thehackernews.com 1/30/2026, 1:35:56 PM · via preferred

China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware

According to Cisco Talos, a China-linked threat actor known as UAT-8099 conducted a campaign against vulnerable IIS servers in Asia from late 2025 into early 2026, with a distinct concentration in Thailand and Vietnam. The group uses web shells and PowerShell to deploy a tool called GotoHTTP, granting remote access to compromised servers and enabling SEO fraud via the BadIIS malware.

The same researchers first documented UAT-8099 in October 2025, detailing attacks across India, Thailand, Vietnam, Canada and Brazil to support SEO fraud operations. The latest campaign targets IIS servers in India, Pakistan, Thailand, Vietnam and Japan, but Cisco notes a regional focus on Thailand and Vietnam.

Talos observes that the group continues to rely on web shells, SoftEther VPN and EasyTier while increasingly employing red team utilities and legitimate tools to evade detection and sustain persistence. Three BadIIS variants were identified within the asdSearchEngine cluster, including IISHijack (Vietnam) and asdSearchEngine (Thailand).

Article by CyberSIXT