BADIIS Malware Targets Over 1,800 Windows Servers in Massive SEO Poisoning Attack


Over 1,800 Windows IIS servers worldwide have been compromised in a large-scale search engine optimization (SEO) poisoning campaign driven by the BADIIS malware, a malicious IIS module used to hijack legitimate web traffic.

The operation, tracked by Elastic Security Labs as REF4033, is attributed to a Chinese-speaking cybercrime group that monetizes these compromised servers by redirecting users to illicit gambling, pornography, and cryptocurrency scam sites.

The investigation showed strong overlaps with earlier research from Cisco Talos on threat group UAT-8099 and Trend Micro’s reporting on BadIIS-style SEO fraud campaigns abusing IIS servers in Asia.

More than 1,800 Windows web servers have been identified as compromised, including infrastructure belonging to governments, educational institutions, and corporate organizations in Australia, Bangladesh, Brazil, China, India, Japan, Korea, Lithuania, Nepal, and Vietnam.

In November 2025, Elastic Security Labs investigated an intrusion at a multinational organization in Southeast Asia and traced it back to a wider BADIIS-driven SEO poisoning campaign.

REF4033 follows the same playbook seen in prior BadIIS-style operations: poisoned search results are used to drive traffic into a “vice economy” of illegal online casinos, adult content, and high-risk crypto platforms.

Around 30% of victim servers are hosted on major cloud providers such as AWS, Azure, Tencent Cloud and Alibaba Cloud, with the remainder distributed across regional telecom networks.

One notable example is a fraudulent staking platform hosted at uupbit[.]top that impersonates Upbit, a leading South Korean cryptocurrency exchange, highlighting the financial fraud component of the campaign.

BADIIS Deployment

Attackers rapidly moved from initial access on a Windows IIS server to full BADIIS module deployment in less than 20 minutes, starting from a web shell running under the w3wp.exe worker process.

REF4033 execution flow (Source: Elastic Security Labs).

The threat actor created a new local account, escalated privileges by adding it to the Administrators group, and then installed a malicious Windows service named WalletServiceInfo that loaded an unsigned DLL from the ProgramData directory.

Security telemetry from Elastic Defend flagged the suspicious service behavior and the use of direct syscalls from the malicious module, indicating an attempt to evade user-mode security hooks.

Analysis of the associated executable, CbsMsgApi.exe, showed Chinese Simplified strings and a PDB path referencing an IIS-focused project, reinforcing the assessment of a Chinese-speaking operator.

This loader creates the WalletServiceInfo service and registers CbsMsgApi.dll as a ServiceDLL under svchost.exe, then hardens the service’s security descriptor to resist tampering and removal.
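A check for the persistence step above, added here as an example and not taken from Elastic's report or from the BADIIS sample: it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` prints and reports svchost-hosted services whose ServiceDll resolves outside `%SystemRoot%\System32`. The service name WalletServiceInfo and the DLL name CbsMsgApi.dll come from the report; the ProgramData subdirectory, the other services and the registry text itself are constructed for the demo.

```python
"""Flag svchost-hosted services whose ServiceDll lives outside System32."""
import re

# Constructed `reg query ... /s` output. WalletServiceInfo mirrors the report
# (svchost-hosted, DLL under ProgramData); the exact subdirectory is assumed.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
    ObjectName    REG_SZ    NT Authority\LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WalletServiceInfo
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WalletServiceInfo\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\WalletServiceInfo\CbsMsgApi.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k iissvcs
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\inetsrv\iisw3adm.dll
"""

SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SYSTEM32 = "c:\\windows\\system32\\"


def parse_reg_query(text: str) -> dict:
    """Map each key path to {value name: data}; `reg query` separates columns by 4 spaces."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current and line.startswith("    "):
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)  # name, type, data
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
    return keys


def _expand(path: str) -> str:
    # Expand the variables the SCM would; the Windows directory is assumed to be C:\Windows.
    return path.replace("%SystemRoot%", r"C:\Windows").replace("%windir%", r"C:\Windows").lower()


def find_suspicious_service_dlls(text: str):
    """Return [(service name, ServiceDll)] for svchost services loading a DLL outside System32."""
    keys = parse_reg_query(text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in keys.items():
        low = key.lower()
        # Only top-level service keys (one path component after ...\Services\).
        if not low.startswith(SERVICES_PREFIX) or low.count("\\") != SERVICES_PREFIX.count("\\"):
            continue
        if "svchost.exe" not in _expand(values.get("ImagePath", "")):
            continue
        # ServiceDll is usually under Parameters, occasionally on the service key itself.
        dll = values.get("ServiceDll") or by_lower.get(low + "\\parameters", {}).get("ServiceDll")
        if dll and not _expand(dll).startswith(SYSTEM32):
            findings.append((key.rsplit("\\", 1)[1], dll))
    return findings


if __name__ == "__main__":
    for name, dll in find_suspicious_service_dlls(SAMPLE_REG_QUERY):
        print(f"{name}: ServiceDll outside System32 -> {dll}")
```

Legitimate third-party software also hosts service DLLs outside System32, so treat the output as triage input rather than a verdict. For any hit, `sc sdshow <service>` shows the service's security descriptor, which is where the tampering-resistant ACL described above would appear.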

During execution, the DLL stages three masqueraded files in C:\Windows\System32\drivers, two of which are the 32-bit and 64-bit BADIIS modules, and one that contains IIS configuration fragments later injected into DefaultAppPool configuration files.

CbsMsgApi.dll sample listing in VirusTotal (Source: Elastic Security Labs).

The malware copies these modules into the .NET Framework directory and programmatically updates the IIS configuration sections that register and enable native modules so that a DLL (for example, WsmRes64.dll) is loaded into the DefaultAppPool pipeline.
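An audit for the module-registration step above, added here as an example and not code from Elastic's report or from the BADIIS sample: it parses an applicationHost.config fragment and reports every native module in the globalModules section whose image is outside the inetsrv directory and is not one of the ASP.NET engines (webengine4.dll, webengine.dll) that IIS legitimately loads from the .NET Framework directory. That distinction matters because, as described above, the malicious DLL is copied into that same .NET Framework directory. The module name WsmRes64 comes from the report; the config text, the exact path and the other entries are constructed.

```python
"""Audit IIS applicationHost.config for native modules outside the expected locations."""
import ntpath
import xml.etree.ElementTree as ET

INETSRV = "%windir%\\system32\\inetsrv\\"
DOTNET = "%windir%\\microsoft.net\\"
# The native images ASP.NET registers from the .NET Framework directory.
KNOWN_DOTNET_IMAGES = {"webengine4.dll", "webengine.dll"}

# Constructed applicationHost.config fragment; WsmRes64 mirrors the report's
# module name, its path under the .NET Framework directory is assumed.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="WsmRes64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\WsmRes64.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="ManagedEngine64" />
      <add name="WsmRes64" />
    </modules>
  </system.webServer>
</configuration>
"""


def normalize(image: str) -> str:
    # IIS stores image paths with %windir%; compare case-insensitively with backslashes.
    return image.strip().replace("/", "\\").lower()


def is_expected(image: str) -> bool:
    """True for images under inetsrv, or the known ASP.NET engines under Microsoft.NET."""
    norm = normalize(image)
    if norm.startswith(INETSRV):
        return True
    return norm.startswith(DOTNET) and ntpath.basename(norm) in KNOWN_DOTNET_IMAGES


def audit_native_modules(config_xml: str):
    """Return [(name, image, enabled)] for globalModules entries outside the baseline."""
    root = ET.fromstring(config_xml)
    enabled = set()
    for modules in root.iter("modules"):
        for add in modules.findall("add"):
            if add.get("type") is None:  # native module entries carry no managed type
                enabled.add(add.get("name"))
    findings = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name"), add.get("image", "")
            if not is_expected(image):
                findings.append((name, image, name in enabled))
    return findings


if __name__ == "__main__":
    for name, image, enabled in audit_native_modules(SAMPLE_CONFIG):
        state = "enabled" if enabled else "registered only"
        print(f"{name}: unexpected native module image {image} ({state})")
```

On a live server the file is `%windir%\System32\inetsrv\config\applicationHost.config`; a hit should be followed by checking the image's Authenticode signature and whether w3wp.exe currently has it loaded, since a module that is registered but not enabled is not yet in the request pipeline.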

SEO Poisoning Attack

The BADIIS modules implement conditional injection logic that serves different content based on headers such as User-Agent and Referer, and on the geographic configuration of each compromised server.

WsmRes64.dll loaded under w3wp.exe (Source: Elastic Security Labs).

Once loaded, BADIIS runs as a native IIS module, hooking request processing inside w3wp.exe and giving attackers fine-grained control over which traffic to manipulate while remaining largely invisible to administrators.

The module fetches its configuration from region-specific text files hosted on country-coded subdomains such as kr.gotz003[.]com and vn.gotz003[.]com; the data is stored in encrypted form and decrypted on the server with the SM4 block cipher in ECB mode (older variants use AES-128).

These text files define URLs for subnet filters, backlink lists, redirection targets, and SEO content generators, enabling the actors to tune behavior by country and by traffic source.

BADIIS distinguishes between search engine crawlers and normal users by inspecting User-Agent and Referer, prioritizing bots such as Googlebot and Bingbot for injection.

For non-existent pages requested by crawlers, the module replaces 404 responses with SEO content retrieved from attacker-controlled infrastructure, returning a 200 status code to ensure indexing of the poisoned content.

For human visitors arriving from search engines, the module can serve a loading-page template with JavaScript-based auto-redirects, often only when the User-Agent suggests a mobile device, thereby pushing users to gambling or phishing destinations while keeping casual manual checks clean.
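The crawler and referer gating described above leaves a footprint in the server's own W3C logs: the same URL stem returning 200 to Googlebot or to a visitor arriving from a search engine while returning 404 to everyone else. The detection below, added here as an example and not from Elastic's report, replays constructed IIS log lines and reports stems with that divergence. The log lines, addresses and paths are constructed; the crawler and search-engine lists are assumptions a defender would extend for their region.

```python
"""Spot User-Agent/Referer-conditional responses (search cloaking) in IIS W3C logs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed lists; extend with the engines that matter for the server's region.
CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider")
SEARCH_REFERER_HOSTS = ("google.", "bing.", "baidu.", "naver.", "coccoc.")

# Constructed IIS W3C log excerpt (spaces inside fields are '+' in IIS logs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes
2025-11-12 03:14:05 GET /casino-bonus-2025.html - 443 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 48211
2025-11-12 03:14:09 GET /casino-bonus-2025.html - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 404 1420
2025-11-12 03:15:30 GET /casino-bonus-2025.html - 443 198.51.100.23 Mozilla/5.0+(Linux;+Android+13)+Mobile https://www.google.com/ 200 2187
2025-11-12 03:16:00 GET /about.html - 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 9120
2025-11-12 03:16:01 GET /about.html - 443 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 9120
2025-11-12 03:17:00 GET /missing.html - 443 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 404 1420
"""


def classify(user_agent: str, referer: str) -> str:
    """Bucket a request as crawler, search_referred or direct (what the server saw, not proof of origin)."""
    ua = user_agent.lower()
    if any(marker in ua for marker in CRAWLER_MARKERS):
        return "crawler"
    host = urlsplit(referer).netloc.lower() if referer != "-" else ""
    if any(h in host for h in SEARCH_REFERER_HOSTS):
        return "search_referred"
    return "direct"


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_cloaked_paths(text: str) -> dict:
    """Return {uri-stem: [classes that got 200]} where direct visitors only ever got 404."""
    seen = defaultdict(lambda: defaultdict(set))  # stem -> class -> statuses
    for rec in parse_w3c(text):
        cls = classify(rec["cs(User-Agent)"].replace("+", " "), rec["cs(Referer)"])
        seen[rec["cs-uri-stem"]][cls].add(rec["sc-status"])
    findings = {}
    for stem, by_cls in seen.items():
        direct = by_cls.get("direct", set())
        if "200" in direct or "404" not in direct:
            continue  # need evidence the page is genuinely missing for ordinary visitors
        served = [c for c in ("crawler", "search_referred") if "200" in by_cls.get(c, set())]
        if served:
            findings[stem] = served
    return findings


if __name__ == "__main__":
    for stem, classes in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"{stem}: 200 served to {', '.join(classes)} but 404 to direct visitors")
```

Because the module can decide per request, confirm a hit by fetching the stem yourself with a Googlebot User-Agent and again with a mobile User-Agent and a google.com Referer, and compare the bodies; redirect targets in the served JavaScript should then be visible.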

Across the REF4033 clusters, Elastic observed heavy focus on APAC, with China and Vietnam together accounting for more than 80% of compromised servers, and redirection flows closely aligned with each server’s geography.

This activity strongly overlaps the UAT-8099 ecosystem tracked by Cisco Talos and the BadIIS SEO manipulation campaigns documented by Trend Micro and other vendors, underscoring that defenders should treat “BADIIS-style” IIS SEO poisoning as a persistent, evolving threat family rather than a single malware strain.
