Hackers Hijacking IIS Servers Using Malicious BadIIS Module to Serve Malicious Content
Leveraging a native IIS module named BadIIS, attackers manipulated search engine crawler traffic to poison search results and redirect legitimate users to scam or adult-oriented websites.
Infrastructure overlaps link this activity to ESET’s “Group 9” cluster, and the tooling shares functional similarities with Cisco Talos’s “DragonRank” campaign.
In March 2025, Unit 42 researchers uncovered an advanced SEO poisoning campaign dubbed Operation Rewrite, attributed to a Chinese-speaking threat actor tracked as CL-UNK-1037.
BadIIS is a native IIS module: it loads into the IIS worker process (w3wp.exe), runs with the application pool’s identity, and sits directly in the request pipeline, so it can read and rewrite every request and response the server handles. Once deployed on compromised servers, the module inspects incoming HTTP requests.

When a search engine crawler visits, BadIIS intercepts the request, queries its C2 server for keyword-rich HTML, and serves this content to the crawler.
As a result, the compromised site gains indexing credit for high-traffic search terms—often tied to gambling, pornography, or illegal streaming.
Unit 42 observed configuration targeting East and Southeast Asia, with crawler keywords including “viet,” “coccoc,” and “timkhap,” as well as global engines such as Google and Bing.
When a genuine user clicks a poisoned result, BadIIS identifies the request via the Referer header, fetches a redirect payload from its C2 server, and proxies the victim to scam content. This two-phase attack maximizes domain reputation while cloaking malicious intent from typical users and defenders.
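The two-phase flow leaves a signature in the server’s own access logs: the same URI answers differently depending on whether the visitor is a crawler, a person arriving from a search-result page, or anyone else. The following detector, an added example and not code from Unit 42 or the article, parses IIS W3C-format log lines and flags URIs that show that split. The crawler and search-engine patterns and the sample log lines are constructed for illustration; tune them to the engines your site actually receives.

```python
"""Hunt for BadIIS-style cloaking in IIS W3C access logs.

IIS writes W3C logs with a '#Fields:' header and space-separated values
(spaces inside the User-Agent are replaced by '+', absent values by '-').
The same URI returning one status to crawlers, another to visitors whose
Referer is a search engine, and a third to everyone else is the footprint
of a cloaking module.
"""
import re
from collections import defaultdict

# Constructed patterns: crawler user-agents and search-engine referers to look for.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandex|coccoc", re.I)
SEARCH_REFERER = re.compile(r"https?://[^/]*(google|bing|baidu|coccoc|yandex)\.", re.I)
REDIRECTS = {"301", "302", "307"}

# Default IIS 10 field order, used only when the log has no '#Fields:' header.
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
                  "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
                  "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log (not real traffic): one path 404s for humans but 200s
# for Googlebot, and another redirects only visitors arriving from Google.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-03-02 10:00:01 10.0.0.5 GET /about.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2025-03-02 10:00:09 10.0.0.5 GET /casino-bonus.html - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 120
2025-03-02 10:01:15 10.0.0.5 GET /casino-bonus.html - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) - 404 0 2 5
2025-03-02 10:02:40 10.0.0.5 GET /about.aspx - 443 - 198.51.100.22 Mozilla/5.0+(Linux;+Android+13) https://www.google.com/ 302 0 0 44
2025-03-02 10:03:02 10.0.0.5 GET /about.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 302 0 0 40
"""


def classify(user_agent, referer):
    """Bucket a request the way the implant does: crawler, search arrival, or direct."""
    if CRAWLER_UA.search(user_agent):
        return "crawler"
    if SEARCH_REFERER.search(referer):
        return "from_search"
    return "direct"


def parse_w3c(text):
    """Yield one dict per log record, honouring the '#Fields:' header if present."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or foreign line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_cloaked_uris(text):
    """Return {uri: reason} for URIs whose status depends on the visitor class."""
    seen = defaultdict(lambda: defaultdict(set))  # uri -> class -> {status codes}
    for rec in parse_w3c(text):
        cls = classify(rec["cs(User-Agent)"], rec["cs(Referer)"])
        seen[rec["cs-uri-stem"]][cls].add(rec["sc-status"])

    suspicious = {}
    for uri, by_cls in seen.items():
        crawler = by_cls.get("crawler", set())
        search = by_cls.get("from_search", set())
        direct = by_cls.get("direct", set())
        # Phase 1 footprint: a path that does not exist for humans but is
        # served (200) to crawlers, i.e. a fabricated page being indexed.
        if "200" in crawler and direct and direct <= {"404"}:
            suspicious[uri] = "crawler-only content on a 404 path"
        # Phase 2 footprint: only search-referred visitors get redirected.
        elif (search & REDIRECTS) and direct and not (direct & REDIRECTS):
            suspicious[uri] = "redirect only for search-referred visitors"
    return suspicious


if __name__ == "__main__":
    for uri, reason in find_cloaked_uris(SAMPLE_LOG).items():
        print(f"{uri}: {reason}")
```

The second heuristic only catches the redirect form of phase 2. When the module proxies the scam page instead of issuing a 302, the status stays 200 and the difference is only in the body; for that case add `sc-bytes` to the log fields and compare response sizes per visitor class, or fetch the URI yourself once with a search-engine Referer and once without and diff the bodies.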
Arsenal: Variants Beyond BadIIS
Beyond the core native module, researchers discovered three additional variants:
- ASP.NET Page Handler: A lightweight C# script that hooks the Page_Load event to inspect Referer headers. Search engine bots receive dynamically generated SEO content, while other visitors are proxied to malicious URLs.
- Managed .NET IIS Module: A full-featured C# implant that hijacks 404 responses and injects spam links into valid pages. It gets nonexistent URLs indexed for SEO poisoning and dynamically alters live pages for search bots.
- All-in-One PHP Front-Controller: A standalone PHP script performing Referer and User-Agent checks. It generates fake XML sitemaps for Googlebot and rewrites content on crawl, while proxying mobile users to pages laden with scam redirects.
These variants demonstrate the threat actor’s adaptability: they can be dropped onto diverse hosting environments quickly, and the script-based ones evade detection tooling that only hunts for native (DLL) IIS modules.
Linguistic artifacts—including the Pinyin object name chongxiede (重写, “rewrite”) and simplified Chinese comments in PHP variants—point to Chinese-speaking developers.
ESET’s Group 9 campaign uses the same module registration and hook points (the RegisterModule export, OnBeginRequest, and OnSendResponse) and overlapping C2 domains (e.g., 008php[.]com, yyphw[.]com, 300bt[.]com), indicating a shared codebase or collaborative infrastructure.

Though no direct domain overlap links CL-UNK-1037 to Cisco Talos’s DragonRank, both campaigns use the same SEO-poisoning and proxying logic, suggesting a shared lineage of tooling rather than shared infrastructure.
Mitigations
Security teams should monitor IIS module registrations and scheduled tasks for anomalous entries. Native modules are registered under <globalModules> in %windir%\System32\inetsrv\config\applicationHost.config and enabled under <modules>; managed modules appear under <modules> in applicationHost.config or a site’s web.config with a .NET type. A native module whose DLL lives outside the inetsrv directory, an unsigned DLL loaded by w3wp.exe, or a managed type from an unfamiliar assembly should be treated as suspect until verified.
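One way to turn that check into a repeatable audit, as an added example that is not Unit 42’s or the article’s own tooling: parse an exported applicationHost.config and flag native modules loaded from outside the inetsrv directory and managed modules whose type is not a Microsoft assembly. The sample configuration below, including the module names and DLL path in it, is constructed for illustration and does not describe any real implant; on a live server point the function at the real file, or at the output of `appcmd list modules /config` or `Get-WebGlobalModule`.

```python
"""Audit IIS module registrations in applicationHost.config.

Native modules: <system.webServer><globalModules><add name=... image=...>
    IIS loads 'image' (a DLL exporting RegisterModule) into w3wp.exe.
Managed modules: <system.webServer><modules><add name=... type=...>
    'type' is a .NET type; a module with no 'type' just enables a native one.
"""
import xml.etree.ElementTree as ET

# Paths IIS's own native modules live in (compared case-insensitively).
TRUSTED_NATIVE_DIRS = ("%windir%\\system32\\inetsrv\\", "c:\\windows\\system32\\inetsrv\\")
# Assembly prefixes of the managed modules that ship with IIS/ASP.NET.
TRUSTED_MANAGED_PREFIXES = ("System.Web.", "Microsoft.", "System.ServiceModel.")

# Constructed sample config (hypothetical module names and paths, not real IOCs):
# one native module loaded from a temp directory and one third-party managed type.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="IISUrlCache" image="C:\Windows\Temp\iiscache.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="IISUrlCache" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
      <add name="SeoHelper" type="Seo.Helper, Seo, Version=1.0.0.0" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""


def audit_iis_config(xml_text):
    """Return a list of (kind, module name, image-or-type) for suspect registrations."""
    root = ET.fromstring(xml_text)
    findings = []
    web_server = root.find("system.webServer")
    if web_server is None:
        return findings

    global_modules = web_server.find("globalModules")
    if global_modules is not None:
        for add in global_modules.findall("add"):
            image = add.get("image", "")
            # Native DLL registered from anywhere but the IIS install directory.
            if not image.lower().startswith(TRUSTED_NATIVE_DIRS):
                findings.append(("native", add.get("name"), image))

    modules = web_server.find("modules")
    if modules is not None:
        for add in modules.findall("add"):
            managed_type = add.get("type")
            # Managed module whose type is not from a Microsoft-shipped assembly.
            if managed_type and not managed_type.startswith(TRUSTED_MANAGED_PREFIXES):
                findings.append(("managed", add.get("name"), managed_type))
    return findings


if __name__ == "__main__":
    for kind, name, location in audit_iis_config(SAMPLE_CONFIG):
        print(f"[{kind}] {name}: {location}")
```

Each flagged native DLL should then be checked for an Authenticode signature and for the RegisterModule export, and its path should be compared against the DLLs actually mapped into running w3wp.exe processes, since a module can also be enabled per site in web.config rather than globally. This audit does not cover the ASP.NET Page_Load handler or the PHP front-controller variants, which are ordinary content files rather than registered modules; hunt those by recent file modification times and by the Referer/User-Agent branching in their source.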
Network defenders can leverage advanced detection capabilities in Palo Alto Networks’ Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, and Cortex XDR to identify and block malicious payload retrieval and proxy traffic.
Immediate incident response by Unit 42 is advised for suspected compromises, with detailed indicators of compromise available through the Unit 42 Incident Response team.
By understanding the multi-phased lure-and-trap flow—crawler poisoning followed by victim redirection—and the expanding toolkit of native and script-based implants, organizations can bolster IIS security, institute strict module integrity checks, and proactively hunt for similar SEO-poisoning threats.