{"id":4700,"date":"2025-10-03T14:17:16","date_gmt":"2025-10-03T14:17:16","guid":{"rendered":"https:\/\/www.stanventures.com\/news\/?p=4700"},"modified":"2025-10-31T13:51:32","modified_gmt":"2025-10-31T13:51:32","slug":"badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud","status":"publish","type":"post","link":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/","title":{"rendered":"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud"},"content":{"rendered":"<p><b>A Chinese-speaking cybercrime group, tracked as UAT-8099, is exploiting Microsoft IIS servers in India, Thailand, Vietnam, Canada, and Brazil. Cisco Talos researchers report that the attackers use custom malware, stolen credentials, and automation to conduct SEO fraud and harvest sensitive data from compromised systems.<\/b><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4703\" title=\"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud\" src=\"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif\" alt=\"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud\n\" width=\"1536\" height=\"1024\" srcset=\"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif 1536w, https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM-300x200.avif 300w, https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM-1024x683.avif 1024w\" sizes=\"auto, (max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><a href=\"https:\/\/blog.talosintelligence.com\/uat-8099-chinese-speaking-cybercrime-group-seo-fraud\/\">Cisco Talos<\/a> identified the group in April 2025 after analyzing DNS traffic and infected file samples.\u00a0<\/p>\n<p>UAT-8099 focuses on IIS servers run by universities, telecom providers, and 
technology companies. These servers carry high reputational weight, making them valuable targets for manipulating search engine results.<\/p>\n<p>The campaign involves two parallel goals:<\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Boosting the rankings of malicious sites through backlink manipulation and cloaking,<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Collecting sensitive files such as AWS keys, SSL certificates, and database credentials.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"how-uat-8099-slips-in\"><\/span><b>How UAT-8099 Slips In<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The attackers look for IIS sites that accept uploads without validating file types. They drop a web shell disguised as an ordinary file. 
That shell gives them command access and a way to run follow-up commands on the server.<\/p>\n<p>Once they have that foothold, they move predictably:<\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Activate a guest account, assign a password, and add it to the Administrators and Remote Desktop Users groups.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Enable RDP so they can connect interactively.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Create hidden administrator accounts for long-term access.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Install VPN and proxy tools such as SoftEther, EasyTier and FRP to ensure remote access even if direct RDP is blocked.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Set up scheduled tasks and DLL sideloading to launch backdoors like BadIIS and Cobalt Strike persistently.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Deploy utilities that dump credentials and collect configuration files for exfiltration.\n<\/li>\n<\/ol>\n<p>Those steps let the group move from a single uploaded file to full control of the server, plus a resilient remote access channel and a mechanism to harvest sensitive data.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"the-malware-that-makes-it-all-work\"><\/span><b>The Malware That Makes It All Work<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The real power of the operation comes from malware called <b>BadIIS<\/b>, which rewires how servers respond to requests. 
It can be likened to a trickster sitting at the server\u2019s front desk, showing one thing to Google\u2019s web crawlers and something else entirely to human visitors.<\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>When Googlebot visits:<\/b> BadIIS feeds it backlinks or cloaked content that makes fraudulent sites look more important than they really are.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>When a person visits through search results:<\/b> BadIIS injects JavaScript that redirects them to gambling, scam, or fake ad sites.<\/li>\n<\/ul>\n<p>This is not a new phenomenon in SEO abuse, but what makes it particularly dangerous is the scale.<\/p>\n<p>By compromising trusted servers, the group gives their fake backlinks the kind of authority spammers could only dream of.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"beyond-seo\"><\/span><b>Beyond SEO<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Manipulating rankings is only half the story. UAT-8099 also treats compromised servers like treasure chests, digging for credentials and sensitive files.<\/p>\n<p>They use tools like Procdump and WinRAR to pull out:<\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">AWS and cloud credentials<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">SSL certificates<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Database logins<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Configuration files with sensitive details<\/li>\n<\/ul>\n<p>These are not merely fragments of information. They serve as crucial keys that can unlock entire infrastructures, be resold for profit, or facilitate even more profound breaches.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"the-victims-from-asia-to-the-americas\"><\/span><b>The Victims: From Asia to the Americas<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Cisco Talos researchers found UAT-8099\u2019s fingerprints on IIS servers in multiple regions. 
Universities, technology companies, and telecoms have all been hit.\u00a0<\/p>\n<p>The compromised servers frequently redirected users to gambling websites, often localized by language: Thai, Portuguese, or English.<\/p>\n<p>Both Android and iPhone users were targeted with fake apps. In some cases, users in one country were hit through servers based in another, creating an international ripple effect.<\/p>\n<p>The consequences are devastating for businesses. One day, your server quietly redirects traffic to illegal sites. The next, your brand is flagged by Google, and your organic rankings vanish.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"a-glimpse-into-their-playbook\"><\/span><b>A Glimpse Into Their Playbook<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let&#8217;s take a closer look at the specific tools and routines they use.<\/p>\n<h3><b>Automation for Efficiency<\/b><\/h3>\n<p>Instead of repeating tasks manually, UAT-8099 drops batch scripts to configure servers, enable RDP, and schedule persistent tasks. With these scripts, they can hijack a new server in minutes.<\/p>\n<h3><b>Cobalt Strike Disguised<\/b><\/h3>\n<p>They also deploy Cobalt Strike, a commercial red-teaming tool turned cybercriminal favorite. But rather than using it off the shelf, they hide it inside legitimate Windows processes through DLL sideloading. This keeps it invisible to many antivirus programs.<\/p>\n<h3><b>New Variants of BadIIS<\/b><\/h3>\n<p>Talos identified two new clusters of BadIIS malware this year. One barely registered on antivirus radars. The other contained debug strings written in simplified Chinese. 
Both showed evolving techniques: from hijacking entire websites to tailoring redirects with local languages for maximum credibility.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"why-this-should-alarm-seos\"><\/span><b>Why This Should Alarm SEOs<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>SEO professionals may not consider themselves part of the cybersecurity battlefield, but UAT-8099 proves otherwise.<\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Backlink Pollution:<\/b> Fraudulent backlinks weaken the value of legitimate <a href=\"https:\/\/www.stanventures.com\/blog\/seo-checklist\/\">SEO strategies<\/a>.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Cloaking Penalties:<\/b> Google\u2019s algorithms, especially <a href=\"https:\/\/spambrain.com\/\">SpamBrain<\/a>, penalize cloaking. If your compromised server is flagged, your rankings can disappear.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Loss of Trust:<\/b> A hacked site can be deindexed or flagged with browser warnings. Even loyal visitors may hesitate to return.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Collateral Damage:<\/b> Credentials stolen from one compromised server can be used to break into other connected systems.<\/li>\n<\/ul>\n<p>For SEOs and site owners, it is a direct strike at the credibility and sustainability of their work.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"what-you-can-do-right-now\"><\/span><b>What You Can Do Right Now<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you run IIS servers or work with clients who do, there are urgent steps to take:<\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Harden Uploads:<\/b> Never allow unrestricted file uploads. 
Validate file types.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Audit Users:<\/b> Look for hidden or suspicious accounts with admin access.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Scan Regularly:<\/b> Search for unfamiliar web shells or scripts.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Watch Backlinks:<\/b> Track sudden spikes in backlinks, especially irrelevant ones.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Secure RDP:<\/b> Disable unused RDP, require multi-factor authentication, and log activity.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Patch and Update:<\/b> Apply all security fixes promptly.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Educate Teams:<\/b> Make sure both SEO teams and IT admins understand how these threats overlap.<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"the-bigger-picture\"><\/span><b>The Bigger Picture<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Search engines thrive on trust. Users believe that a top result is reliable, relevant, and safe. UAT-8099 is attacking that very foundation. By turning respected servers into backlink farms and redirect machines, they erode faith in what people see on Google. 
This is an industrial-scale fraud operation that affects businesses, users, and the integrity of the internet itself.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"key-takeaways\"><\/span><b>Key Takeaways<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">UAT-8099 is exploiting IIS servers for profit through SEO fraud.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">BadIIS malware manipulates crawlers and users differently.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Victims include universities, tech firms, and telecoms across continents.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">The group is also stealing credentials, not just planting backlinks.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Web admins and SEOs need stronger security collaboration to defend against these attacks.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A Chinese-speaking cybercrime group, tracked as UAT-8099, is exploiting Microsoft IIS servers in India, Thailand, Vietnam, Canada, and Brazil. Cisco Talos researchers report that the attackers use custom malware, stolen credentials, and automation to conduct SEO fraud and harvest sensitive data from compromised systems. 
