A newly identified search engine optimization manipulation campaign has compromised the security of Internet Information Services (IIS) servers worldwide. Trend Micro researchers have uncovered a financially motivated SEO manipulation attack leveraging malware known as BadIIS, targeting organizations across Asia and beyond.
The BadIIS SEO Attack Explained
BadIIS is a sophisticated malware variant that enables cybercriminals to manipulate search engine rankings and redirect unsuspecting users to illicit websites. The latest campaign, which has primarily affected India, Thailand, and Vietnam, demonstrates how attackers exploit vulnerable IIS servers to deploy BadIIS and monetize their activities through illicit gambling promotions and malware distribution.
According to researchers, once an IIS server is compromised, BadIIS alters its responses to web requests. Users who attempt to access legitimate content will instead be redirected to one of two potential destinations:
- Illegal gambling websites – Redirected traffic is monetized through illicit gambling operations, generating revenue for threat actors.
- Malicious servers – Visitors may be unknowingly directed to attacker-controlled sites hosting malware or phishing pages, further endangering their devices and personal data.
BadIIS Attack Impact and Victims
Although the campaign primarily targets Asian countries (India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, and Japan), its effects extend beyond regional boundaries. Researchers have also identified compromised IIS servers in Brazil, and Bangladesh has been flagged as a potential target.
These attacks have been observed on IIS servers owned by government entities, universities, technology firms, and telecommunications providers. The analysis of victims indicates that while most victims reside in the same geographic region as the compromised server, some have been impacted after visiting infected websites hosted elsewhere.
Chinese-Speaking Threat Actors Suspected to Be Behind BadIIS
Analysis of domain registrations, embedded strings, and code structures suggests that the campaign may be operated by Chinese-speaking cybercriminal groups. The malware’s behavior and coding similarities align with previously observed tactics used by Group11, a threat actor discussed in a 2021 Black Hat USA white paper. Notably, the new BadIIS variant features an OnSendResponse handler instead of OnBeginRequest, a technical shift that reflects an evolving attack methodology.
How BadIIS Manipulates SEO for Profit
The core of this campaign revolves around SEO fraud, leveraging IIS vulnerabilities to manipulate search engine results and drive traffic to illegitimate sites. The malware checks the User-Agent and Referer fields of incoming HTTP requests for keywords associated with search engines such as Google, Bing, Baidu, and Naver. If one of these keywords is found, the malware redirects the request to fraudulent gambling sites rather than serving the intended legitimate content.
List of targeted keywords:
- User-Agent field: 360, baidu, bing, coccoc, daum, google, naver, sogou, yisou
- Referer field: baidu.com, bing.com, Coccoc, daum.net, google, naver.com, so.com, sogou.com, sm.cn
In addition to SEO fraud, BadIIS operates in injector mode, inserting malicious JavaScript code into the response sent to legitimate visitors. This technique allows attackers to dynamically load and execute malicious scripts, further compromising user security.
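Because BadIIS only redirects traffic whose User-Agent or Referer carries one of the keywords above, a server's own W3C logs can reveal the cloaking: search-engine traffic redirected at a much higher rate than everyone else. The following is an added example, not code from the Trend Micro report; the keyword lists are the ones quoted above and the log lines are constructed.

```python
# Added example: scan IIS W3C log lines for search-engine traffic answered with a
# redirect, the symptom BadIIS produces. Keyword lists are the ones the article quotes.

UA_KEYWORDS = ("360", "baidu", "bing", "coccoc", "daum", "google", "naver", "sogou", "yisou")
REFERER_KEYWORDS = ("baidu.com", "bing.com", "coccoc", "daum.net", "google",
                    "naver.com", "so.com", "sogou.com", "sm.cn")
REDIRECT_CODES = {"301", "302", "303", "307", "308"}

# Constructed sample in IIS W3C format (spaces inside a field are written as '+').
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-02-07 08:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302 0 0 15
2025-02-07 08:00:02 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0 12
2025-02-07 08:00:03 10.0.0.5 GET /about.html - 443 - 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 https://www.google.com/ 302 0 0 9
2025-02-07 08:00:04 10.0.0.5 GET /about.html - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 https://example.org/ 200 0 0 8
"""

def parse_w3c(text):
    """Yield one dict per request line, using the field order declared in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def looks_like_search_traffic(rec):
    """True if the User-Agent or Referer carries one of the keywords BadIIS keys on."""
    ua = rec.get("cs(User-Agent)", "-").lower()
    ref = rec.get("cs(Referer)", "-").lower()
    return any(k in ua for k in UA_KEYWORDS) or any(k in ref for k in REFERER_KEYWORDS)

def find_cloaked_redirects(text):
    """Return (hits, counts): redirected search-engine requests and per-bucket totals."""
    hits = []
    counts = {"search": [0, 0], "other": [0, 0]}   # bucket -> [requests, redirects]
    for rec in parse_w3c(text):
        is_search = looks_like_search_traffic(rec)
        redirected = rec["sc-status"] in REDIRECT_CODES
        bucket = counts["search" if is_search else "other"]
        bucket[0] += 1
        bucket[1] += int(redirected)
        if is_search and redirected:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits, counts

if __name__ == "__main__":
    hits, counts = find_cloaked_redirects(SAMPLE_LOG)
    print("search:", counts["search"], "other:", counts["other"])
    for ip, path, status in hits:
        print(f"  {ip} {path} -> {status}")
```

A site that legitimately redirects everyone (for example HTTP to HTTPS) will show similar rates in both buckets; it is the gap between the search bucket and the other bucket that points at cloaking.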
How to Protect IIS Servers
Microsoft’s Internet Information Services (IIS) is a widely used web server platform that powers numerous organizations’ online services. However, its broad adoption also makes it an attractive target for cybercriminals, as evidenced by this latest BadIIS campaign. Exploiting IIS vulnerabilities allows attackers to inject malicious content into legitimate websites, putting both site owners and visitors at risk.
The consequences of compromised IIS servers extend beyond technical damage: organizations risk losing customer trust, facing legal repercussions, and suffering reputational harm when their sites are used to distribute malicious content. As advised by Trend Micro, organizations can adopt the following practices to mitigate the risk of falling victim to BadIIS or a similar operation:
- Identify and patch vulnerabilities – Regularly scan IIS servers for security weaknesses and apply critical updates to prevent exploitation.
- Monitor for suspicious module installations – Detect unexpected IIS module installations, especially those located in uncommon directories.
- Strengthen access controls – Restrict administrator access, enforce multi-factor authentication (MFA), and use strong, unique passwords for all privileged accounts.
- Deploy firewalls and network security measures – Control and monitor network traffic to and from IIS servers to limit exposure to unauthorized access.
- Continuously monitor IIS logs – Keep a close eye on server activity, looking for anomalies such as unusual traffic spikes or unexpected file modifications.
- Harden IIS configurations – Reduce the attack surface by disabling unnecessary services and features, ensuring only essential functions remain active.
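BadIIS is a native IIS module, so the second item above amounts to auditing the `globalModules` section of applicationHost.config for DLLs loaded from unexpected places. This added example (not Trend Micro's or Microsoft's code) does that offline against a constructed excerpt; the list of trusted directories is an assumption that should be extended with whatever a given deployment legitimately installs.

```python
import xml.etree.ElementTree as ET

# Locations IIS native modules are normally loaded from (assumed for this example).
# Compared case-insensitively against the literal 'image' attribute, so both the
# %windir% form and the expanded path are covered.
TRUSTED_DIRS = (
    r"%windir%\system32\inetsrv", r"c:\windows\system32\inetsrv",
    r"%windir%\microsoft.net\framework64", r"c:\windows\microsoft.net\framework64",
    r"%programfiles%\iis", r"c:\program files\iis",
)

# Constructed applicationHost.config excerpt; on a real server read
# %windir%\System32\inetsrv\config\applicationHost.config instead.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="AspNetCoreModuleV2" image="%ProgramFiles%\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll" />
      <add name="HelperModule" image="C:\inetpub\temp\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

def audit_global_modules(config_xml):
    """Return (name, image) for every registered native module whose DLL sits outside TRUSTED_DIRS."""
    root = ET.fromstring(config_xml)
    flagged = []
    for section in root.iter("globalModules"):      # avoids a path lookup on 'system.webServer'
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            normalized = image.lower().replace("/", "\\")
            if not any(normalized.startswith(d) for d in TRUSTED_DIRS):
                flagged.append((name, image))
    return flagged

if __name__ == "__main__":
    for name, image in audit_global_modules(SAMPLE_CONFIG):
        print(f"review module {name!r}: loaded from {image}")
```

A flagged entry is a lead, not proof of compromise; confirm it by checking the DLL's Authenticode signature and install date, and compare the list against a known-good server.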