Cybersecurity researchers have uncovered a new campaign, active between late 2025 and early 2026, that is attributed to UAT-8099, a threat actor with ties to China. The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers throughout Asia, with a particular emphasis on Vietnam and Thailand.

As of right now, the campaign's scope is unknown. "UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers," security researcher Joey Chen explained in a campaign analysis on Thursday.

In October 2025, the cybersecurity firm published its research on UAT-8099, describing how the threat actor exploited IIS servers in India, Thailand, Vietnam, Canada, and Brazil to carry out search engine optimization (SEO) fraud.

The BadIIS asdSearchEngine cluster has three variants, according to Cisco Talos. The exclusive multiple extensions variant checks the file path in the request and ignores the request if the path carries an extension on its exclusion list, i.e. one whose processing could be resource-intensive or could detract from the appearance of the website. The load HTML templates variant includes an HTML template generation system that creates web content dynamically, loading templates from disk or falling back to embedded ones, and substituting random data, dates, and URL-derived content for placeholders.

The dynamic page extension/directory index variant determines whether the requested path is a directory index or carries a dynamic page extension. Of this third variant, Talos said: "We assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting while maintaining stealth."

"The malware targets dynamic pages (like default.aspx and index.php) where these injections are most successful because SEO poisoning depends on inserting JavaScript links into pages that search engines crawl. Additionally, the malware avoids processing incompatible static files by limiting hooks to other specific file types, which stops the creation of suspicious server error logs." There are also indications that the threat actor is actively improving BadIIS for Linux.

Early in October 2025, an ELF binary artifact was uploaded to VirusTotal. It contained the same proxy, injector, and SEO fraud modes, but it only targeted crawlers from Google, Microsoft Bing, and Yahoo!
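Because the injections described above are aimed at pages that search-engine crawlers fetch (and the ELF variant only acts on Google, Bing, and Yahoo! crawlers), one defender-side check is to request a dynamic page such as default.aspx twice, once with a browser user-agent and once with a crawler user-agent, and diff the script and link references the two responses contain. The following is an added example, not code from the Talos report; the two HTML responses are constructed samples and the domains in them are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a normal browser receives for /default.aspx
BROWSER_HTML = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><a href="/products">Products</a></body></html>"""

# Constructed sample: the same page as served to a crawler user-agent,
# carrying extra outbound links and a script that the browser never sees
CRAWLER_HTML = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://seo-injected.example/j.js"></script></head>
<body><a href="/products">Products</a>
<a href="https://casino-spam.example/?ref=1">best odds</a>
<a href="https://casino-spam.example/bonus">bonus</a></body></html>"""


class LinkCollector(HTMLParser):
    """Collect <script src> and <a href> targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts, self.links = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.add(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"])


def extract(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.scripts, parser.links


def cloaking_diff(browser_html, crawler_html, own_hosts=()):
    """Return references that appear only in the crawler-facing response,
    grouped by host so the third-party domains stand out for triage."""
    b_scripts, b_links = extract(browser_html)
    c_scripts, c_links = extract(crawler_html)
    extra = (c_scripts - b_scripts) | (c_links - b_links)
    by_host = {}
    for ref in extra:
        host = urlparse(ref).netloc
        if not host or host in own_hosts:
            host = "(same-origin)"
        by_host.setdefault(host, set()).add(ref)
    return by_host
```

A non-empty result for a crawler user-agent, with hosts the site does not own, is the signal to pull the IIS module list and PowerShell history on that server.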