Targeted Attacks on IIS Servers by UAT-8099 Uncovered by Cisco Talos
Recent research from Cisco Talos reveals a new campaign by the group UAT-8099 targeting vulnerable Internet Information Services (IIS) servers, particularly in Thailand and Vietnam. The campaign, which appears to have been active from late 2025 into early 2026, shows operational ties to the previously identified WEBJACK campaign.
UAT-8099 chains web shells, PowerShell, and the legitimate GotoHTTP remote-access tool to gain and keep remote access to compromised IIS servers. The newest variants of its BadIIS malware hardcode region-specific values, such as distinct file and directory names, for each target country. Mixing legitimate tools with custom malware in this way helps the actor persist on a host while blending in with normal administrative activity. Talos's behavioral analysis shows a consistent sequence: reconnaissance of the host, creation of new local accounts for continued access, and deployment of additional malware builds tailored to the targeted region.
The implications are significant: the attackers tailor their activity to each locale, which can affect the integrity and availability of web services in the targeted countries. Organizations running IIS in the affected regions are at risk, especially where servers are unpatched or have not been hardened against these new variants.
Why this matters: This campaign shows attackers customizing tooling for a specific region's web infrastructure rather than running one generic payload everywhere. Security teams must ensure that IIS servers are patched and that the indicators below are monitored, not just the generic signs of a web-server compromise.
Recommended Security Measures: Feed threat intelligence into SIEM detections for IIS servers, alert on local account creation (Windows Security event ID 4720) and on the appearance of remote-access tools such as GotoHTTP, and keep firewall rules tight on outbound connections from web servers. Regular vulnerability assessments can identify weaknesses in exposed IIS instances that UAT-8099 could exploit for initial access.
Indicators of Compromise (IOCs):
- New user accounts: “admin$”, “mysql$”, “admin1$”, “admin2$”, “power$”
- Specific file, directory, and malware names indicating targeted regions (e.g., “VN”, “TH” in archive names)
- Configuration file of the GotoHTTP remote-access tool: “gotohttp.ini”
- Malware hashes, command-and-control (C2) domains (not provided in the article but referenced as available in Talos’s GitHub repository).
For more technical details and specific IOCs, refer to Talos’s comprehensive documentation and their GitHub repository.
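The account-name and file-name indicators above are simple enough to check mechanically. The script below is an added example, not code from Talos or from the article, showing how a responder can run those indicators over exported Windows Security event 4720 (user account created) records and a file listing from an IIS host. The sample events and paths are constructed here so the script runs offline; the GotoHTTP directory, timestamps and account names other than those quoted above are assumptions. It also generalizes one step beyond the page: every listed account name ends in "$", a suffix that keeps an account out of `net user` output, so any newly created "$"-suffixed local account is flagged, not only the five names Talos published.

```python
"""Triage helper for the UAT-8099 account and file-name indicators.

Added example, not from the Talos report. Inputs are constructed sample data.
"""
import re
from os.path import basename

# Indicators as quoted in the IOC list above.
SUSPECT_ACCOUNTS = {"admin$", "mysql$", "admin1$", "admin2$", "power$"}
REGION_TAGS = ("VN", "TH")
GOTOHTTP_CONFIG = "gotohttp.ini"
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

# Generalisation (assumption, not from the page): every listed name ends in
# '$', which hides the account from `net user` output, so any new
# '$'-suffixed local account is worth a look. Computer accounts also end in
# '$', but their creation is logged as event 4741, not 4720, so they do not
# reach this check.
HIDDEN_ACCOUNT_RE = re.compile(r"^[\w.-]+\$$")

# A region tag must stand alone in the archive name (tools_VN.zip,
# TH_mod.rar); matching it as a substring (THEME.zip, PATH.zip) is noise.
REGION_TAG_RE = re.compile(r"(?<![A-Za-z])(?:%s)(?![A-Za-z])" % "|".join(REGION_TAGS))


def flag_account_creations(events):
    """Return (event, reason) for Security event 4720 records that match.

    Each event is a dict with the fields an exported 4720 record carries:
    EventID, TimeCreated, SubjectUserName (who created it), TargetUserName.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue  # only account creations, not deletions or changes
        name = ev.get("TargetUserName", "")
        if name.lower() in SUSPECT_ACCOUNTS:
            hits.append((ev, "listed UAT-8099 account name"))
        elif HIDDEN_ACCOUNT_RE.match(name):
            hits.append((ev, "'$'-suffixed (hidden) local account"))
    return hits


def flag_paths(paths):
    """Return (path, reason) for file paths matching the file-name IOCs."""
    hits = []
    for p in paths:
        name = basename(p.replace("\\", "/"))  # accept Windows paths on any OS
        low = name.lower()
        if low == GOTOHTTP_CONFIG:
            hits.append((p, "GotoHTTP configuration file"))
        elif low.endswith(ARCHIVE_EXTS) and REGION_TAG_RE.search(name):
            hits.append((p, "region-tagged archive"))
    return hits


# Constructed sample input: what an export of 4720 events and a directory
# walk might look like after the intrusion described above.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2026-01-12T03:14:07Z",
     "SubjectUserName": "iis_apppool", "TargetUserName": "admin$"},
    {"EventID": 4720, "TimeCreated": "2026-01-12T03:14:09Z",
     "SubjectUserName": "iis_apppool", "TargetUserName": "backup$"},
    {"EventID": 4720, "TimeCreated": "2026-01-10T09:00:00Z",
     "SubjectUserName": "Administrator", "TargetUserName": "svc_backup"},
    {"EventID": 4726, "TimeCreated": "2026-01-11T10:00:00Z",
     "SubjectUserName": "Administrator", "TargetUserName": "mysql$"},
]
SAMPLE_PATHS = [
    r"C:\ProgramData\GotoHTTP\gotohttp.ini",      # assumed install location
    r"C:\inetpub\wwwroot\upload\tools_VN.zip",
    r"C:\inetpub\wwwroot\upload\TH_mod.rar",
    r"C:\inetpub\wwwroot\themes\THEME.zip",       # must not match
    r"C:\Windows\Temp\month.zip",                 # must not match
    r"C:\inetpub\wwwroot\index.aspx",
]


def triage(events=SAMPLE_EVENTS, paths=SAMPLE_PATHS):
    """Run both checks and return the findings keyed by indicator type."""
    return {"accounts": flag_account_creations(events), "files": flag_paths(paths)}


if __name__ == "__main__":
    report = triage()
    for ev, why in report["accounts"]:
        print(f"[account] {ev['TimeCreated']} {ev['TargetUserName']!r} "
              f"created by {ev['SubjectUserName']}: {why}")
    for path, why in report["files"]:
        print(f"[file]    {path}: {why}")
```

On a real host the events would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720}` exported to JSON, and the paths from a walk of the IIS web roots and ProgramData. The hash and C2 indicators Talos publishes on GitHub are better handled by the SIEM than by a script like this.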