Top Highlights
- The UAT-8099 campaign exploits vulnerable IIS servers in Asia, deploying web shells and PowerShell scripts to gain remote access and deploy malicious tools like GotoHTTP and BadIIS variants.
- Attackers register suspicious, newly created or spoofed domains (e.g., mimicking Google), often with random characters, to facilitate phishing, malware distribution, and command-and-control activities.
- Many of the domains and IP addresses involved have already been identified as weaponized or linked to earlier malicious campaigns, confirming that this infrastructure is actively reused for attacks and malware distribution.
Threat, Attack Techniques, and Targets
UAT-8099 is a cyber threat actor active since late 2025, mainly targeting vulnerable IIS servers in Asia, especially Thailand and Vietnam. The actor uses web shells and PowerShell scripts to carry out attacks; these tools are used to deploy GotoHTTP, which gives the attacker remote access to compromised servers. The attacker also employs new BadIIS variants that are tailored to each region and come with customized features; because they are hardcoded with target-region details, they are harder to detect. Further analysis showed that the attacker communicates with specific domains and IP addresses, some of which have domain resolutions dating back to 2017, indicating long-term activity. Most of the malicious domains are newly registered or mimic legitimate sites such as Google, and many of the IP addresses associated with them are categorized as malicious. The attacker also relies on email-connected domains, some of which have been involved in malware distribution campaigns. Together, this points to a focus on exploiting web infrastructure and email accounts.
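A defender screening domains pulled from DNS or proxy logs could triage them against the three traits the summary describes (mimicking Google, random-looking labels, recent registration). The following is an added example and not code from the report; the thresholds, the brand list and the sample domains are assumptions constructed for illustration.

```python
import math
from datetime import date

# The page names Google as the spoofed brand; extend this tuple as needed (assumption).
BRANDS = ("google",)
# Heuristic thresholds chosen for this example, not values taken from the report.
MAX_EDIT_DISTANCE = 2     # how many edits away from a brand still counts as a lookalike
MIN_RANDOM_ENTROPY = 3.2  # bits/char above which a long label looks machine-generated
NEW_DOMAIN_DAYS = 90      # registrations younger than this are treated as "new"

def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def shannon_entropy(s):
    """Bits per character of a label; random letter/digit strings score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def assess_domain(domain, registered, today):
    """Return the reasons a domain looks suspicious; an empty list means nothing flagged."""
    labels = domain.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label, e.g. "gooogle-secure"
    parts = [sld] + sld.split("-")                        # also inspect hyphen-separated pieces
    reasons = []
    for brand in BRANDS:
        near = any(0 < edit_distance(p, brand) <= MAX_EDIT_DISTANCE for p in parts)
        if near or (brand in sld and sld != brand):       # "gooogle", "google-login", ...
            reasons.append(f"lookalike of {brand}")
            break
    if len(sld) >= 10 and shannon_entropy(sld) >= MIN_RANDOM_ENTROPY:
        reasons.append("random-looking label")
    if (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("newly registered")
    return reasons

# Constructed sample domains and registration dates (not indicators from the report).
if __name__ == "__main__":
    today = date(2026, 2, 1)
    for dom, reg in [("gooogle-secure.example", date(2026, 1, 20)),
                     ("xk7qz9ph2vb3.example", date(2025, 12, 1)),
                     ("www.google.com", date(1997, 9, 15))]:
        print(dom, assess_domain(dom, reg, today))
```

Registration dates would normally come from WHOIS/RDAP; here they are supplied by hand so the check runs offline.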
Impact, Security Implications, and Remediation Guidance
The activities of UAT-8099 can cause serious security issues. Compromised IIS servers may serve as entry points for further malware attacks, and the use of web shells and PowerShell scripts indicates that attackers can readily take control of affected systems. Long-standing domain resolutions and suspicious domain registrations point to a persistent threat. Organizations running IIS servers in the targeted regions should therefore be cautious: if infected, they may face data theft, malware spread, or service disruption. To stay protected, it is recommended to consult security vendors or relevant authorities for specific remediation steps, which may include updates, patches, or monitoring practices. Since no detailed remediation guidance is provided here, obtaining advice from cybersecurity experts is crucial for an effective response.
