VERY IMPORTANT

A Chinese-speaking cybercrime group, REF4033, has orchestrated a massive SEO poisoning campaign, compromising over 1,800 Windows web servers worldwide using the BADIIS malware. The campaign operates in two phases: serving keyword-stuffed HTML to search engine crawlers and redirecting victims to illicit websites. The group deploys BADIIS, a malicious IIS module, to hijack legitimate servers for manipulating search engine rankings and facilitating financial fraud. The campaign primarily targets the APAC region, with China and Vietnam accounting for 82% of compromised servers. Victims span various sectors, including government agencies, educational institutions, and financial services. The attackers use sophisticated techniques for stealth and anti-tampering, employing Chinese encryption standards and commercial obfuscation tools.