All news with #seo fraud tag

Mon, October 6, 2025

Chinese Cybercrime Group Runs Global SEO Fraud Ring

🔍 UAT-8099, a Chinese-speaking cybercrime group, has been linked to a global SEO fraud operation that targets Microsoft IIS servers to manipulate search rankings and harvest high-value data. The actor gains access via vulnerable or misconfigured file upload features, deploys web shells and privilege escalation to enable RDP, then uses Cobalt Strike and a modified BadIIS module to serve malicious content when requests mimic Googlebot. Infections have been observed across India, Thailand, Vietnam, Canada, and Brazil, affecting universities, telecoms and technology firms, with the fraudulent content aimed primarily at mobile users.

Fri, October 3, 2025

New Chinese Group Hijacks IIS Servers for SEO Fraud

🔍 Cisco Talos warns a Chinese-speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.

Thu, October 2, 2025

UAT-8099 Targets High-Value IIS Servers for SEO Fraud

🔍 Cisco Talos details UAT-8099, a Chinese-speaking cybercrime group that compromises reputable IIS servers to conduct SEO fraud and steal high-value credentials, certificates and configuration files. The actors exploit file-upload weaknesses to deploy ASP.NET web shells, enable RDP, create hidden administrative accounts and install VPN/reverse-proxy tools for persistence. They automate operations with custom scripts, deploy Cobalt Strike via DLL sideloading and install multiple BadIIS variants to manipulate search rankings and redirect mobile users to ads or gambling sites. Talos published IoCs, Snort/ClamAV signatures and mitigation guidance.

Thu, September 4, 2025

GhostRedirector Hits 65 Windows Servers with IIS Module

🔍 Researchers at ESET disclosed a previously undocumented campaign named GhostRedirector that has compromised at least 65 Windows servers mainly in Brazil, Thailand and Vietnam. The intruders deployed a passive C++ backdoor, Rungan, alongside a native IIS module, Gamshen, which selectively alters responses for Googlebot to perform SEO fraud. Initial access appears linked to SQL injection and abuse of xp_cmdshell, with subsequent PowerShell retrievals from a staging host.
