  • Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services (IIS) servers across Asia, with a specific focus on victims in Thailand and Vietnam.
  • Analysis confirms significant operational overlaps between this activity and the WEBJACK campaign. These include shared indicators of compromise: malware hashes, command and control (C2) infrastructure, and victimology.
  • UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers.
  • New variants of BadIIS now hardcode the target region directly into the malware, with customized features for each specific variant. These customizations include exclusive file extensions, corresponding dynamic page extensions, directory indexing configurations, and the ability to load HTML templates from local files.

Article Summaries:

  • Cisco Talos has identified a new UAT-8099 campaign active from late 2025 to early 2026 that targets vulnerable Internet Information Services (IIS) servers across Asia, with a sharp focus on Thailand and Vietnam. The operation shares key indicators with the WEBJACK campaign: malware hashes, command-and-control infrastructure, and victim profiles. UAT-8099 deploys web shells, PowerShell scripts, and the GotoHTTP remote-control tool, and has released new BadIIS variants that hardcode regional targets, customize file extensions, and load local HTML templates. A Linux ELF variant was also posted to VirusTotal. The threat actors now use legitimate utilities and red-team tools to maintain persistence and evade detection.

Sources: