A new wave of sophisticated cyberattacks targeting vulnerable Internet Information Services (IIS) servers across Asia has been identified, with threat actors employing advanced malware, including tailored versions of BadIIS. The campaign, observed from late 2025 into early 2026, primarily impacts systems in Thailand and Vietnam, indicating a strategic regional focus. Attackers are exploiting unpatched IIS servers to deploy web shells, execute malicious PowerShell scripts, and ultimately establish persistent control using the BadIIS malware, which now features region-specific configurations.
The cyber campaign shows significant operational overlap with the previously documented WEBJACK operation. Shared indicators include common malware signatures, command and control (C2) infrastructure, and similar victim profiles. This indicates a potential connection or shared tooling among threat actors operating in the region. The attackers’ methodology involves leveraging web shells as an initial entry point, enabling remote command execution on compromised IIS servers. Following successful infiltration, they deploy PowerShell scripts to download and execute the GotoHTTP remote access tool, granting them enduring control over the infected systems.
BadIIS Malware Evolves with Region-Specific Targeting
Cisco Talos analysts detected the campaign after observing anomalous activity on multiple IIS deployments throughout South and Southeast Asia. A notable evolution in the BadIIS malware is the embedding of country codes directly within its source code. This has resulted in specialized versions for Vietnam, identified by “VN” tags, and Thailand, marked with “TH” designations. These customized variants incorporate region-specific file extensions, dynamic page configurations, and localized HTML templates designed to facilitate search engine optimization (SEO) fraud tailored to specific language preferences.
The observed targeting demonstrates a more refined approach compared to earlier iterations of the malware. Each customized BadIIS variant actively filters incoming web traffic based on the “Accept-Language” header. This allows the malware to verify the visitor’s geographical region before delivering malicious payloads. When search engine crawlers access compromised websites, they are often redirected to fraudulent gambling sites. In contrast, regular users may experience injected JavaScript that silently redirects their browsers to malicious destinations.
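The cloaking behaviour described above (crawlers redirected, visitors with a matching Accept-Language served injected JavaScript, other visitors served the clean page) can be checked from outside the server by requesting the same URL under several header profiles and comparing the answers. The script below is an added defender-side example, not Cisco Talos tooling or code recovered from the campaign; it performs no network requests, so the responses are passed in as already-captured records, and the site name, the lure host and the HTML bodies are constructed for illustration.

```python
"""Heuristic cloaking check for a site suspected of hosting BadIIS-style SEO fraud.

Added example, not part of the original report. Responses are supplied as
Probe records so the logic runs offline; in practice you would fill them from
an HTTP client that fetches the same URL once per (client, Accept-Language)
profile without following redirects.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Probe:
    """One captured response for a fixed URL under a given header profile."""
    client: str           # which User-Agent profile was sent: "crawler" or "browser"
    accept_language: str  # Accept-Language value sent, e.g. "vi-VN,vi;q=0.9"
    status: int
    location: str         # Location header on 3xx responses, else ""
    body: str             # response body (HTML)


# JavaScript assignments that navigate the page away, e.g. window.location.href = '...'
_JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)
# External <script src=...> includes
_SCRIPT_SRC = re.compile(r"<script[^>]+\bsrc=[\"']([^\"']+)[\"']", re.I)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _offsite(urls, site_host: str) -> set:
    """Hosts referenced by the URLs that are not the site itself."""
    return {h for h in map(_host, urls) if h and h != site_host}


def assess(site_host: str, probes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    bodies_by_client = defaultdict(dict)  # client -> {accept_language: sha256(body)}
    for p in probes:
        tag = f"{p.client}/{p.accept_language}"
        if 300 <= p.status < 400:
            for h in _offsite([p.location], site_host):
                findings.append(f"{tag}: HTTP {p.status} redirect off-site to {h}")
        for h in _offsite(_JS_REDIRECT.findall(p.body), site_host):
            findings.append(f"{tag}: injected JavaScript redirect to {h}")
        for h in _offsite(_SCRIPT_SRC.findall(p.body), site_host):
            findings.append(f"{tag}: script loaded from third-party host {h}")
        digest = hashlib.sha256(p.body.encode("utf-8")).hexdigest()
        bodies_by_client[p.client][p.accept_language] = digest
    # Same client profile, different Accept-Language, different body: the
    # language-keyed behaviour the report describes (legitimate localisation
    # also triggers this, so read it together with the redirect findings).
    for client, by_lang in bodies_by_client.items():
        if len(set(by_lang.values())) > 1:
            langs = ", ".join(sorted(by_lang))
            findings.append(f"{client}: response body varies with Accept-Language ({langs})")
    return findings


# Constructed sample capture: a crawler is bounced to a lure host, a Vietnamese
# browser gets a page with an injected redirect, an English browser gets a clean page.
SITE = "shop.example"
SAMPLE_PROBES = [
    Probe("crawler", "en-US", 302, "https://bet-lure.example/vn", ""),
    Probe("browser", "vi-VN,vi;q=0.9", 200, "",
          "<html><body>Trang chu</body>"
          "<script>window.location.href='https://bet-lure.example/vn'</script></html>"),
    Probe("browser", "en-US,en;q=0.9", 200, "", "<html><body>Home</body></html>"),
]

if __name__ == "__main__":
    for line in assess(SITE, SAMPLE_PROBES):
        print(line)
```

Run against a live site, the probes should be collected with redirects disabled and with the crawler profile using a well-known bot User-Agent string, since the report indicates that the malware distinguishes crawlers from regular visitors; a body that changes only with Accept-Language is weak evidence on its own, but combined with an off-site redirect it matches the behaviour described.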
Persistence Mechanisms and Undetected Operations
Following the establishment of initial access, threat actors implement robust persistence mechanisms to maintain long-term control over compromised servers. A key tactic involves the creation of hidden user accounts. Initially, attackers used an account named “admin$.” However, as security products began to detect this pattern, they shifted to alternative names such as “mysql$,” “admin1$,” “admin2$,” and “power$.” These accounts are systematically granted administrative privileges.
These privileged accounts are then utilized to deploy updated versions of the BadIIS malware. The malware is placed in specific regional directories, such as “C:/Users/mssql$/Desktop/VN/” for Vietnam-centric operations and “C:/Users/mssql$/Desktop/newth/” for attacks targeting Thailand. Furthermore, the threat actors deploy a suite of anti-forensic tools to further obfuscate their activities and evade detection. These tools include Sharp4RemoveLog to erase Windows event logs, CnCrypt Protect to conceal malicious files, and OpenArk64 to terminate security processes at the kernel level.
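The persistence chain in the two paragraphs above (a `$`-suffixed local account is created, promoted to administrators, used to run tooling from a per-region directory under that user's Desktop, and the event log is cleared) leaves a sequence of Windows Security events that can be triaged together. The script below is an added detection example written for this article, not Talos code; the event records are constructed and simplified (field names follow the Security log's 4720, 4732, 4688 and 1102 events, but a real 4732 often carries only the member's SID, which would need resolving to a name first), the `loader.exe` file name is invented, and the directory path is the one quoted in the text.

```python
"""Triage of Windows Security events for the BadIIS persistence pattern.

Added example, not part of the original report. Events are plain dicts with
a subset of the real event fields; feed it records exported from the Security
log (e.g. via Get-WinEvent or a SIEM) after resolving SIDs to account names.
"""
import re
from datetime import datetime, timedelta

# Local user names ending in "$": the naming trick the report describes
# (machine accounts also end in "$", but those arrive as event 4741, not 4720).
HIDDEN_ACCOUNT = re.compile(r"^[A-Za-z0-9_.-]+\$$")
# Tooling staged under the hidden account's Desktop, e.g. C:/Users/mssql$/Desktop/VN/
STAGING_PATH = re.compile(r"^[A-Za-z]:[\\/]Users[\\/][^\\/]+\$[\\/]Desktop[\\/]", re.I)
ADMIN_GROUPS = {"administrators"}
# A brand-new account promoted to admin within this window is suspicious on its own.
CREATE_TO_ADMIN_WINDOW = timedelta(minutes=15)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage(events) -> list:
    """Return (rule, subject, time) tuples in chronological order."""
    alerts = []
    created_at = {}  # lower-cased account name -> creation time (from 4720)
    for e in sorted(events, key=lambda ev: ev["Time"]):
        eid, when = e["EventID"], _ts(e["Time"])
        if eid == 4720:  # a user account was created
            name = e["TargetUserName"]
            created_at[name.lower()] = when
            if HIDDEN_ACCOUNT.match(name):
                alerts.append(("hidden_account_created", name, e["Time"]))
        elif eid == 4732 and e["TargetUserName"].lower() in ADMIN_GROUPS:
            # a member was added to a security-enabled local group
            member = e["MemberName"]
            born = created_at.get(member.lower())
            if HIDDEN_ACCOUNT.match(member) or (born and when - born <= CREATE_TO_ADMIN_WINDOW):
                alerts.append(("admin_grant", member, e["Time"]))
        elif eid == 4688 and STAGING_PATH.match(e.get("NewProcessName", "")):
            # a new process was created from a regional staging directory
            alerts.append(("regional_staging_path", e["NewProcessName"], e["Time"]))
        elif eid == 1102:  # the audit log was cleared
            alerts.append(("audit_log_cleared", e.get("SubjectUserName", "?"), e["Time"]))
    return alerts


# Constructed sample: the malicious sequence plus a benign admin onboarding
# ("jdoe" promoted hours after creation) that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2026-01-12T02:10:05Z", "TargetUserName": "mysql$",
     "SubjectUserName": "svc_web"},
    {"EventID": 4732, "Time": "2026-01-12T02:10:09Z", "TargetUserName": "Administrators",
     "MemberName": "mysql$"},
    {"EventID": 4688, "Time": "2026-01-12T02:15:30Z", "SubjectUserName": "mysql$",
     "NewProcessName": "C:/Users/mssql$/Desktop/VN/loader.exe"},
    {"EventID": 1102, "Time": "2026-01-12T03:00:00Z", "SubjectUserName": "mysql$"},
    {"EventID": 4720, "Time": "2026-01-12T09:00:00Z", "TargetUserName": "jdoe",
     "SubjectUserName": "helpdesk"},
    {"EventID": 4732, "Time": "2026-01-12T11:30:00Z", "TargetUserName": "Administrators",
     "MemberName": "jdoe"},
]

if __name__ == "__main__":
    for rule, subject, when in triage(SAMPLE_EVENTS):
        print(f"{when} {rule:<24} {subject}")
```

The value of correlating rather than alerting on each event alone is that a cleared audit log (1102) or a single 4732 is noisy in isolation, whereas a `$`-suffixed account created, promoted and then executing from its own Desktop within minutes is the specific chain the report attributes to this actor; the naming rule should be extended as new account names are observed, since the text notes the actor already rotated from "admin$" to several alternatives once that name was being detected.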
The deployment of these anti-forensic tools is crucial for the attackers to ensure their operations remain undetected for extended periods, significantly increasing the difficulty of investigation and remediation. The continuous evolution of their tactics, techniques, and procedures (TTPs), with the introduction of region-customized malware and sophisticated evasion methods, highlights the persistent and adaptable nature of these threat actors.
The ongoing nature of these attacks suggests that defenders must remain vigilant and prioritize patching vulnerable IIS servers. The successful exploitation of these systems underscores the importance of robust vulnerability management and timely security updates. Organizations operating within the affected regions, or those with similar technological infrastructures, should increase their monitoring for suspicious activity and ensure their security postures are up to date to mitigate the risk of compromise.