Dissecting UAT-8099: New persistence mechanisms and regional focus
Released on 2026-01-29 @ 12:49:58 PM
UAT-8099's latest campaign, active from August 2025 to early 2026, targets vulnerable IIS servers across Asia, with a focus on Thailand and Vietnam. The threat actor employs web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New BadIIS variants are customized for specific regions, with enhanced persistence mechanisms and SEO fraud tactics. The malware now includes features such as hardcoded target regions, exclusive file extensions, and the ability to load HTML templates. A Linux ELF variant of BadIIS was also identified. The campaign shows significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.