Cisco Talos identified the group in April 2025 after analyzing DNS [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4703,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-seo"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud - Stan Ventures<\/title>\n<meta name=\"description\" content=\"hinese-speaking group UAT-8099 exploits IIS servers for BadIIS SEO fraud and credential theft, endangering rankings and reputations worldwide.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud - Stan Ventures\" \/>\n<meta property=\"og:description\" content=\"hinese-speaking group UAT-8099 exploits IIS servers for BadIIS SEO fraud and credential theft, endangering rankings and reputations worldwide.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/\" \/>\n<meta property=\"og:site_name\" content=\"Stan Ventures\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/StanVentures\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-03T14:17:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-31T13:51:32+00:00\" \/>\n<meta 
property=\"og:image\" content=\"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Zulekha\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@stanventures\" \/>\n<meta name=\"twitter:site\" content=\"@stanventures\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Zulekha\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/\"},\"author\":{\"name\":\"Zulekha\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#\\\/schema\\\/person\\\/fa7eddd27331b508c39dfd5ec581c0d1\"},\"headline\":\"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO 
Fraud\",\"datePublished\":\"2025-10-03T14:17:16+00:00\",\"dateModified\":\"2025-10-31T13:51:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/\"},\"wordCount\":1048,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif\",\"articleSection\":[\"SEO\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/\",\"url\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/\",\"name\":\"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud - Stan Ventures\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif\",\"datePublished\":\"2025-10-03T14:17:16+00:00\",\"dateModified\":\"2025-10-31T13:51:32+00:00\",\"description\":\"hinese-speaking group UAT-8099 
exploits IIS servers for BadIIS SEO fraud and credential theft, endangering rankings and reputations worldwide.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif\",\"contentUrl\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif\",\"width\":1536,\"height\":1024,\"caption\":\"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#website\",\"url\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/\",\"name\":\"Stan 
Ventures\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#organization\",\"name\":\"Stan Ventures\",\"url\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/Stan-Ventures.webp\",\"contentUrl\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/Stan-Ventures.webp\",\"width\":2001,\"height\":801,\"caption\":\"Stan Ventures\"},\"image\":{\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/StanVentures\\\/\",\"https:\\\/\\\/x.com\\\/stanventures\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/#\\\/schema\\\/person\\\/fa7eddd27331b508c39dfd5ec581c0d1\",\"name\":\"Zulekha\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5e254e5ddd7005852ee1623919a9ab39bced859841448a57960e7f8b855fdd52?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5e254e5ddd7005852ee1623919a9ab39bced859841448a57960e7f8b855fdd52?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5e254e5ddd7005852ee1623919a9ab39bced859841448a57960e7f8b855fdd52?s=96&d=mm&r=g\",\"caption\":\"Zulekha\"},\"description\":\"Zulekha is an 
emerging leader in the content marketing industry from India. She began her career in 2019 as a freelancer and, with over five years of experience, has made a significant impact in content writing. Recognized for her innovative approaches, deep knowledge of SEO, and exceptional storytelling skills, she continues to set new standards in the field. Her keen interest in news and current events, which started during an internship with The New Indian Express, further enriches her content. As an author and continuous learner, she has transformed numerous websites and digital marketing companies with customized content writing and marketing strategies.\",\"url\":\"https:\\\/\\\/www.stanventures.com\\\/news\\\/author\\\/zulekha871_4\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud - Stan Ventures","description":"hinese-speaking group UAT-8099 exploits IIS servers for BadIIS SEO fraud and credential theft, endangering rankings and reputations worldwide.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/","og_locale":"en_US","og_type":"article","og_title":"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud - Stan Ventures","og_description":"hinese-speaking group UAT-8099 exploits IIS servers for BadIIS SEO fraud and credential theft, endangering rankings and reputations worldwide.","og_url":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/","og_site_name":"Stan 
