securityonline.info 2/2/2026, 1:40:50 AM · via preferred

IIS Under Siege: UAT-8099 Deploys Region-Locked “BadIIS” & Linux Variants

According to Cisco Talos, a sophisticated cyber campaign targeting Internet Information Services (IIS) servers across Asia has evolved with new, highly customised malware variants. The threat actor, UAT-8099, was active from late 2025 through early 2026 and focused on Thailand, Vietnam and surrounding regions.

Unlike broad-spectrum attacks, UAT-8099 tailors its primary weapon, BadIIS, to fit local environments by hardcoding the target region into the malware and adding exclusive file extensions, corresponding dynamic page extensions, directory indexing configurations and the ability to load HTML templates from local files. The campaign has expanded beyond Windows, with a Linux Executable and Linkable Format (ELF) variant of BadIIS uploaded to VirusTotal on Oct. 1, 2025, offering features such as proxy mode, injector mode and SEO fraud mode.

Investigations also connect this activity to the WEBJACK campaign through distinct fingerprints, including malware hashes, C2 and victimology. Victims span India, Pakistan, Thailand, Vietnam and Japan, prompting audits of IIS configurations and monitoring for BadIIS indicators.

The article notes a regional focus and cross‑platform capabilities, underscoring the evolving threat landscape for IIS deployments, as reported on 2 February 2026.

Article by CyberSIXT