How hackers can damage your SEO… or they may have already done it!

A group of Chinese-speaking cybercriminals, known as UAT-8099, has been linked since April 2025 to fraud in search engine optimization (SEO) and the theft of valuable credentials. The attacks have primarily targeted Microsoft Internet Information Services (IIS) servers, affecting universities, tech companies, and telecommunications providers in countries such as India, Thailand, Vietnam, Canada, and Brazil.

Beware… even with your SEO!

This group uses a variety of tools, such as Cobalt Strike and BadIIS, in addition to automated scripts that evade security defenses. These methods allow them to manipulate SEO rankings by uploading web shells to vulnerable servers. A specific variant of the malware has been observed to adapt to evade detection by antivirus software and is activated upon detecting requests from Google.
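Because the malware only changes its behaviour for requests it believes come from Google, one cheap defender-side check is to compare what Googlebot-style clients and ordinary browsers receive for the same URL in the IIS logs. The script below is an added example, not code from the cited report or from the UAT-8099 tooling; the log lines are constructed, and the field names follow the IIS W3C extended log format.

```python
"""Flag URLs on an IIS server whose responses differ sharply between
Googlebot-like user agents and everyone else (a cloaking signal)."""
from collections import defaultdict
from statistics import median

# Constructed sample in IIS W3C format (spaces inside a field appear as '+').
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2025-05-01 10:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 200 5120
2025-05-01 10:00:02 10.0.0.5 GET /index.aspx - 443 - 192.0.2.44 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 48210
2025-05-01 10:00:03 10.0.0.5 GET /about.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 200 3000
2025-05-01 10:00:04 10.0.0.5 GET /about.aspx - 443 - 192.0.2.44 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 3010
2025-05-01 10:00:05 10.0.0.5 GET /index.aspx - 443 - 203.0.113.8 Mozilla/5.0+(Macintosh)+Safari/17 200 5100
"""

def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_cloaking_candidates(log_text, ratio=3.0):
    """Return URIs where Googlebot-like clients get a different status set
    or a response size at least `ratio` times larger/smaller than others."""
    by_uri = defaultdict(lambda: {"bot": [], "other": []})
    for rec in parse_w3c(log_text):
        # The UA is client-controlled, but that is exactly the key the
        # malware switches on, so bucket by it and compare what was served.
        bucket = "bot" if "googlebot" in rec.get("cs(User-Agent)", "").lower() else "other"
        by_uri[rec["cs-uri-stem"]][bucket].append((int(rec["sc-status"]), int(rec["sc-bytes"])))
    flagged = []
    for uri, groups in sorted(by_uri.items()):
        if not groups["bot"] or not groups["other"]:
            continue  # need both populations to compare
        bot_bytes = median(b for _, b in groups["bot"])
        other_bytes = median(b for _, b in groups["other"])
        skew = max(bot_bytes, other_bytes) / max(1, min(bot_bytes, other_bytes))
        status_differs = {s for s, _ in groups["bot"]} != {s for s, _ in groups["other"]}
        if skew >= ratio or status_differs:
            flagged.append({"uri": uri, "bot_bytes": bot_bytes,
                            "other_bytes": other_bytes, "skew": round(skew, 1)})
    return flagged
```

Run it against real IIS logs by reading the file into `find_cloaking_candidates`; a flagged URI is a reason to inspect the site's loaded IIS modules and handlers, not proof on its own.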

According to reports from cybersecurity researchers, UAT-8099 manipulates search rankings by focusing on high-value and reputable IIS servers in the target regions. The backlinking technique they employ is conventional, designed to increase the visibility of websites, but it carries the risk of penalties from Google if the quality of these links is not adequate.

Once they manage to compromise a server, the group puts persistence measures in place to maintain control, such as enabling guest account access and using the Remote Desktop Protocol (RDP) to reach the IIS servers. This persistence allows them to search for valuable data within the compromised systems, which can then be resold or further exploited.

While it is unclear how many servers have been compromised to date, the sophistication and adaptability of the UAT-8099 group stand out in the growing threat of SEO-based cyber fraud, raising serious concerns about the security of global digital infrastructures.