Ventures","article_publisher":"https:\/\/www.facebook.com\/StanVentures\/","article_published_time":"2025-10-03T14:17:16+00:00","article_modified_time":"2025-10-31T13:51:32+00:00","og_image":[{"width":1536,"height":1024,"url":"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif","type":"image\/png"}],"author":"Zulekha","twitter_card":"summary_large_image","twitter_creator":"@stanventures","twitter_site":"@stanventures","twitter_misc":{"Written by":"Zulekha","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#article","isPartOf":{"@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/"},"author":{"name":"Zulekha","@id":"https:\/\/www.stanventures.com\/news\/#\/schema\/person\/fa7eddd27331b508c39dfd5ec581c0d1"},"headline":"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO 
Fraud","datePublished":"2025-10-03T14:17:16+00:00","dateModified":"2025-10-31T13:51:32+00:00","mainEntityOfPage":{"@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/"},"wordCount":1048,"commentCount":0,"publisher":{"@id":"https:\/\/www.stanventures.com\/news\/#organization"},"image":{"@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif","articleSection":["SEO"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/","url":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/","name":"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud - Stan Ventures","isPartOf":{"@id":"https:\/\/www.stanventures.com\/news\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#primaryimage"},"image":{"@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif","datePublished":"2025-10-03T14:17:16+00:00","dateModified":"2025-10-31T13:51:32+00:00","description":"hinese-speaking group UAT-8099 exploits IIS servers for BadIIS SEO fraud and credential theft, endangering rankings and reputations 
worldwide.","breadcrumb":{"@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#primaryimage","url":"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif","contentUrl":"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2025\/10\/ChatGPT-Image-Oct-3-2025-01_58_18-PM.avif","width":1536,"height":1024,"caption":"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud"},{"@type":"BreadcrumbList","@id":"https:\/\/www.stanventures.com\/news\/badiis-chinese-hackers-hijacking-iis-servers-for-seo-fraud-4700\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.stanventures.com\/news\/"},{"@type":"ListItem","position":2,"name":"BadIIS: Chinese Hackers Hijacking IIS Servers for SEO Fraud"}]},{"@type":"WebSite","@id":"https:\/\/www.stanventures.com\/news\/#website","url":"https:\/\/www.stanventures.com\/news\/","name":"Stan Ventures","description":"","publisher":{"@id":"https:\/\/www.stanventures.com\/news\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.stanventures.com\/news\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.stanventures.com\/news\/#organization","name":"Stan 
Ventures","url":"https:\/\/www.stanventures.com\/news\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.stanventures.com\/news\/#\/schema\/logo\/image\/","url":"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2024\/06\/Stan-Ventures.webp","contentUrl":"https:\/\/www.stanventures.com\/news\/wp-content\/uploads\/2024\/06\/Stan-Ventures.webp","width":2001,"height":801,"caption":"Stan Ventures"},"image":{"@id":"https:\/\/www.stanventures.com\/news\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/StanVentures\/","https:\/\/x.com\/stanventures"]},{"@type":"Person","@id":"https:\/\/www.stanventures.com\/news\/#\/schema\/person\/fa7eddd27331b508c39dfd5ec581c0d1","name":"Zulekha","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5e254e5ddd7005852ee1623919a9ab39bced859841448a57960e7f8b855fdd52?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5e254e5ddd7005852ee1623919a9ab39bced859841448a57960e7f8b855fdd52?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5e254e5ddd7005852ee1623919a9ab39bced859841448a57960e7f8b855fdd52?s=96&d=mm&r=g","caption":"Zulekha"},"description":"Zulekha is an emerging leader in the content marketing industry from India. She began her career in 2019 as a freelancer and, with over five years of experience, has made a significant impact in content writing. Recognized for her innovative approaches, deep knowledge of SEO, and exceptional storytelling skills, she continues to set new standards in the field. Her keen interest in news and current events, which started during an internship with The New Indian Express, further enriches her content. 
As an author and continuous learner, she has transformed numerous websites and digital marketing companies with customized content writing and marketing strategies.","url":"https:\/\/www.stanventures.com\/news\/author\/zulekha871_4\/"}]}},"_links":{"self":[{"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/posts\/4700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/comments?post=4700"}],"version-history":[{"count":1,"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/posts\/4700\/revisions"}],"predecessor-version":[{"id":4704,"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/posts\/4700\/revisions\/4704"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/media\/4703"}],"wp:attachment":[{"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/media?parent=4700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/categories?post=4700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.stanventures.com\/news\/wp-json\/wp\/v2\/tags?post=4700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}