Cybersecurity experts have shed light on a Chinese-speaking hacker group named UAT-8099, which has been actively stealing sensitive digital information and manipulating online search results for profit. The group’s operations involve SEO fraud, data theft, and credential harvesting, which poses a serious threat to global digital security.

UAT-8099 primarily attacks Microsoft Internet Information Services (IIS) servers. These are platforms that host websites and online applications. So far, most confirmed infections have surfaced in India, Thailand, Vietnam, Canada, and Brazil. The hackers have focused on universities, telecom companies, and technology firms.

The campaign was first detected in April 2025, and early findings indicate that both Android and iPhone users may be indirectly affected through compromised websites and malicious redirects.

How the Attack Works

UAT-8099 infiltrates vulnerable IIS servers by exploiting unpatched security flaws, outdated software, or weak upload permissions. After gaining access, the group installs malicious web shells that allow it to browse system directories, export data, and execute commands remotely.

Once they gain deeper control, they escalate privileges, turning guest accounts into administrators and enabling Remote Desktop Protocol (RDP) access for unrestricted system control. This gives them the ability to modify configurations, steal files, and maintain long-term surveillance of the server.

UAT-8099 clearly plans ahead: to keep competing intruders out, the group locks down the compromised network and deploys Cobalt Strike, a post-exploitation toolkit used for persistence and remote command execution.

Advanced Evasion Techniques

What makes UAT-8099 particularly dangerous is its ability to remain undetected for months. The group uses VPN and tunneling tools such as SoftEther, EasyTier, and Fast Reverse Proxy (FRP) to conceal its digital footprint. These tools disguise the group's traffic so that it appears to be legitimate network activity.

They also modify server logs and use encrypted communication channels to avoid triggering standard security alerts. By blending in with normal web traffic, they make detection by antivirus programs or firewalls extremely difficult.

The Role of BadIIS Malware

A major component of the attack is the BadIIS malware, which UAT-8099 deploys after establishing full access. BadIIS is a well-known but evolving malware family also associated with other Chinese operations such as DragonRank and Operation Rewrite. This malware forms the backbone of the group’s SEO manipulation scheme.

How SEO Fraud Generates Profit

Unlike typical hackers who steal money directly, UAT-8099 profits by deceiving search engines. By hijacking legitimate websites, the group secretly inserts fake backlinks to promote client websites, often linked to illegal gambling, counterfeit products, or scam advertising networks. UAT-8099 uses “traditional SEO tricks” combined with automation to boost site rankings. The malware activates only when Googlebot, Google’s indexing crawler, visits a page. This ensures that the manipulated content remains invisible to normal users, helping the hackers avoid detection for longer periods.

Although Google’s algorithm eventually penalizes fake backlinks, the group essentially uses the short-term surge in visibility to sell traffic or collect advertising revenue.
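The crawler-only behaviour described above is a form of search-engine cloaking, and a site owner can check for it by retrieving the same page under two User-Agent headers and comparing the outbound links. The script below is an added example, not code from the original report or from the researchers who documented UAT-8099. The two HTML bodies are constructed stand-ins for the two views of one page, the site host is hypothetical, and the `.invalid` domains are placeholders.

```python
"""Added example (not from the original report): detecting search-engine
cloaking, where a page serves extra outbound links only to visitors that
present a crawler User-Agent. The two HTML bodies are constructed stand-ins
for what a defender would retrieve from one URL under two User-Agents."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

# Hypothetical site being checked and the two views of the same page.
SITE_HOST = "www.example.edu"

NORMAL_VIEW = """<html><body>
<h1>Department of Physics</h1>
<a href="https://www.example.edu/about">About</a>
<a href="/contact">Contact</a>
</body></html>"""

CRAWLER_VIEW = """<html><body>
<h1>Department of Physics</h1>
<a href="https://www.example.edu/about">About</a>
<a href="/contact">Contact</a>
<div style="display:none">
<a href="http://casino-promo.invalid/play">best odds online</a>
<a href="http://cheap-watches.invalid/sale">replica watches</a>
</div>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect every href found on <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.add(value)


def extract_hrefs(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.hrefs


def external_hrefs(hrefs, site_host):
    """Keep only absolute links that point off the site being checked."""
    result = set()
    for href in hrefs:
        host = urlparse(href).hostname
        if host and host.lower() != site_host.lower():
            result.add(href)
    return result


def find_cloaked_links(normal_html, crawler_html, site_host):
    """Return sorted external links served to the crawler but not to users."""
    only_for_crawler = extract_hrefs(crawler_html) - extract_hrefs(normal_html)
    return sorted(external_hrefs(only_for_crawler, site_host))


def fetch_both_views(url, crawler_ua, timeout=10):
    """Live variant: fetch one URL twice with different User-Agents.
    Not exercised here so that the example stays runnable offline."""
    views = []
    for ua in ("Mozilla/5.0", crawler_ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            views.append(resp.read().decode("utf-8", errors="replace"))
    return views[0], views[1]


if __name__ == "__main__":
    cloaked = find_cloaked_links(NORMAL_VIEW, CRAWLER_VIEW, SITE_HOST)
    if cloaked:
        print("Links served only to the crawler (possible SEO cloaking):")
        for href in cloaked:
            print("  ", href)
    else:
        print("No cloaked links found.")
```

Run against a live site, `fetch_both_views` would supply the two bodies; the comparison only reports links that are both absent from the ordinary view and pointed off-site, so legitimate navigation differences do not create noise. Because the malware keys on the crawler identity rather than the source address, this check works from any vantage point, though a published Googlebot User-Agent string has to be supplied by the operator.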

A Growing Global Threat

The rise of groups like UAT-8099 highlights how SEO-based cyberattacks are evolving. These operations mix financial motives with advanced technical deception, making them harder to identify and contain. Researchers believe dozens of servers around the world may already be infected, but the true scale remains unknown.

The concern extends beyond lost data. Such attacks erode public trust in legitimate websites and can lead to mass phishing campaigns, financial fraud, and data leaks. They also expose how vulnerable online infrastructure has become, especially as more organizations rely heavily on web servers and SEO for growth.

How Businesses Can Protect Themselves

Experts urge organizations to treat SEO and server security as interconnected priorities. Preventing attacks like those from UAT-8099 requires regular software updates, secure server configurations, and stronger authentication measures.

To strengthen server security, it is crucial to patch IIS vulnerabilities promptly and to restrict both file uploads and administrative access. Regularly monitoring logs for unusual traffic patterns helps detect potential intrusions early, while endpoint protection tools with behavioral detection add another layer of defense. Routine security audits and penetration testing should be conducted to uncover hidden weaknesses before attackers do. Equally important is educating staff about cyber hygiene, since even one compromised password or outdated plugin can expose an entire network to significant risk.
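One concrete form of the log monitoring recommended above is to look in IIS W3C logs for server-side script files that have appeared under directories meant only for uploaded content, and for clients that post to them repeatedly with success. The script below is an added example written for this article, not the researchers' tooling or any IIS component; the log excerpt is constructed, and the writable directory prefixes, script extensions and POST threshold are assumptions a site owner would adjust to their own layout.

```python
"""Added example (not from the original report): triaging IIS W3C logs for
signs of a web shell dropped into a writable upload directory. The log
lines are constructed; directory names and thresholds are assumptions."""
from collections import defaultdict

# Constructed IIS log excerpt. IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-04-12 03:14:07 10.0.0.5 GET /index.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 31
2025-04-12 03:14:09 10.0.0.5 GET /uploads/images/logo.png - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 5
2025-04-12 03:15:02 10.0.0.5 POST /uploads/images/photo.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 120
2025-04-12 03:15:10 10.0.0.5 POST /uploads/images/photo.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 88
2025-04-12 03:15:31 10.0.0.5 POST /uploads/images/photo.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 91
2025-04-12 03:16:00 10.0.0.5 GET /news/article.aspx id=7 443 - 192.0.2.44 Mozilla/5.0+(compatible;+Googlebot/2.1) 200 40
"""

# Assumptions: where the site allows uploads, and which extensions IIS executes.
WRITABLE_PREFIXES = ("/uploads/", "/images/", "/temp/")
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")


def parse_iis_log(text):
    """Yield one dict per log entry, using the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_script_in_upload_dir(stem):
    """True when an executable script lives where only uploads should be."""
    stem = stem.lower()
    return stem.startswith(WRITABLE_PREFIXES) and stem.endswith(SCRIPT_EXTENSIONS)


def find_suspicious(text, min_posts=2):
    """Return findings: script files under upload dirs, and clients that POST
    to them repeatedly with HTTP 200 (typical of web-shell interaction)."""
    script_hits = set()
    posts = defaultdict(int)
    for entry in parse_iis_log(text):
        stem = entry["cs-uri-stem"]
        if not is_script_in_upload_dir(stem):
            continue
        script_hits.add(stem)
        if entry["cs-method"] == "POST" and entry["sc-status"] == "200":
            posts[(entry["c-ip"], stem)] += 1
    findings = [{"reason": "script in writable directory", "path": p}
                for p in sorted(script_hits)]
    for (ip, stem), n in sorted(posts.items()):
        if n >= min_posts:
            findings.append({"reason": "repeated successful POSTs",
                             "client": ip, "path": stem, "count": n})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The parser keys on the `#Fields:` header rather than fixed column positions, so it copes with sites whose logging configuration differs from the sample. The two rules are deliberately narrow: a script file in an upload directory is worth a look on its own, and a single client posting to that file several times with success is the interaction pattern that a web shell produces and an ordinary image gallery does not.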

Conclusion: The Future of SEO and Cybersecurity

UAT-8099’s campaign serves as a stark reminder for the cybersecurity industry. As AI and automation tools become more accessible, hackers are combining them with SEO tactics to earn illicit profits faster and at scale. Governments and organizations must collaborate to track such groups and develop better early-warning systems.

Cybersecurity experts believe that the future of digital safety will depend on cross-border information sharing, real-time threat intelligence, and transparent security policies. As with any threat, awareness is always the first step, because defending against modern hackers requires one to understand how they think and operate.