National Cyber Warfare Foundation (NCWF)

UAT-8099


2026-01-31 18:13:50
blscott

UAT-8099 is a Chinese-language cybercrime group engaged in sophisticated server compromise operations, primarily targeting Microsoft Internet Information Services (IIS) web servers for financial gain through search-engine optimization (SEO) fraud and credential/data theft. First publicly documented in 2025, UAT-8099’s activity has evolved into a highly regionalized threat campaign spanning parts of Asia, with continuing activity into early 2026.

What Makes UAT-8099 Significant?

Unlike commodity malware groups, UAT-8099 is notable for combining multiple advanced tactics:

  • Server-side SEO poisoning: Instead of typical phishing or exploit-based infection vectors, they compromise legitimate web servers and implant malware to alter HTTP responses, redirecting search engine crawlers to SEO-fraud sites.

  • Persistent server control: Through web shells, PowerShell scripts, and legitimate tools such as GotoHTTP and SoftEther VPN, the group maintains remote access to compromised hosts.

  • Adaptable persistence techniques: When a commonly used hidden-account name (such as admin$) is blocked by defenders, UAT-8099 automatically pivots to alternatives such as mysql$, admin1$, admin2$, or power$ to sustain its foothold.
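The "implant malware to alter HTTP responses" tactic above relies on code that runs inside the IIS worker process; BadIIS-family implants are installed as native IIS modules (a detail not stated on this page but well documented elsewhere). One defender-side check is to audit the server's applicationHost.config for global modules loaded from anywhere other than the IIS install directory. The script below is an added example written for this page, not tooling from NCWF or any vendor; the embedded config snippet is constructed, and the "HttpCacheModule" entry pointing at C:\inetpub\temp\cache.dll is a hypothetical implant path, not an indicator from the page.

```python
"""Audit IIS applicationHost.config for native modules loaded from unexpected paths.

Added example for illustration; not code from the page or from any vendor.
Assumes the default IIS layout, where legitimate native modules live under
%windir%\System32\inetsrv (and managed-runtime shims under Microsoft.NET).
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Directories that normally hold legitimate native IIS modules (assumption: default install).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\Microsoft.NET"),
)

# Constructed sample config: two stock entries plus one hypothetical implant that
# reuses a legitimate-looking module name but loads from an unusual directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="IsapiModule" image="%windir%\\System32\\inetsrv\\isapi.dll" />
      <add name="HttpCacheModule" image="C:\\inetpub\\temp\\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def expand_env(path, windir=r"C:\Windows"):
    """Resolve %windir% / %SystemRoot% (case-insensitive) so paths compare cleanly."""
    return re.sub(r"%(windir|systemroot)%", lambda _m: windir, path, flags=re.IGNORECASE)


def is_trusted(image):
    """True if the module image sits under one of the trusted directories."""
    parts = [p.lower() for p in PureWindowsPath(expand_env(image)).parts]
    for trusted in TRUSTED_DIRS:
        prefix = [p.lower() for p in trusted.parts]
        if parts[: len(prefix)] == prefix:
            return True
    return False


def suspicious_modules(config_xml):
    """Return (name, image) for every <globalModules><add> whose image path is untrusted."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for entry in global_modules.findall("add"):
            image = entry.get("image")
            if image and not is_trusted(image):
                findings.append((entry.get("name"), image))
    return findings


if __name__ == "__main__":
    # Usage: python audit_modules.py [path\to\applicationHost.config]
    # Without an argument the constructed sample is audited.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, image in suspicious_modules(xml_text):
        print(f"untrusted global module: {name} -> {image}")
```

Path location is only one signal: an attacker who can write applicationHost.config can usually also drop a DLL into inetsrv itself, so pair this with a baseline of expected module names and file hashes taken from a known-clean server, and treat any new `<globalModules>` entry as an event worth alerting on regardless of where it loads from.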

How UAT-8099 Operates

The attack chain follows a pattern seen in server compromise operations but with notable customizations:

  1. Initial Access & Exploitation
    Vulnerable IIS servers—often exposed due to weak upload restrictions or unpatched vulnerabilities—are exploited to drop a web shell.

  2. Reconnaissance and Tool Deployment
    Standard enumeration commands (e.g., whoami, tasklist) precede the deployment of tools to establish persistence and evade detection.

  3. Malware Deployment
    The group deploys custom variants of the BadIIS malware, adapted for regional SEO targets (e.g., Vietnam vs. Thailand), and often packaged within zip archives named by region (e.g., TH.zip, VN.zip).

  4. Persistence & Control
    Hidden user accounts are created, and remote access is facilitated using legitimate remote tools. Scripts and automation streamline reinfection and service restart if disrupted.

  5. SEO Poisoning & Redirect Logic
    The malware inspects incoming HTTP requests; if a search engine crawler is detected, it redirects to SEO fraud content. For regular users with specific locale headers (like Thai Accept-Language), it injects malicious JavaScript to influence search rankings.
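The redirect logic in step 5 leaves a footprint in the server's own logs: the same URL answers search-engine crawlers with a redirect while ordinary visitors get a normal 200. The script below, an added example that is not part of this NCWF page or any vendor tool, parses IIS W3C log lines (the `#Fields:` directive defines the columns; IIS replaces spaces in User-Agent values with `+`) and flags URLs that show that split behaviour. The log lines and addresses are constructed sample data, and the crawler marker list is an assumption a deployment would extend.

```python
"""Flag crawler-only redirects ("cloaking") in IIS W3C extended log files.

Added example for illustration; not code from the page or from any vendor.
Assumes default IIS W3C logging with cs(User-Agent) and sc-status enabled.
"""
from collections import defaultdict

# Substrings that identify major search-engine crawlers (assumption; extend for your traffic).
CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot", "duckduckbot")

# Constructed sample log. /news/index.html redirects crawlers only (suspicious);
# /about.html serves everyone a 200 (benign); /old-page redirects everyone (benign move).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-01-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-01-15 00:01:02 10.0.0.5 GET /news/index.html - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 12
2026-01-15 00:01:05 10.0.0.5 GET /news/index.html - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - 200 0 0 20
2026-01-15 00:01:09 10.0.0.5 GET /about.html - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 200 0 0 8
2026-01-15 00:01:11 10.0.0.5 GET /about.html - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - 200 0 0 9
2026-01-15 00:01:15 10.0.0.5 GET /old-page - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 301 0 0 3
2026-01-15 00:01:18 10.0.0.5 GET /old-page - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - 301 0 0 3
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by W3C field name.

    Column order comes from the most recent '#Fields:' directive, which IIS may
    repeat mid-file; rows whose column count does not match are skipped rather
    than silently misaligned."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_crawler(user_agent):
    """Crude crawler classification by User-Agent substring (case-insensitive)."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def find_cloaking(lines):
    """Return URLs where crawlers received a 3xx while ordinary visitors only saw 200."""
    per_url = defaultdict(lambda: {"crawler": set(), "user": set()})
    for rec in parse_w3c(lines):
        if rec.get("cs-method") != "GET":
            continue
        bucket = "crawler" if is_crawler(rec.get("cs(User-Agent)", "")) else "user"
        per_url[rec["cs-uri-stem"]][bucket].add(int(rec["sc-status"]))

    suspicious = []
    for url, seen in sorted(per_url.items()):
        crawler_redirected = any(300 <= status < 400 for status in seen["crawler"])
        users_served_normally = bool(seen["user"]) and all(s == 200 for s in seen["user"])
        if crawler_redirected and users_served_normally:
            suspicious.append({"url": url,
                               "crawler": sorted(seen["crawler"]),
                               "user": sorted(seen["user"])})
    return suspicious


if __name__ == "__main__":
    for hit in find_cloaking(SAMPLE_LOG.splitlines()):
        print(f"crawler-only redirect on {hit['url']}: crawlers {hit['crawler']}, users {hit['user']}")
```

This catches only the crawler branch of the logic described above. The locale-targeted JavaScript injection returns a 200 to the visitor, and default IIS logging records neither Accept-Language nor the response body, so for that branch compare the page actually served (fetched with and without a Thai Accept-Language header) against a known-good copy, or add the Accept-Language header as a custom logged field where the IIS version supports it. Sites that legitimately vary responses by User-Agent will need an allowlist to keep this check quiet.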

Campaign Scope and Victimology

While targeting is broad, the most heavily impacted regions include:

  • Thailand and Vietnam — primary focus in recent campaigns.

  • Additional observed victims in India, Pakistan, Japan, Canada, and Brazil in earlier phases of campaigns.

Typical targets are high-visibility IIS servers, such as those belonging to technology firms, universities, telecom providers, and other organizations whose domain authority can be abused for SEO manipulation.

a.k.a.
BadIIS
BadIIS Group
 
Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.