Introduction

WithSecure’s STINGR has been investigating a malware campaign, tracked as WEBJACK, which compromises Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware family. The hijacked servers are being abused for SEO poisoning and fraud, redirecting users to casino, gambling, or betting websites. The threat actor has compromised high-profile targets, including government institutions, universities, tech firms, and many other organizations, abusing their domain reputation to serve fraudulent content through search engine results pages (SERPs).

The initial infection vector remains unknown, but prior BadIIS intrusions have leveraged vulnerable web applications, stolen administrator credentials, and access purchased from initial-access brokers. It is plausible that the WEBJACK operators used similar methods to gain control of the IIS servers before installing their custom modules.

To conduct their attack, the threat actor deployed a variety of tools and malware that circulate widely within the Chinese-speaking cybercriminal ecosystem. Together with other indicators, this strongly suggests that a Chinese-speaking threat actor is behind the operation.

WithSecure’s STINGR also noted similar operations recently reported by Talos, Unit42, and ESET. These operations share many similarities, including their objectives and TTPs; however, we currently track them as related but separate activity clusters.

Malicious IIS Module

The core of WEBJACK lies in its IIS modules. The attacker deployed the malicious IIS modules as “fashttp.dll” (also seen as “fasthttp.dll”) and “cgihttp.dll”. Both were packed with Enigma, a commercial software protector often abused by malware operators to make reverse engineering and detection more difficult.

The DLLs export a “RegisterModule” function, which serves as the entry point for IIS native modules. Inside “RegisterModule”, the module registers a factory that returns instances of a class derived from “CHttpModule” to handle incoming HTTP requests, the same pattern documented in earlier BadIIS activity. The decompiled code also shows the module constructing the attacker-controlled URL used for the page injection and redirector logic. While “RegisterModule” is common to legitimate IIS modules, the combination of this pattern and the URL construction strongly supports this sample being a continuation of the BadIIS family, with only slight modifications.

Figure 1. Portion of the data segment showing the attacker-controlled URL.

Analysis of these BadIIS malware variants also revealed embedded Program Database (PDB) file paths and compilation timestamps dating to July 2025. Such artifacts provide useful insights into the development environment behind the campaign. The observed PDB strings include:

  • C:\Users\Administrator\Desktop\IIS\IISHijack\Release\IISHijack.pdb
  • C:\Users\Administrator\Desktop\IIS\IISHijack\x64\Release\IISHijack.pdb
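
Because every native module, legitimate or malicious, is registered in the same way (a DLL listed under globalModules that exports RegisterModule), the registration list itself is the place to audit. The script below is an added example written for this page, not code from the report or from WithSecure: it parses an applicationHost.config export (the live file is at %windir%\System32\inetsrv\config\applicationHost.config) and flags global modules whose DLL sits outside the standard IIS/.NET directories or whose file name matches the module names reported for WEBJACK. The sample configuration, the module names other than fashttp.dll/fasthttp.dll/cgihttp.dll, and the C:\inetpub path are constructed for the demo.

```python
"""Audit IIS native (global) modules in an applicationHost.config export.

Added example, not code from the WithSecure report. Flags global modules
whose DLL lives outside the standard IIS/.NET directories or whose file name
matches the module names reported for WEBJACK. The sample config below is
constructed for the demo.
"""
import os
import re
import xml.etree.ElementTree as ET

# Module file names reported for WEBJACK (matched case-insensitively).
SUSPECT_NAMES = {"fashttp.dll", "fasthttp.dll", "cgihttp.dll"}

# Directories where Microsoft-shipped native modules normally live, matched
# after environment-variable expansion and lower-casing.
TRUSTED_DIR_PATTERNS = [
    r"^[a-z]:\\windows\\system32\\inetsrv\\",
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\",
]


def expand_image(path):
    """Expand %windir%/%SystemRoot% the way IIS does. A fixed C:\\Windows is
    assumed so the check behaves identically on a non-Windows analysis host."""
    return re.sub(r"%(windir|systemroot)%", r"C:\\Windows", path, flags=re.IGNORECASE)


def is_trusted_path(image):
    """True when the DLL path is inside one of the standard IIS/.NET directories."""
    norm = expand_image(image).lower()
    return any(re.match(p, norm) for p in TRUSTED_DIR_PATTERNS)


def audit_global_modules(xml_text):
    """Return a list of (module name, image path, reasons) for suspicious entries."""
    root = ET.fromstring(xml_text)
    global_modules = root.find(".//globalModules")
    findings = []
    for mod in (global_modules if global_modules is not None else []):
        name, image = mod.get("name", ""), mod.get("image", "")
        reasons = []
        # Normalise separators so basename() works on both Windows and POSIX.
        if os.path.basename(image.replace("\\", "/")).lower() in SUSPECT_NAMES:
            reasons.append("file name matches a WEBJACK module name")
        if not is_trusted_path(image):
            reasons.append("image is outside the standard IIS/.NET directories")
        if reasons:
            findings.append((name, image, reasons))
    return findings


# Constructed sample: two genuine Microsoft modules plus two entries modelled
# on the WEBJACK names (the hypothetical paths are not from the report).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="FastHttpModule" image="C:\inetpub\wwwroot\bin\fashttp.dll" />
      <add name="CgiHttp" image="%windir%\System32\inetsrv\cgihttp.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image}\n  - " + "\n  - ".join(reasons))
```

The path check deliberately flags anything outside the Microsoft directories, including legitimate third-party modules, so the output is a review list rather than a verdict; the name check is kept separate because a copy dropped into the inetsrv directory would otherwise pass. Hashing each flagged image and comparing against the IOC list at the end of this report is the natural next step.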


SEO Fraud Operations

Using the malicious IIS modules described above, the operator implemented a large-scale search engine manipulation scheme. The module selectively serves attacker-controlled content to search engine crawlers while returning a different response (a redirect or a 404) to ordinary visitors. The objective is straightforward: the attackers aim to get fraudulent SEO-optimized content indexed across search engines under legitimate domains, and then funnel real users who click those indexed links to monetized destinations such as gambling sites.

The module inspects the incoming request and branches based on request characteristics, including:

  • User-Agent – to detect crawlers (the code specifically checks for Bingbot, Googlebot, Coccocbot, and Yahoo).
  • HTTP Referer – to determine if a human visitor arrived via a search engine result.
  • Operator configuration – which determines whether the instance uses page injection, redirector, or link injection logic.

Depending on the configuration, the module behaves in one of three modes explained below.

Figure 2. Flow of WEBJACK SEO fraud.

Page Injection

In this mode, the module serves content from attacker infrastructure such as “seo[.]667759[.]com” and “w3c[.]sneaws[.]com”. Older variants encoded parameters in Base64 using the format “URL_HOSTS.'[H]'.$_SERVER['REQUEST_URI'].'[H]VN'”. The resulting string is appended to the URL path, for example: “w3c[.]sneaws[.]com/<ENCODED_BASE64>”.

Newer variants shift to cleartext parameters, for example: “tdk[.]hunanduodao[.]com/tdk.php?domain=<REDACTED>.com&path=<REDACTED>.shtml”. If the visitor is not a crawler, the server returns a 404 response.

In many cases the module creates new pages under the compromised domain to host the injected content rather than modifying existing site pages. Serving attacker-controlled content from newly created paths helps conceal the technique by avoiding changes to the site’s visible pages where administrators and users are most likely to notice tampering.

Page injection is the main mechanism through which the attackers achieve search engine visibility. The module delivers SEO-optimized content and backlinks only to web crawlers, ensuring that search engines index the attacker-controlled pages under legitimate domains. This approach allows the poisoned content to inherit the reputation and ranking of trusted sites, significantly increasing its visibility and likelihood of being clicked. Normal visitors, however, do not see this injected content; they receive the original page or a 404 response, keeping the manipulation hidden while the attackers benefit from the indexed traffic. These indexed results later serve as the entry point for redirecting users to monetized destinations such as gambling sites.

Figure 3. Content served to crawlers.

Redirector

In most deployments, the page injection logic extends with a redirector. The module examines the “HTTP Referer” field to determine where the visitor comes from. If the visitor arrived via Google or another search engine, the module redirects them to gambling websites. If no referrer is present, the server responds with 404.

This behavior represents the monetization phase of the operation. Once the attacker-controlled content is indexed through the page injection mechanism, real users who click those poisoned search results are seamlessly redirected to fraudulent or monetized destinations. This two-stage process, first manipulating search engine indexing and then redirecting legitimate traffic, ensures that the attackers profit from organic search visibility while keeping the underlying compromise hidden from site owners and casual visitors.

By redirecting only users who arrive from search results, the threat actors maintain a low operational footprint, reducing the likelihood of detection by administrators manually visiting their own websites.

Link Injection

In this configuration, the module retrieves a randomized daily link list from the threat actors’ servers such as “seo[.]667759[.]com” or “google[.]sneaws[.]com/getpath” and inserts it at the top of the page, but only when a crawler visits. Non-crawler visitors simply see the original page, concealing the fraud operations entirely.

The primary purpose of this behavior is backlink generation and rank manipulation. By injecting backlinks and tailored anchor text on many otherwise reputable compromised domains, the operators attempt to transfer credibility and relevance to their attacker-controlled pages. Rotating the link list daily helps the links appear fresh and less suspicious, while distributing links across many hosts scales the effect and makes takedown more difficult. These techniques are consistent with known black-hat SEO strategies. They increase perceived authority and topical relevance, so attacker pages are more likely to appear in search results, which are then monetized through the page-injection and redirector stages.
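
All three modes (page injection, redirector, link injection) share one observable property: the same URL answers differently depending on the User-Agent and Referer. A defender can therefore test a site they administer by requesting each URL three ways and diffing the results. The probe below is an added example written for this page, not code from the report or from WithSecure. It takes a `fetch(url, headers)` callable so it runs offline here against a constructed in-memory site (`example-victim.test`, the `*.example.invalid` link targets and the page paths are all made up); swapping in a real HTTP client turns it into a live check.

```python
"""Probe a URL for the search-engine cloaking patterns described for WEBJACK.

Added example, not code from the WithSecure report. The same URL is fetched
with a crawler User-Agent, an ordinary browser User-Agent, and the browser
User-Agent plus a search-engine Referer; the three responses are compared.
`fake_fetch` is a constructed stand-in for a compromised site so the probe
runs offline; replace it with a real HTTP client for a site you administer.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Response = namedtuple("Response", "status location body")

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
SEARCH_REFERER = "https://www.google.com/"
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def external_hosts(body, own_host):
    """Hosts linked from `body` that are not the site itself."""
    hosts = set()
    for href in HREF_RE.findall(body):
        host = urlparse(href).hostname
        if host and host.lower() != own_host:
            hosts.add(host.lower())
    return hosts


def probe_cloaking(url, fetch):
    """Return a list of findings for `url`; an empty list means all three views agree."""
    own_host = urlparse(url).hostname.lower()
    crawler = fetch(url, {"User-Agent": CRAWLER_UA})
    browser = fetch(url, {"User-Agent": BROWSER_UA})
    from_search = fetch(url, {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERER})
    findings = []
    # Page injection: the page exists only for crawlers.
    if crawler.status == 200 and browser.status == 404:
        findings.append("page-injection: 200 for crawler UA, 404 for browser UA")
    # Redirector: an off-site redirect that appears only with a search-engine Referer.
    if 300 <= from_search.status < 400 and from_search.location:
        target = (urlparse(from_search.location).hostname or "").lower()
        if target and target != own_host and not 300 <= browser.status < 400:
            findings.append(f"redirector: search-referred visitor sent to {target}")
    # Link injection: both views get a page, but the crawler's carries extra outbound links.
    if crawler.status == 200 and browser.status == 200:
        extra = external_hosts(crawler.body, own_host) - external_hosts(browser.body, own_host)
        if extra:
            findings.append("link-injection: crawler-only links to " + ", ".join(sorted(extra)))
    return findings


def fake_fetch(url, headers):
    """Constructed in-memory site reproducing the three WEBJACK behaviours (demo only)."""
    path = urlparse(url).path
    is_crawler = "Googlebot" in headers.get("User-Agent", "")
    from_search = "google.com" in headers.get("Referer", "")
    if path == "/news/promo.shtml":  # page injection combined with a redirector
        if is_crawler:
            return Response(200, None, "<h1>casino bet</h1><a href='https://bet.example.invalid/'>x</a>")
        if from_search:
            return Response(302, "https://bet.example.invalid/", "")
        return Response(404, None, "Not Found")
    if path == "/":  # link injection on an otherwise normal page
        links = "<a href='https://spin.example.invalid/'>a</a>" if is_crawler else ""
        return Response(200, None, links + "<h1>Welcome</h1><a href='/about.html'>about</a>")
    return Response(200, None, "<h1>About</h1>")  # untouched page


if __name__ == "__main__":
    base = "https://example-victim.test"
    for p in ("/news/promo.shtml", "/", "/about.html"):
        print(p, probe_cloaking(base + p, fake_fetch) or ["clean"])
```

Two caveats for live use: a site that legitimately varies content by User-Agent (mobile layouts, bot rate-limiting) will show differences that are not fraud, so findings are leads to inspect rather than proof; and because the report notes that injected pages are often created under new paths, the list of URLs to probe should come from the search engine's index of the domain (a `site:` query) and from the web server logs, not only from the site's own navigation.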

Figure 4. Randomized link list served to crawler.

Tooling & Payloads

Beyond the malicious IIS modules, the threat actor staged a range of tools and malware on the compromised servers to conduct their post-compromise activity. These tools are widely available in China’s red-team and penetration-testing communities but have been repurposed here for malicious use:

  • XlAnyLoader – a shellcode loader used to execute the “ca.bin” payload. It is unclear what “ca.bin” contained, but the loader can run any payload converted with Donut, which generates shellcode from PE files. This allows the execution of Cobalt Strike, Mimikatz, or any custom implant. The tool is actively marketed on Chinese-language forums as being able to bypass popular antivirus solutions.
  • SoftEther VPN – commonly abused by threat actors in malware campaigns for remote access and tunnelling. The VPN installers dropped in this campaign were infected with the “m0yv” file infector, a parasitic virus that attaches itself to executables. This could indicate that the attackers sourced the software from a compromised repository, or that their own systems were already infected.
  • FScan – a popular internal network scanner used for reconnaissance; it was also observed carrying the “m0yv” infection.
  • Sharp4RemoveLog – a .NET utility that clears all Windows event logs, typically used to erase forensic traces.
  • CnCrypt Protect – a Chinese file-protection utility. It offers capabilities such as file and registry protection, DLL and drive interception, file redirection, port redirection, and other interception/protection features. In an intrusion context it has been abused to hide malicious files and to redirect DLL loads to malicious DLLs, increasing the operator’s ability to conceal artifacts on compromised hosts.
  • GoToHTTP – an HTTP-based remote-control/C2 utility, also observed carrying the “m0yv” infection.
  • Cobalt Strike beacon – observed on compromised servers. One beacon connected externally to “79[.]142[.]76[.]244”, while another instance was seen communicating with an internal IP, likely routed through SoftEther VPN.
  • Cobalt Strike beacon – observed on compromised servers. One beacon connected externally to “79[.]142[.]76[.]244”, while another instance was seen communicating with an internal IP, likely routed through SoftEther VPN.

The use of these tools reflects how penetration-testing and red-team utilities are increasingly being adopted by threat actors. Instead of developing custom malware, they rely on what is already effective, trusted, and easily available. 

Infrastructure Insights

We identified at least 112 compromised domains running IIS servers as part of this campaign, with at least 65% located in Vietnam. The remainder were spread across Latin America and Asia, with a few isolated cases identified in Europe such as France. The true number is likely higher, as additional compromised servers may not yet have been uncovered.

Figure 5. Geographic distribution of compromised IIS servers.

The affected domains spanned a mix of sectors, most notably government, education, and public service websites, suggesting the operators opportunistically compromise high-profile or high-traffic IIS servers to maximize visibility for their SEO fraud operations rather than pursuing sector-specific objectives. 

Figure 6. Pie chart showing approximate sector proportions.

During investigation, PHP error messages leaked from threat actor-controlled servers. These exposed backend file paths such as:

  • /www/wwwroot/seo[.]667759[.]com/core/urlecxcel.php
  • /www/wwwroot/google[.]sneaws[.]com/core/urlecxcel.php
  • /www/wwwroot/google2[.]sneaws[.]com/core/pdo.php

Additional errors also revealed URLs like:

  • Warning: file_get_contents(https://jkt[.]667759[.]com/serveradmin.php?Method=index&Pajax=successfml): failed to open stream: HTTP request failed!
  • Warning: file_get_contents(https://jk[.]667759[.]com/serveradmin.php?Method=index&Pajax=success): failed to open stream: HTTP request failed!

Figure 7. PHP error messages exposed in Google search results.

These errors are significant because they revealed the backend architecture powering the SEO fraud and redirection systems. They also showed that the threat actors were working in a messy live environment where configuration errors exposed their infrastructure. Further analysis of several web panels linked to the infrastructure uncovered Chinese words and developer comments embedded within the panel code and HTML templates. This linguistic evidence reinforces the campaign’s Chinese nexus, aligning with the tooling and behavioral patterns observed throughout the operation.

This exposure provided valuable pivot points for mapping related infrastructure, identifying compromised victims, and tracking the operators’ broader activity set.

Figure 8. Example of backend panel error message in Chinese.
Figure 9. Example of backend panel code snippet containing Chinese words.

Downstream Victimology

The injected content showed a strong focus on gambling-related keywords and regional targeting across Southeast Asia and Latin America. Keywords included bet, casino, vegas, zinga, fun88, and many others. Approximately 70% of the keywords were in Vietnamese, with the remainder in English and Spanish. 

Compromised sites, mostly educational institutions, provincial government portals, and small business websites, remained largely in their original languages, with Vietnamese and Thai pages among the most common in Asia and Spanish pages prevalent across the Latin American infections. This reinforces the campaign’s focus on local-language SEO manipulation to attract users searching for gambling or “quick win” opportunities in their own regions.

Figure 10. Example of an SEO-poisoned search result redirecting to gambling content on a compromised website.

Attribution

The tools and operational characteristics observed in this campaign indicate a strong Chinese nexus. Tools such as XlAnyLoader, FScan, Sharp4RemoveLog, and CnCrypt Protect are of Chinese origin and widely used in both red-team and intrusion contexts.

One of the dominant threat actors engaging in such operations, as highlighted in previous reporting, is DragonRank. However, our confidence in attributing this activity cluster to DragonRank remains low. The group’s Telegram contact shifted from “tttseo” to “ggfa55”, as reflected on their website “ttseo66[.]com”, suggesting that DragonRank remains active. However, this campaign lacked other strong DragonRank hallmarks such as PlugX or the “mail[.]tttseo[.]com” C2 server. DragonRank also continues to openly promote its services on legitimate websites globally through SEO poisoning, while WEBJACK appears to be a narrower, monetization-focused operation.

Figure 11. DragonRank website ttseo66[.]com listing “ggfa55” as its current Telegram contact.
Figure 12. Google search for “ggfa55” showing active DragonRank advertisements.

Mitigation

To mitigate the risk of IIS hijacking similar to WEBJACK, organizations should proactively monitor for unauthorized IIS modules such as “fashttp.dll” or “cgihttp.dll”. Continuous monitoring and auditing of network traffic and system logs can help surface suspicious behaviour early on, especially when servers return different content to crawlers versus regular visitors. Outbound connections to known threat actor infrastructure should also be closely tracked.  

Since the campaign made use of widely available tools like XlAnyLoader, FScan, Sharp4RemoveLog, and CnCrypt Protect, organizations should remain alert for their presence within enterprise environments. These tools may not always be malicious in isolation, but their deployment alongside IIS hijacking activity is a strong indicator of compromise.

By combining proactive module checks with behavioural monitoring of both network traffic and tool usage, organizations can significantly reduce the likelihood of this activity escalating into data theft.
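
The log-based signal the mitigation section points at (a server answering crawlers differently from ordinary visitors) can be pulled straight out of the IIS W3C extended logs that IIS writes by default under %SystemDrive%\inetpub\logs\LogFiles. The script below is an added example written for this page, not code from the report or from WithSecure: it parses the `#Fields:` header, buckets each request by whether its User-Agent matches one of the crawlers the report says the module checks for, and reports paths that returned 200 only to crawlers, plus any 3xx handed to a visitor whose Referer was a search engine. The log lines are constructed for the demo, using documentation IP ranges and made-up paths.

```python
"""Hunt IIS W3C logs for crawler-conditional responses of the kind WEBJACK produces.

Added example, not code from the WithSecure report. Reads W3C extended log
lines (IIS's default format: a "#Fields:" header, '+' in place of spaces in
the User-Agent, '-' for empty fields) and reports:
  1. paths that answered 200 to crawler User-Agents but never 200 to anyone else;
  2. non-crawler requests redirected (3xx) when the Referer was a search engine.
The sample log below is constructed for the demo.
"""
from collections import defaultdict

# Crawler names the WEBJACK module keys on, per the report, and the
# search-engine referers the redirector stage acts on.
CRAWLER_MARKERS = ("googlebot", "bingbot", "coccocbot", "yahoo")
SEARCH_REFERERS = ("google.", "bing.", "coccoc.", "yahoo.")


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, parts))


def is_crawler(user_agent):
    return any(m in user_agent.lower() for m in CRAWLER_MARKERS)


def from_search_engine(referer):
    return any(m in referer.lower() for m in SEARCH_REFERERS)


def hunt(lines):
    """Return (cloaked_paths, referer_redirects) for the given log lines."""
    statuses = defaultdict(lambda: {"crawler": set(), "other": set()})
    referer_redirects = []
    for rec in parse_w3c(lines):
        path, status = rec["cs-uri-stem"], rec["sc-status"]
        ua, ref = rec.get("cs(User-Agent)", "-"), rec.get("cs(Referer)", "-")
        who = "crawler" if is_crawler(ua) else "other"
        statuses[path][who].add(status)
        if who == "other" and status.startswith("3") and from_search_engine(ref):
            referer_redirects.append((path, rec["c-ip"], ref))
    cloaked = sorted(
        p for p, s in statuses.items()
        if "200" in s["crawler"] and s["other"] and "200" not in s["other"]
    )
    return cloaked, referer_redirects


# Constructed sample: one page cloaked for crawlers and redirecting search
# visitors, one normal page served identically to everyone.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-01 08:00:01 10.0.0.5 GET /news/promo.shtml - 443 - 198.51.100.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 120
2025-09-01 08:00:09 10.0.0.5 GET /news/promo.shtml - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Firefox/128.0 https://www.google.com/ 302 0 0 15
2025-09-01 08:00:30 10.0.0.5 GET /news/promo.shtml - 443 - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Firefox/128.0 - 404 0 2 9
2025-09-01 08:01:00 10.0.0.5 GET / - 443 - 198.51.100.2 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 200 0 0 40
2025-09-01 08:01:05 10.0.0.5 GET / - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Firefox/128.0 - 200 0 0 35
"""

if __name__ == "__main__":
    cloaked, redirects = hunt(SAMPLE_LOG.splitlines())
    print("crawler-only 200s:", cloaked)
    print("search-referred redirects:", redirects)
```

Two things to keep in mind when running this over real logs: the log must include the cs(User-Agent) and cs(Referer) fields (both are on by default, but check the `#Fields:` line of the site's log), and a path that is genuinely new to the site will show up here only if a crawler has already fetched it, so the crawler-only 200 list is also a good seed for the module-audit and probe checks described earlier.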

Conclusion

WEBJACK illustrates how IIS hijacking continues to evolve. The threat actors combined custom modules with Chinese-developed red-team tools, enabling SEO poisoning, gambling traffic redirection, and effective concealment of their activities.

The campaign’s targeting reflects a deliberate focus on Southeast Asian audiences, particularly Vietnamese and Thai speakers, demonstrating how operators tailor SEO-driven operations to specific regional and language communities to maximize reach and profit.

While WEBJACK currently appears focused on SEO fraud and gambling redirection, the use of tools such as CnCrypt Protect and XlAnyLoader shows a growing trend of leveraging legitimate security and administrative software for persistence, concealment, and post-exploitation flexibility. As with previous BadIIS campaigns, IIS hijacking continues to pose significant risks that extend well beyond SEO abuse.

Special thanks to Bert Steppe for his contributions to the investigation.

TTP

Tactic | Technique | Description
Initial Access | T1190 – Exploit Public-Facing Application | Malicious native modules (fashttp.dll, cgihttp.dll) were deployed to public web servers.
Persistence | T1505 – Server Software Component | Malicious native IIS modules export “RegisterModule” and register “CHttpModule”-style handlers, persisting functionality inside IIS.
Execution | T1055 – Process Injection | XlAnyLoader used to load ca.bin (Donut-converted payloads); the loader behavior is consistent with in-memory payload execution.
Defense Evasion | T1027.002 – Software Packing | fashttp.dll and cgihttp.dll were packed with Enigma to hinder analysis and detection.
Defense Evasion | T1070.001 – Clear Windows Event Logs | Sharp4RemoveLog, a utility that clears the security, application and system logs, observed on hosts.
Defense Evasion | T1564.001 – Hide Files and Directories | CnCrypt Protect has features that can conceal malicious files.
Discovery | T1046 – Network Service Scanning | FScan observed on hosts for intranet reconnaissance and vulnerability discovery.
Credential Access | T1003 – OS Credential Dumping | XlAnyLoader can load Donut payloads such as Mimikatz; Cobalt Strike was also present, giving potential for credential dumping.
Command & Control | T1071.001 – Web Protocols | Cobalt Strike beaconing observed. GoToHTTP was also observed on hosts.
Lateral Movement | T1572 – Protocol Tunneling | SoftEther VPN deployed on hosts; internal-IP command traffic and VPN artifacts observed, consistent with traffic being tunneled/routed.
Persistence | T1574 – Hijack Execution Flow | CnCrypt Protect has features allowing DLL/drive interception and file redirection.

Indicators of Compromise (IOCs)

Type | Value | Description
IPv4 Address | 79[.]142[.]76[.]244 | Cobalt Strike C2 address
Domain | tdk[.]hunanduodao[.]com | IIS C2
Domain | tdk[.]jmfwy[.]com | IIS C2
Domain | jiankong[.]sneaws[.]com | IIS C2
Domain | seo[.]667759[.]com | IIS C2
Domain | google2[.]sneaws[.]com | IIS C2
Domain | kaifa[.]sneaws[.]com | IIS C2
Domain | w3c[.]sneaws[.]com | IIS C2
Domain | w5c[.]sneaws[.]com | IIS C2
Domain | w5r[.]sneaws[.]com | IIS C2
Domain | google[.]sneaws[.]com | IIS C2
Domain | jk[.]667759[.]com | IIS C2
SHA256 | 11265422e79f2cd057ee1ae38a16e5db54039711ae8cdb9e177aebfde5666f32 | fasthttp.dll
SHA256 | c9b4657b6aea927bb0f601f2063e743f8702408c98d01ca3332692b29c4d90ca | fashttp.dll
SHA256 | c65dea5d6ab244520a794de0bc9a232050b632b391b3cd3a616661f03d9d2619 | fashttp.dll
SHA256 | b0842c9916449de6d4b4159d6c5af747d6fb40609510d6a8d2eb669932c1f661 | fashttp.dll
SHA256 | 72cf397738724b1f555c147005c61c058619405846460a60b02a2af75b57a81e | cgihttp.dll
SHA256 | c17d1bb654bfa9ff9f612d37c1204585cfc76d663818a23aac78ba43e35e3df0 | cgihttp.dll
SHA256 | 9a2fd34e22c5f3d3d5fb96e3cd514dad7b03ed7bf53a87e7d8d9b73987d02ece | cgihttp.dll
SHA256 | 98d4d3de1af9d8568ededbddad4ed5a2072393985421462f44d12e482a1a36af | cgihttp.dll
SHA256 | 6b60b6df8a1a95f51ffe57255c05d26eb9e113857efac3b29d6ef080b8d414f3 | cgihttp.dll
SHA256 | 561fcf1a2d6cc2170d2b538f416e95d981663984e384da51b36ffe97d2653dcd | Cobalt Strike Beacon
SHA256 | 767576a2b67a3a53883b174a50c83192d0930a4ce213af5f5093e6ee26910d2b | Cobalt Strike Beacon
SHA256 | ffbad7beab3e0888d6957637f2ec80156402ad540e9c92ebb243fe27bea1f598 | XlAnyLoader
SHA256 | 00c7efe65ab90c03678359f5ba6b24d9f938a28205652dd61f15d7a31323cf1b | SoftEther VPN
SHA256 | bab9a644aff24cf313210cc6632f71d935a428ea0efb3823c0dbe6dccabe4b73 | SoftEther VPN
SHA256 | cbbe63d47e377ab93a39d11554b3024760868bf667db388efc62e6f2850b5d89 | SoftEther VPN
SHA256 | 86b8605b4870be8c3e83e51b4e3ee80e781a7c5a0104ffa656da651a03579c5a | FScan
SHA256 | d8c0ef6dbf7d4572f92d3a492f32061ab8f3dd46beb9ff5a0bf9bf550935458c | Sharp4RemoveLog
SHA256 | 48ec6530470b295db455bf2c72dc4fbd18672725f45821304f966d436b428865 | CnCrypt Protect
SHA256 | e51ea911a281097be040ac2871134e6c7d5c3b37c8b46d2267ad40a18a05d2ec | GoToHTTP
SHA256 | ffa835cd05558fa52a12e91136c4e8a3e7393b3155a6be7877812c6e7d1ff811 | httpcgi.dat