsigned ServiceDLL at C:\ProgramData\Microsoft\Windows\Ringtones\CbsMsgApi.dll. Elastic reported direct syscalls from the loaded module, staging of malicious files masquerading under C:\Windows\System32\drivers\ as WUDFPfprot.sys, WppRecorderpo.sys, and WppRecorderrt.sys, and modification of IIS configuration such as DefaultAppPool.config to load attacker modules including WsmRes64. Elastic also reported encrypted configuration URLs using SM4 ECB with key "1111111122222222" in newer samples and AES-128 ECB in older ones, plus infrastructure including gotz003[.]com, jbtz003[.]com, gotz001[.]com, and jbtz001[.]com, and analytics identifiers G-2FK43E86ZM, G-R0KHSLRZ7N, and Baidu Tongji ID B59ff1638e92ab1127b7bc76c7922245.

BadIIS has also been associated with Chinese-speaking cybercrime activity tracked as UAT-8099 and with overlap to WEBJACK. Reporting describes use of web shells, PowerShell, GotoHTTP, SoftEther VPN, EasyTier, OpenArk64, Sharp4RemoveLog, and CnCrypt Protect in IIS-server intrusions that culminate in BadIIS deployment for SEO fraud and gambling redirects. Talos reported region-specific BadIIS variants such as BadIIS IISHijack and BadIIS asdSearchEngine, including targeting focused on Vietnam and Thailand and XOR-obfuscated configuration or injected HTML using key 0x7A. Observed artifacts and pivots in related reporting include module names such as fashttp.dll, fasthttp.dll, cgihttp.dll, iis32, and iis64; hidden local accounts such as admin$, mysql$, admin1$, admin2$, and power$; and domains such as ashx.lhlsjcb[.]com in adjacent IIS-focused activity. Overall, the malware is used to monetize compromised IIS infrastructure through SEO poisoning, crawler manipulation, backlink injection, and selective redirection to gambling, adult, and fraudulent cryptocurrency destinations.