[DEEP RESEARCH] BadIIS Isn’t Enough: The IIS Module + HTTP Fingerprints That Catch SEO-Fraud Cloaking

*Vendors are naming slices of the same IIS SEO fraud problem differently. This summary aligns those labels into one unified hunt surface and shows how to separate UAT-8099/WEBJACK from other BadIIS-style activity using concrete host and HTTP fingerprints.*

TL;DR

Key Points

  • Treat UAT-8099 and WEBJACK as one practical cluster for hunting and response, based on public overlap in hashes, C2, victims, and gambling redirects.

  • Use Operation Rewrite (CL-UNK-1037), ESET Group 9/11, DragonRank, and GhostRedirector as similar tradecraft/tooling, not aliases for the same operator (no shared hashes/infra published so far).

  • Focus on IIS SEO fraud with BadIIS-style behavior plus operator-choice fingerprints (module names/paths, VN/TH packaging, $-suffixed local accounts, high-signal remote-access tools) to distinguish clusters.

  • Expect attackers to rotate from native modules to alternate IIS/HTTP implementations (ASP.NET handlers, managed modules, PHP controllers) while keeping the same SEO fraud objective.

  • action: Merge UAT-8099 and WEBJACK IOCs/TTPs/module names into a single ruleset and hunt package so detections and playbooks don’t fragment by vendor label.

  • action: Baseline IIS native modules and alert on new registrations, fashttp/fasthttp/cgihttp/iis32/iis64 DLLs, and staging paths like Desktop\VN, Desktop\newth, Public\Videos.

  • action: Correlate $-suffixed local accounts and SoftEther/EasyTier/FRP/GoToHTTP execution on web servers with IIS module drift.

  • action: Add HTTP differential-response probes (User-Agent/Referer/Accept-Language) to catch cloaking and Thai/Vietnam locale–gated SEO fraud early.


The story in 60 seconds

This product reconciles vendor views of IIS SEO fraud driven by BadIIS-style behavior, showing that WithSecure’s WEBJACK very likely tracks the same operational cluster as Talos’ UAT-8099, based on shared hashes, infrastructure, victims, and redirect targets. That gives defenders a single, richer hunt surface and ruleset, instead of duplicating work per vendor name.

Neighbor reporting on Operation Rewrite (CL-UNK-1037), ESET Group 9/11, DragonRank, and GhostRedirector describes similar playbooks and tooling in the IIS SEO-fraud space, but without published shared infrastructure or hashes tying them directly to UAT-8099. The analysis stresses that ESET “Group 9/11” are malware-family buckets, not actor names, and that DragonRank and GhostRedirector should be treated as adjacent clusters unless you see their specific hallmarks (e.g., PlugX for DragonRank, GhostRedirector’s Rungan/Gamshen and domains).

Technically, UAT-8099/WEBJACK use malicious IIS components to intercept HTTP and selectively inject or redirect traffic to gambling/scam content. Operators then maintain access with $-suffixed local accounts, VPN/tunneling and remote-access tools, and web shell → PowerShell → VBScript chains, often delivered in Thai/Vietnam–coded packages and gated by locale. The guidance shows how to turn those concrete operator choices into a unified detection, hunting, and response profile—while avoiding over-attribution when other BadIIS-style activity appears.


High Impact, Quick Wins

  • Enforce IIS module baselines and registration monitoring on internet-facing hosts → catch UAT-8099/WEBJACK-style persistence (fashttp/fasthttp/cgihttp/iis32/iis64 from Desktop\VN/Desktop\newth/Public\Videos) before SEO fraud appears in search results.
  • Alert on $-suffixed local accounts and high-signal remote-access tools on web servers → break durable access and cut dwell time even if SEO fraud hasn’t been reported yet.
  • Deploy synthetic HTTP probes that vary User-Agent, Referer, and Accept-Language → expose cloaking and Thai/Vietnam locale–gated SEO fraud before customers or partners see gambling/scam redirects.

Why it matters

SOC

  • New IIS module registration or appcmd module changes on internet-facing hosts → likely native-module or alternate-component persistence attempt.
  • Crawler-only content, search-referrer-only redirects, or Thai/Vietnam locale–gated behavior in web logs → strong indicator of IIS SEO fraud using BadIIS-style logic.
  • Local accounts ending in $ (admin$, mysql$, admin1$, admin2$, power$) or re-enabled Guest on web servers → high-signal persistence linked to this cluster.

IR

  • Preserve ApplicationHost.config, IIS module lists, and all DLLs under inetsrv\ plus staging folders like C:\Users\*\Desktop\VN\, C:\Users\*\Desktop\newth\, C:\Users\Public\Videos\ → needed to confirm UAT-8099/WEBJACK-style deployment.
  • Collect SAM/SECURITY hives, account and group-change logs, and binaries/configs for SoftEther, EasyTier, FRP, GoToHTTP → maps higher-signal operator persistence and remote control than generic BadIIS behavior.
  • If SEO poisoning exists but native modules look clean, acquire ASP.NET handlers, managed IIS modules, and PHP front-controller code → checks for Operation Rewrite–style non-native variants under the same objective.

SecOps

  • Implement strict change control and allowlists for IIS modules and remote-access tools on web servers; block or gate anything outside approved catalogs.
  • Enforce jump-host–only administration and “no unmanaged local admins” on IIS systems → reduces leverage of attacker-created accounts.
  • Add HTTP differential-response checks (bot vs user, search-referrer vs direct, Thai/Vietnam vs other locales) into uptime/synthetic monitoring for high-value sites; pipe anomalies into the same UAT-8099/WEBJACK ruleset.

Strategic

  • Treat this as a long-running IIS SEO-fraud and access ecosystem, not a one-off campaign; plan sustained web-stack–specific controls and telemetry.
  • Use vendor labels (UAT-8099, WEBJACK, DragonRank, Group 9/11, GhostRedirector) as cluster handles, not actor IDs → keeps leadership reporting disciplined and defensible.
  • Invest in Windows IIS and Linux web-server visibility and baselines so BadIIS-style and ELF-side variants are visible in the same program.

See it in your telemetry

Network

  • HTTP(S) from web servers that:
    • Redirects users with search engine referrers to gambling/scam destinations but serves normal pages otherwise.
    • Serves different content to crawlers vs browsers, or poison pages only to bots.
    • Shows locale-gated patterns, especially Accept-Language set to Thai or Vietnamese triggering different content or redirects.
  • Egress from IIS hosts to SEO redirector/staging domains and other suspicious C2 infrastructure tied to this ecosystem.
  • Traffic patterns matching SoftEther VPN, EasyTier, FRP, or GoToHTTP originating from web-server IPs.
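The three cloaking patterns above can be checked actively with a differential-response probe. The block below is an added example (not code from the original post or from any vendor report): it fetches one URL under a baseline browser profile and four variations (crawler User-Agent, search-engine Referer, Thai and Vietnamese Accept-Language) and reports every profile whose status, redirect target or body hash differs from the baseline. The `cloaked_site` fetcher is a constructed stand-in so the check runs offline; `urllib_fetch` is the real fetcher, and `redirect-target.invalid` and `example.invalid` are placeholder hosts.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A response is modelled as (status, Location header or "", body bytes).
Response = Tuple[int, str, bytes]
Fetcher = Callable[[str, Dict[str, str]], Response]

CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Probe profiles: a baseline browser plus one variation per gating dimension the page describes.
PROFILES: Dict[str, Dict[str, str]] = {
    "baseline_browser": {"User-Agent": CHROME, "Accept-Language": "en-US,en;q=0.9"},
    "crawler": {"User-Agent": GOOGLEBOT, "Accept-Language": "en-US,en;q=0.9"},
    "search_referrer": {"User-Agent": CHROME, "Accept-Language": "en-US,en;q=0.9",
                        "Referer": "https://www.google.com/search?q=example"},
    "thai_locale": {"User-Agent": CHROME, "Accept-Language": "th-TH,th;q=0.9"},
    "vietnamese_locale": {"User-Agent": CHROME, "Accept-Language": "vi-VN,vi;q=0.9"},
}

def fingerprint(resp: Response) -> Tuple[int, str, str]:
    """Reduce a response to what cloaking changes: status, redirect target, body hash."""
    status, location, body = resp
    return status, location, hashlib.sha256(body).hexdigest()[:16]

def probe(url: str, fetch: Fetcher) -> Dict[str, Dict[str, object]]:
    """Fetch url under every profile; return the profiles whose response differs from the baseline."""
    results = {name: fingerprint(fetch(url, dict(headers))) for name, headers in PROFILES.items()}
    base = results["baseline_browser"]
    return {name: {"status": fp[0], "location": fp[1], "body_sha256": fp[2]}
            for name, fp in results.items() if name != "baseline_browser" and fp != base}

def urllib_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Production fetcher: redirects are not followed, so the Location header stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", ""), err.read()

def cloaked_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a compromised host (not real module logic): redirects search-engine
    and Thai-locale visitors to a placeholder domain and injects a link for crawlers only."""
    ua = headers.get("User-Agent", "")
    if "Googlebot" in ua:
        return 200, "", b"<html>normal page <a href='https://redirect-target.invalid/'>x</a></html>"
    if "google.com/search" in headers.get("Referer", "") or headers.get("Accept-Language", "").startswith("th"):
        return 302, "https://redirect-target.invalid/", b""
    return 200, "", b"<html>normal page</html>"

if __name__ == "__main__":
    print(probe("https://example.invalid/", cloaked_site))
```

Swap `cloaked_site` for `urllib_fetch` to run it against a site you operate; a non-empty result means at least one profile is being served something different.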

Endpoint

  • Unsigned or newly written DLLs in %windir%\System32\inetsrv\ / %windir%\SysWOW64\inetsrv\ or in Desktop\VN\, Desktop\newth\, Public\Videos\ loaded by w3wp.exe.
  • Process chains on IIS hosts: web shell → PowerShell → wscript/cscript → remote-access tool plus config file staging and exfiltration.
  • Local account creation with $-suffixed names, enabling of previously disabled accounts (e.g., Guest), and group membership changes into Admins/Remote Desktop Users on servers with IIS roles—all feeding into the same UAT-8099/WEBJACK detection and hunt ruleset.
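The module-drift check in the Endpoint bullets can be done directly against applicationHost.config. The block below is an added example, not code from the original post or from any vendor: it parses the `<globalModules>` section, compares each registration against a hypothetical baseline allowlist, and explains why an entry is suspicious (name or image matching fashttp/fasthttp/cgihttp/iis32/iis64, image loaded from Desktop\VN, Desktop\newth or Public\Videos, or image outside inetsrv). The sample config fragment is constructed; the stock module names in it are real IIS modules, the two planted entries are invented for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Module filenames and staging folders that UAT-8099/WEBJACK reporting calls out (from this page).
SUSPICIOUS_NAME = re.compile(r"fashttp|fasthttp|cgihttp|iis32|iis64", re.I)
STAGING_PATH = re.compile(r"\\Desktop\\(VN|newth)\\|\\Users\\Public\\Videos\\", re.I)
# Where legitimate native modules normally live; anything else deserves a look.
INETSRV = re.compile(r"^%windir%\\(System32|SysWOW64)\\inetsrv\\", re.I)

# Hypothetical allowlist captured from a known-good host; replace with your own baseline.
BASELINE: Set[str] = {"UriCacheModule", "FileCacheModule", "StaticFileModule",
                      "DefaultDocumentModule", "AnonymousAuthenticationModule"}

def audit_global_modules(config_xml: str, baseline: Set[str] = BASELINE) -> List[Dict[str, object]]:
    """Walk <globalModules> in applicationHost.config and explain why each entry is suspicious."""
    root = ET.fromstring(config_xml)
    findings: List[Dict[str, object]] = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            reasons = []
            if name not in baseline:
                reasons.append("not in module baseline")
            if SUSPICIOUS_NAME.search(name) or SUSPICIOUS_NAME.search(image):
                reasons.append("UAT-8099/WEBJACK-style module filename")
            if STAGING_PATH.search(image):
                reasons.append("loaded from known staging folder")
            elif not INETSRV.match(image):
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings

# Constructed applicationHost.config fragment: two stock modules plus two planted ones.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="FastHttpModule" image="C:\Users\admin\Desktop\VN\fasthttp.dll" />
      <add name="CompressionHelper" image="%windir%\System32\inetsrv\cgihttp.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG):
        print(finding)
```

Run it on a copy of `%windir%\System32\inetsrv\config\applicationHost.config` preserved during IR; the second planted entry shows why a plausible name in the right folder still needs the filename and baseline checks.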

DEEP RESEARCH: UAT-8099 correlations: who else is “the same actor,” and what’s just ecosystem overlap?

TL;DR

  • Highest-probability cross-vendor equivalence: UAT-8099 strongly overlaps with WithSecure’s WEBJACK; Talos explicitly reports high-confidence correlations across hashes, C2, victimology, and promoted gambling sites.

  • Most relevant “parallel cluster” (similar playbook, but not proven same): Unit 42’s CL-UNK-1037 (Operation Rewrite) sits in the same BadIIS/SEO-poisoning ecosystem and shows direct Group 9 infrastructure overlap, but it is not explicitly equated to UAT-8099.

  • “Group 9 / Group 11” are not actor names: they’re ESET malware-family clusters for native IIS modules; use them as tooling taxonomy and “shape-of-malware” anchors, not attribution labels.

  • DragonRank is adjacent, not identical: overlaps in tradecraft and sometimes targeting, but reporting explicitly treats these as distinct; some vendors note low-confidence linkage signals.

  • Defender takeaway: treat this as an IIS-native-module SEO fraud ecosystem. Your best discrimination comes from persistence choices, module names/paths, and region-gating logic, not just “BadIIS present.”


“Same actor” equivalencies (most likely renames of the same activity)

This section focuses on probable same-activity clusters where the public evidence supports operational linkage beyond generic BadIIS similarity.

A. UAT-8099 ↔ WEBJACK (WithSecure) — High probability of the same activity set

  • Why this is the strongest mapping

    • Talos’ 2026 reporting states their observed UAT-8099 campaign “significantly overlaps” WEBJACK with high-confidence correlations across:
      • Malware hashes
      • C2 infrastructure
      • Victimology
      • Promoted gambling sites
        (This is materially stronger than “similar TTPs” language.)
  • What that means for defenders

    • If your incident resembles UAT-8099, you should assume WEBJACK TTPs, tooling, and IIS-module artifacts are in-scope, even if a given report uses a different name.
    • WEBJACK reporting gives additional high-signal pivots (e.g., specific module deployment names and SEO-fraud modes) that can accelerate triage and scoping.
  • Probability statement (grounded)

    • High likelihood these are either the same operator(s) or two clusters with direct operational infrastructure/tooling overlap sufficient to treat as “effectively the same threat for hunting and response.”

These are clusters you should watch as strategic neighbors of UAT-8099: they can look similar in telemetry and can share tooling patterns, but public reporting stops short of equating them to UAT-8099.

A. CL-UNK-1037 (Unit 42) / “Operation Rewrite” — Medium probability of direct relationship; high probability of ecosystem adjacency

  • What Unit 42 says (relevant to correlation discipline)

    • Unit 42 tracks Operation Rewrite as CL-UNK-1037 and reports:
      • High-confidence Chinese-speaking operator assessment (linguistic + infra artifacts).
      • Moderate-confidence link to ESET “Group 9” based on both design and direct C2 domain-family overlap (examples include the 008php / yyphw / 300bt subdomain families).
      • Low-confidence connection to DragonRank due to similarity but no infrastructure overlap.
  • Why this matters for UAT-8099 mapping

    • Talos’ UAT-8099 reporting highlights native IIS-module BadIIS behaviors and region focus, while Unit 42 demonstrates the same objective achieved via:
      • Native IIS modules
      • ASP.NET handlers
      • Managed .NET IIS modules
      • A PHP front-controller “rewrite” model
    • For defenders, this is the key strategic point: “BadIIS-style SEO poisoning” is an objective and technique family, not a single implementation.
  • Probability statement (grounded)

    • Medium likelihood CL-UNK-1037 intersects UAT-8099 operationally (shared ecosystem and some overlapping design cues), but insufficient public proof to call it the same actor without additional infra/hash linkage.

B. ESET “Anatomy of Native IIS Malware” Groups (Group 9 / Group 11) — High overlap in malware lineage; not an actor alias

  • How to use ESET Groups correctly

    • ESET’s “Groups 1–14” are native IIS malware family clusters, explicitly not guaranteed to represent distinct actors.
    • Group 9 is described as Proxy + SEO fraud.
    • Group 11 is described as Backdoor + Proxy + SEO fraud + Injector.
  • How this maps to UAT-8099

    • Talos’ DragonRank writeup notes medium confidence association of observed BadIIS to “Group 9” in the Black Hat 2021 taxonomy.
    • Unit 42 also uses Group 9 as a strong overlap anchor (including direct infrastructure overlap).
  • Probability statement (grounded)

    • High likelihood UAT-8099 tooling belongs to / descends from / is inspired by Group 9/11-style native IIS module patterns, but that does not mean UAT-8099 “is Group 9.”

C. DragonRank (Talos) — Low-to-medium overlap depending on what you observe

  • What Talos says about DragonRank

    • DragonRank is presented as a distinct cluster that uses BadIIS and also PlugX, plus credential-harvesting utilities and lateral movement patterns.
    • Talos explicitly discusses BadIIS similarities to Group 9 and provides differentiators (crawler patterns and URL path differences).
  • Why defenders often confuse DragonRank with UAT-8099

    • Same platform (IIS)
    • Same core technique family (native IIS module hijacking / BadIIS-like logic)
    • Similar monetization (SEO manipulation leading to scam/gambling traffic)
  • Important discriminator

    • DragonRank reporting includes PlugX (and a public-facing service-provider business model); UAT-8099 reporting emphasizes web shells + PowerShell, VPN tooling, hidden local accounts, and regionalized BadIIS packaging (VN/TH) with WEBJACK overlap.
    • WithSecure also notes DragonRank as a prominent actor in this space but states attribution of WEBJACK to DragonRank is low and cites missing DragonRank “hallmarks.”
  • Probability statement (grounded)

    • Low-to-medium likelihood your “UAT-8099-like” incident is DragonRank specifically, unless you also see DragonRank-linked artifacts (e.g., PlugX or other campaign-specific indicators described by Talos).

D. GhostRedirector (ESET) — Low probability of being the same; useful for strategic context

  • Why it’s relevant

    • ESET’s GhostRedirector uses a malicious IIS module for SEO fraud (Gamshen) and targets overlapping geographies (e.g., Brazil/Thailand/Vietnam).
    • ESET explicitly states they do not have reason to link GhostRedirector to DragonRank, and treat it separately.
  • Why it’s not a strong UAT-8099 correlate

    • Different malware set (Rungan + Gamshen).
    • Different infrastructure and operational patterns (e.g., staging from hxxps://868id[.]com in ESET reporting).
  • Probability statement (grounded)

    • Low probability of being the same operator as UAT-8099 based on currently public reporting; high value as an example of how crowded the IIS SEO-fraud ecosystem is.

Defender-focused mapping table (equivalence vs overlap, with grounded probability)

Each entry lists the label you have, the other vendor label(s) to consider, the relationship type, the grounded probability, and what to look for to validate.

  • UAT-8099 (Talos) ↔ WEBJACK (WithSecure)
    • Relationship type: Near-equivalence / strong operational overlap
    • Probability: High
    • What to look for: Native IIS modules named like fashttp/fasthttp + cgihttp, shared C2/IOCs, similar post-compromise tools (SoftEther, GoToHTTP, Sharp4RemoveLog, CnCrypt).
  • UAT-8099 (Talos) ↔ CL-UNK-1037 / Operation Rewrite (Unit 42)
    • Relationship type: Ecosystem-adjacent cluster
    • Probability: Medium
    • What to look for: 008php/yyphw/300bt domain-family patterns; “rewrite” themed logic; source-code exfil-to-web-accessible ZIP pattern; alternate non-native implementations.
  • UAT-8099 (Talos) ↔ ESET Group 9 / Group 11
    • Relationship type: Tooling taxonomy
    • Probability: High (lineage), Low (actor)
    • What to look for: RegisterModule + CHttpModule handlers; proxy/SEO/injector modes; patterns consistent with ESET group behaviors.
  • UAT-8099 (Talos) ↔ DragonRank (Talos)
    • Relationship type: Neighbor cluster / possible service-provider adjacency
    • Probability: Low–Medium
    • What to look for: Presence of PlugX, or DragonRank-specific infrastructure/patterns; otherwise treat as separate.
  • UAT-8099 (Talos) ↔ GhostRedirector (ESET)
    • Relationship type: Same problem space, different actor
    • Probability: Low
    • What to look for: hxxps://868id[.]com staging/C2 patterns; Rungan/Gamshen artifacts; different gating and module behavior.

Practical discriminators: how to avoid misattribution when everything “looks like BadIIS”

BadIIS/native IIS-module SEO fraud has a “common skeleton,” so attribution errors happen when defenders over-weight generic behaviors (User-Agent/Referer checks, Googlebot handling, redirects) and under-weight operator choices.

A. Persistence and access patterns (operator fingerprint)

  • UAT-8099 reporting highlights persistence through hidden local accounts such as admin$, with a later shift to mysql$ once admin$ was being detected more often, plus variations (e.g., admin1$, admin2$, power$).
  • UAT-8099 also emphasizes remote access tooling like SoftEther VPN and EasyTier and follow-on tooling to maintain foothold.
  • If you see a heavy reliance on IIS-native module persistence only (with minimal host-level persistence), that can be common in the ecosystem and is less discriminating by itself.

B. “Regionalization” logic (campaign fingerprint)

  • Talos describes UAT-8099’s newer variants hardcoding region focus and being deployed in region-coded archives (e.g., VN/TH packaging) and using region cues (e.g., Accept-Language Thai gating).
  • If you see clear country/locale gating plus packaged “VN/TH”-style deployments, that’s a higher-signal indicator than generic crawler-vs-user branching.

C. Module naming and deployment conventions (fast triage pivots)

  • WEBJACK reporting calls out common deployed module names like fashttp.dll / fasthttp.dll and cgihttp.dll.
  • If your compromised host shows these names (or closely related naming conventions) and the behavior matches the WEBJACK mode patterns (page injection + redirector + crawler-only link injection), treat it as UAT-8099/WEBJACK-equivalent for response purposes.

D. Toolchain composition (ecosystem vs specific cluster)

  • WEBJACK documents a toolset often seen in Chinese-speaking intrusion ecosystems (e.g., FScan, Sharp4RemoveLog, CnCrypt Protect, GoToHTTP, possible payload loaders).
  • Talos UAT-8099 reporting similarly mentions these families of tools and also details a webshell → PowerShell → VBScript chain used to deploy GoToHTTP and exfil its configuration.
  • DragonRank stands out in public reporting by including PlugX and a “service provider” posture around SEO manipulation.

Operational guidance: how to use this mapping in a defender workflow

A. Treat “UAT-8099 vs WEBJACK” as a single hunt package

  • Use one consolidated hunt plan covering:
    • Unauthorized IIS module registrations (RegisterModule-based native modules)
    • Presence of common module filenames (fashttp/fasthttp, cgihttp, iis32/iis64 patterns)
    • Outbound connections to suspicious SEO/C2 infrastructure
    • Web logs showing crawler-only content delivery and search-referrer-only redirects
    • Host artifacts of post-compromise tooling (VPN tools, log clearing utilities, file hiding/redirection tools)
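The web-log item in this hunt package (and the same indicator in the SOC bullets earlier) can be scored from IIS W3C logs without touching the host. The block below is an added example, not code from the original post or any vendor: it parses the `#Fields:` header, then per URI stem flags (a) search-engine-referred browser requests that are redirected while direct browser requests are not, and (b) crawler responses that are much larger than browser responses for the same page, which is what crawler-only link injection looks like in `sc-bytes`. The log excerpt is constructed, with RFC 5737 documentation addresses; thresholds `min_hits` and `size_ratio` are assumptions to tune.

```python
import re
from collections import defaultdict
from statistics import mean
from typing import Dict, Iterator, List

CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot", re.I)
SEARCH_REFERER = re.compile(r"^https?://(www\.)?(google|bing|yahoo|baidu|yandex)\.", re.I)
REDIRECTS = {301, 302, 303, 307, 308}

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request from IIS W3C extended log text, keyed by its #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def analyze_iis_log(text: str, min_hits: int = 2, size_ratio: float = 2.0) -> Dict[str, List[str]]:
    """Per URI stem, flag search-referrer-only redirects and crawler/browser response-size divergence."""
    stats = defaultdict(lambda: defaultdict(list))
    for r in parse_w3c(text):
        stem, status = r["cs-uri-stem"], int(r["sc-status"])
        is_bot = bool(CRAWLER_UA.search(r["cs(User-Agent)"]))
        from_search = bool(SEARCH_REFERER.match(r["cs(Referer)"]))
        if not is_bot:  # redirect comparison uses browsers only: search-referred vs direct
            stats[stem]["search" if from_search else "direct"].append(status)
        if status == 200:  # size comparison uses successful responses only
            stats[stem]["bot_bytes" if is_bot else "human_bytes"].append(int(r["sc-bytes"]))

    def redirect_rate(codes: List[int]) -> float:
        return sum(c in REDIRECTS for c in codes) / len(codes) if codes else 0.0

    findings: Dict[str, List[str]] = {}
    for stem, s in stats.items():
        reasons = []
        if len(s["search"]) >= min_hits and redirect_rate(s["search"]) >= 0.5 and redirect_rate(s["direct"]) == 0.0:
            reasons.append("search_referrer_only_redirect")
        if s["bot_bytes"] and s["human_bytes"] and mean(s["bot_bytes"]) >= size_ratio * mean(s["human_bytes"]):
            reasons.append("crawler_content_divergence")
        if reasons:
            findings[stem] = reasons
    return findings

# Constructed IIS W3C excerpt (not from any real server); spaces inside fields are "+" as IIS writes them.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes
2024-01-10 08:00:01 GET /index.html - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 18200
2024-01-10 08:00:07 GET /index.html - 203.0.113.6 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/search?q=site 302 0
2024-01-10 08:00:09 GET /index.html - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.bing.com/search?q=site 302 0
2024-01-10 08:00:15 GET /index.html - 198.51.100.1 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 200 91400
2024-01-10 08:00:21 GET /index.html - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 18200
2024-01-10 08:00:30 GET /about.html - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/search?q=about 200 9100
2024-01-10 08:00:33 GET /about.html - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 9100
2024-01-10 08:00:40 GET /about.html - 198.51.100.2 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 200 9100
"""

if __name__ == "__main__":
    print(analyze_iis_log(SAMPLE_LOG))
```

`sc-bytes` is not in the default IIS field selection, so enable it in the site's logging settings before relying on the size check; the redirect check works with the defaults.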

B. Use “CL-UNK-1037 / Group 9” as an expansion net, not an attribution claim

  • If you confirm BadIIS/native IIS module hijacking:
    • Expand scoping to include non-native variants (ASP.NET handler, managed IIS module, PHP front-controller), because Unit 42 shows these are operationally viable alternatives for the same objective.
    • Expand detection beyond module install events to include webshell-based staging and web-accessible ZIP staging, which Unit 42 flags as an observed behavior pattern.

C. Keep DragonRank in the threat model, but require corroboration

  • Only elevate “this is DragonRank” if you also see corroborating artifacts described in reporting (not just “IIS SEO fraud happened”).
  • Otherwise, keep it categorized as “BadIIS SEO fraud ecosystem activity” with the UAT-8099/WEBJACK equivalence cluster as the primary hypothesis.

Recommendations, Actions, Next Steps, Forecasts, Suggested Pivots and Detection Ideas..