UAT-8099 Exploits Vulnerable IIS Servers for SEO Fraud and Data Theft
Cisco Talos has disclosed that UAT-8099, a Chinese-speaking threat actor group, is exploiting unpatched Internet Information Services (IIS) servers to conduct large-scale SEO fraud and exfiltrate valuable data. Targeted organizations include universities, telecommunications providers, and technology firms. The group abuses IIS vulnerabilities that permit unrestricted file uploads. Their intrusion chain begins with reconnaissance and the deployment of open-source ASP.NET web shells for command execution and system discovery, followed by guest-to-administrator privilege escalation, which enables Remote Desktop Protocol (RDP) access. Once access is secured, UAT-8099 installs multiple persistence mechanisms, including SoftEther VPN, EasyTier decentralized VPN tools, and FRP reverse proxies, while also sideloading Cobalt Strike beacons disguised as legitimate WMI providers. Cisco Talos identified new BadIIS malware variants used in these intrusions, with clusters showing minimal antivirus detection and debug messages written in simplified Chinese, further tying the campaign to its operators. After persistence is established, UAT-8099 focuses on manipulating search engine rankings to drive fraudulent traffic to gambling and advertisement platforms. The BadIIS malware uses OnBeginRequest to check user-agent and referer values, serving fake backlinks to crawlers like Googlebot while injecting malicious JavaScript redirects for human users arriving from search engines. The OnSendResponse handler amplifies these tactics by delivering SEO-tailored content for crawlers before redirecting users who encounter error pages. Compromised servers also deliver mobile-specific payloads, including malicious APKs for Android and fake iOS app download pages, extending the group’s monetization strategy. 
Cisco Talos advises that organizations patch IIS servers immediately, restrict file uploads, enforce strong account policies, and adopt continuous monitoring, as neglecting these measures risks both operational disruption and large-scale credential theft through persistent SEO fraud campaigns.
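The cloaking behaviour described above (different content for crawlers, redirects for humans arriving from search engines) leaves a footprint in the server's own W3C logs. The following script is an added example, not Cisco Talos code and not derived from the BadIIS sample: it parses a constructed IIS log excerpt (the field layout and every line are assumed, not real telemetry) and flags URIs where crawler responses differ sharply in size from human responses, or where search-referred visitors are consistently redirected.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# User-agent fragments treated as search-engine crawlers (assumed list, extend as needed).
CRAWLER_TOKENS = ("googlebot", "bingbot", "baiduspider", "yandexbot", "duckduckbot")
# Referer hosts treated as search engines (assumed list).
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "baidu.", "yandex.", "duckduckgo.")

# Constructed sample in IIS W3C extended log format (spaces inside fields are '+').
# This is fabricated test data, not a real server log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes
2025-10-01 08:00:01 GET /products.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 14210
2025-10-01 08:00:07 GET /products.aspx 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 61900
2025-10-01 08:00:12 GET /products.aspx 198.51.100.7 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0)+Safari/604.1 https://www.google.com/ 302 312
2025-10-01 08:00:20 GET /products.aspx 203.0.113.11 Mozilla/5.0+(Macintosh)+Firefox/121.0 - 200 14198
2025-10-01 08:00:25 GET /products.aspx 66.249.66.2 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 62011
2025-10-01 08:00:31 GET /products.aspx 198.51.100.8 Mozilla/5.0+(Android+14)+Chrome/120.0+Mobile https://www.bing.com/search?q=x 302 305
2025-10-01 08:00:40 GET /about.aspx 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 5210
2025-10-01 08:00:45 GET /about.aspx 66.249.66.3 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 5198
"""


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def is_crawler(user_agent: str) -> bool:
    return any(token in user_agent.lower() for token in CRAWLER_TOKENS)


def from_search_engine(referer: str) -> bool:
    if referer in ("", "-"):
        return False
    host = urlparse(referer).netloc.lower()
    return any(h in host for h in SEARCH_ENGINE_HOSTS)


def detect_cloaking(rows: list[dict], min_samples: int = 2, ratio: float = 1.5) -> list[str]:
    """Return human-readable findings for URIs whose behaviour depends on UA or Referer."""
    by_uri = defaultdict(lambda: {"crawler": [], "human": [], "search_hits": 0, "search_redirects": 0})
    for r in rows:
        bucket = by_uri[r["cs-uri-stem"]]
        ua, referer, status = r["cs(User-Agent)"], r["cs(Referer)"], r["sc-status"]
        size = int(r["sc-bytes"]) if r["sc-bytes"].isdigit() else 0
        # Humans arriving from a search engine: were they redirected away?
        if from_search_engine(referer) and not is_crawler(ua):
            bucket["search_hits"] += 1
            if status in ("301", "302", "303", "307", "308"):
                bucket["search_redirects"] += 1
        # Successful responses: compare what crawlers get with what humans get.
        if status == "200":
            (bucket["crawler"] if is_crawler(ua) else bucket["human"]).append(size)

    findings = []
    for uri, b in sorted(by_uri.items()):
        if len(b["crawler"]) >= min_samples and len(b["human"]) >= min_samples:
            c, h = statistics.median(b["crawler"]), statistics.median(b["human"])
            if max(c, h) / max(min(c, h), 1) >= ratio:
                findings.append(f"{uri}: crawler responses ~{c:.0f} bytes vs human ~{h:.0f} bytes (possible cloaking)")
        if b["search_hits"] and b["search_redirects"] == b["search_hits"]:
            findings.append(f"{uri}: all {b['search_hits']} search-referred visitors were redirected")
    return findings


if __name__ == "__main__":
    for finding in detect_cloaking(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

The size comparison is deliberately coarse: a legitimate site may serve slightly different markup to bots, so tune `ratio` and `min_samples` against a baseline period before alerting, and confirm a hit by fetching the page once with a normal browser User-Agent and once with a crawler User-Agent and diffing the responses.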
Update: Confucius Hacker Group Deploys AnonDoor Backdoor Through Weaponized Documents and LNK Files
The Confucius APT group, long active in South Asia and believed to operate with state alignment, has evolved from simple document stealers to deploying the Python-based AnonDoor backdoor, reflecting a major escalation in both capability and persistence. Earlier campaigns in late 2024 relied on phishing emails containing weaponized PowerPoint slides that displayed fake “corrupted page” messages while executing embedded VBScript to fetch payloads from attacker infrastructure, ultimately using DLL side-loading and registry changes for persistence. The group has shifted to LNK-based attacks, crafting malicious shortcuts disguised as PDFs that execute PowerShell commands to download payloads and decoy documents. These payloads reintroduced WooperStealer, which is configured to exfiltrate a broad set of sensitive file types, including text, PDFs, archives, images, and email storage files. In August 2025, the group introduced AnonDoor, a Python-based backdoor that leverages Scoop to install a Python environment, hides itself in compiled .pyc files, and employs advanced reconnaissance techniques such as WMIC hardware UUID extraction, system fingerprinting, public IP lookups, and comprehensive disk enumeration to map victim systems. AnonDoor expands Confucius’ tradecraft by enabling execution of attacker-controlled commands, capturing screenshots, harvesting browser credentials, listing and exfiltrating files, and conducting directory traversal operations. Its communication with command-and-control servers uses structured packets with unique delimiters, designed to reduce detection, and operates on a timed interval to avoid behavioral monitoring. The malware is modular, supporting dynamic retrieval of additional Python modules to tailor post-compromise actions to intelligence objectives, making it adaptable for long-term espionage.
FortiGuard Labs analysis shows that Confucius continues to focus heavily on Pakistan-based government and defense organizations, while implementing improved anti-analysis checks and obfuscation techniques to evade detection. This campaign highlights the group’s methodical shift toward more durable and flexible backdoors, underlining the growing importance of layered defenses, targeted detection rules, and region-specific intelligence monitoring to counter advanced persistent threats operating at this scale.
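Shortcuts disguised as documents that launch PowerShell, as described above, can be triaged from the LNK file itself without opening it: the MS-SHLLINK format stores the target's relative path and command-line arguments as plain string fields. The script below is an added example, not FortiGuard Labs code and not based on any Confucius sample. It implements a minimal reader for the header and string-data sections of the shell link format, builds a constructed (benign, labelled) fixture to run against, and applies simple heuristics: a document-style double extension, an interpreter as the target, and argument keywords commonly seen in downloader one-liners. The keyword list and the `.pdf.lnk` naming check are assumptions, not indicators taken from the report.

```python
import struct

# MS-SHLLINK header constants.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits (MS-SHLLINK section 2.1.1).
FLAG_HAS_IDLIST = 1 << 0
FLAG_HAS_LINKINFO = 1 << 1
FLAG_HAS_NAME = 1 << 2
FLAG_HAS_RELPATH = 1 << 3
FLAG_HAS_WORKDIR = 1 << 4
FLAG_HAS_ARGS = 1 << 5
FLAG_HAS_ICON = 1 << 6
FLAG_IS_UNICODE = 1 << 7

# Assumed heuristics: interpreters and argument fragments worth a second look.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
SUSPICIOUS_ARG_TERMS = ("-enc", "-encodedcommand", "downloadstring", "downloadfile",
                        "invoke-webrequest", "iwr ", "iex", "invoke-expression",
                        "-w hidden", "-windowstyle hidden", "bypass", "http://", "https://")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:          # IDListSize (2 bytes) + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:        # LinkInfoSize (4 bytes) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & FLAG_IS_UNICODE)
    fields = {}
    for flag, key in ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELPATH, "relative_path"),
                      (FLAG_HAS_WORKDIR, "working_dir"), (FLAG_HAS_ARGS, "arguments"),
                      (FLAG_HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return fields


def triage_lnk(filename: str, data: bytes) -> list[str]:
    """Return reasons the shortcut looks like a document-disguised launcher (empty if none)."""
    fields = parse_lnk(data)
    reasons = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    if any(stem.endswith(ext) for ext in DOCUMENT_EXTS):
        reasons.append("document-style double extension: " + filename)
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    if any(name in target for name in INTERPRETERS):
        reasons.append("target is a script interpreter: " + fields.get("relative_path", ""))
    args = fields.get("arguments", "").lower()
    hits = [t for t in SUSPICIOUS_ARG_TERMS if t in args]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shell link for testing (fixture, not a real sample)."""
    flags = FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed fixture: a shortcut named like a PDF whose target is PowerShell with a hidden window.
SAMPLE_NAME = "Report.pdf.lnk"
SAMPLE_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    '-w hidden -c "Invoke-WebRequest https://example.invalid/decoy.pdf -OutFile $env:TEMP\\decoy.pdf"',
)

if __name__ == "__main__":
    for reason in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print(reason)
```

The parser only walks the structures needed to reach StringData, so a shortcut with a LinkTargetIDList but no relative path (common for targets on other volumes) yields an empty `relative_path`; in that case the target lives in the ID list, which a full triage tool would also decode.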
GhostSocks Malware-as-a-Service Converts Infected Devices into Residential Proxies
Researchers have found that GhostSocks, a Malware-as-a-Service offering first advertised in late 2023, has matured into a key enabler of cybercrime operations by transforming compromised Windows systems into SOCKS5 residential proxies. Marketed through Russian-speaking forums, GhostSocks offers a management panel that includes build creation, proxy assignment, and real-time monitoring, and has gained traction among both low-level fraud groups and advanced ransomware affiliates. Notably, leaked BlackBasta logs from February 2025 revealed its integration alongside Lumma Stealer to maintain access after credential theft, with automated installation provided through an official partnership. Despite disruptions to Lumma’s infrastructure, GhostSocks has maintained steady development, underscoring its resilience and growing role in the MaaS ecosystem. Its affordability further contributes to broad adoption in underground markets. From a technical perspective, GhostSocks is delivered as either a Go-based DLL or a standalone executable, obfuscated with the garble project to hinder detection. It decrypts configurations at runtime, cycling through hardcoded or temporary C2 endpoints until a connection is established. Afterward, it spawns a SOCKS5 tunnel using the go-socks5 and yamux libraries. Although it lacks persistence, its focus on proxy provisioning enables attackers to bypass fraud detection by routing activity through legitimate residential IP space. This has led to “double victimization,” where compromised users not only lose system control but also inadvertently participate in broader criminal operations. To mitigate risk, organizations should enforce outbound SOCKS5 traffic monitoring, block known GhostSocks infrastructure, and adopt segmentation strategies that reduce opportunities for proxy abuse. At the same time, individuals should avoid untrusted executables and maintain protections capable of detecting obfuscated Go binaries.
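The monitoring recommendation above depends on recognising SOCKS5 traffic where it is not expected. The following is an added example, not code from the GhostSocks research or from the go-socks5 and yamux projects: a parser for the client side of the SOCKS5 handshake as defined in RFC 1928 (method greeting followed by a CONNECT/BIND/UDP request with IPv4, IPv6 or domain-name targets), run over a constructed client-to-server byte sequence. It assumes the no-authentication method, so the request follows the greeting directly in the client's byte stream; with username/password authentication an extra sub-negotiation sits between them.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
SOCKS5_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


def parse_socks5_greeting(buf: bytes):
    """Client greeting: VER(0x05) NMETHODS METHODS[NMETHODS]. Returns None if it does not match."""
    if len(buf) < 2 or buf[0] != SOCKS_VERSION:
        return None
    n = buf[1]
    if n == 0 or len(buf) < 2 + n:
        return None
    methods = list(buf[2:2 + n])
    return {"methods": methods,
            "method_names": [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in methods],
            "consumed": 2 + n}


def parse_socks5_request(buf: bytes):
    """Client request: VER CMD RSV(0x00) ATYP DST.ADDR DST.PORT. Returns None if malformed."""
    if len(buf) < 4 or buf[0] != SOCKS_VERSION or buf[2] != 0x00 or buf[1] not in SOCKS5_CMDS:
        return None
    atyp, pos = buf[3], 4
    if atyp == 0x01:                      # IPv4, 4 octets
        if len(buf) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(buf[pos:pos + 4]))
        pos += 4
    elif atyp == 0x04:                    # IPv6, 16 octets
        if len(buf) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(buf[pos:pos + 16]))
        pos += 16
    elif atyp == 0x03:                    # domain name: 1-byte length + name, no terminator
        if len(buf) < pos + 1:
            return None
        length = buf[pos]
        pos += 1
        if length == 0 or len(buf) < pos + length:
            return None
        host = buf[pos:pos + length].decode("ascii", errors="replace")
        pos += length
    else:
        return None
    if len(buf) < pos + 2:
        return None
    port = struct.unpack(">H", buf[pos:pos + 2])[0]   # network byte order
    return {"cmd": SOCKS5_CMDS[buf[1]], "host": host, "port": port, "consumed": pos + 2}


def scan_client_stream(client_bytes: bytes):
    """Identify a SOCKS5 greeting and, if present, the request that follows it (no-auth assumed)."""
    greeting = parse_socks5_greeting(client_bytes)
    if greeting is None:
        return None
    request = parse_socks5_request(client_bytes[greeting["consumed"]:])
    return {"greeting": greeting, "request": request}


# Constructed client->server bytes: greeting offering no-auth, then CONNECT example.com:443.
SAMPLE_CLIENT_STREAM = (
    b"\x05\x01\x00"                               # VER=5, NMETHODS=1, METHOD=no-auth
    + b"\x05\x01\x00\x03" + b"\x0bexample.com"    # VER=5, CMD=CONNECT, RSV, ATYP=domain, len=11
    + b"\x01\xbb"                                 # DST.PORT = 443
)

if __name__ == "__main__":
    print(scan_client_stream(SAMPLE_CLIENT_STREAM))
```

Because GhostSocks carries the SOCKS5 session inside an outbound connection to its C2 (multiplexed with yamux), this parser is most useful on decrypted or endpoint-captured payloads and on any inbound SOCKS listener a host exposes; on the wire, the more reliable signal is the long-lived outbound session from a workstation that should not be acting as a proxy at all.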
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.