
Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to redirect users to malicious sites. The campaign primarily targets East and Southeast Asia, with a focus on Vietnam. The attackers employ various tools including native IIS modules, ASP.NET handlers, and PHP scripts. The operation shows links to previously known threat groups like Group 9 and possibly DragonRank. The campaign demonstrates sophisticated techniques for search result manipulation and traffic redirection, posing significant risks to unsuspecting internet users.

OPENCTI LABELS :

seo poisoning,vietnam,badiis,iis module,dragonrank,chinese-speaking,web shells,group 9


AI COMMENTARY :

1. Overview of Operation Rewrite
Operation Rewrite is a large-scale SEO poisoning campaign orchestrated by a Chinese-speaking actor group tracked as CL-UNK-1037. The operation leverages malicious modifications to web servers to manipulate search engine results and redirect unsuspecting users to harmful domains. This campaign has been running for several months, showing advanced planning and operational security by the threat actors. By crafting seemingly legitimate search engine optimization tactics, the attackers insert poisoned content into search results that lure victims with relevant keywords and pages. Each manipulated search link promises authentic information, but instead routes users through malicious landing pages designed to harvest credentials or distribute further malware.

2. The BadIIS Module
At the core of Operation Rewrite lies BadIIS, a custom IIS module designed to intercept and alter HTTP traffic on compromised servers. Once installed, this malicious module intercepts inbound requests, rewrites URLs, and injects malicious payloads or redirects to attacker-controlled domains. BadIIS operates transparently, making detection difficult without deep inspection of the IIS configuration and module files. The module is written to blend seamlessly with native IIS features and can be activated or deactivated by the attacker at will. This stealthy integration allows the adversaries to maintain access while avoiding standard security tools that monitor for unauthorized network behavior.

3. Attack Techniques and Tools
The operators of Operation Rewrite make use of a diverse toolkit to achieve their goals. In addition to the BadIIS module, they deploy ASP.NET handlers and custom PHP scripts to further manipulate web content. Web shells are used as persistence mechanisms, granting attackers remote command execution and file upload capabilities. The blend of Microsoft-based modules and cross-platform scripts indicates a flexible approach that adapts to the target environment. By leveraging SEO poisoning combined with server-side compromise, the group can funnel legitimate traffic through malicious infrastructure without raising immediate alarms. Search engines continue to index affected pages, allowing the operation to maintain or even increase its reach over time.

4. Targeting and Geography
Operation Rewrite has a pronounced focus on East and Southeast Asia, with Vietnam experiencing the highest concentration of compromised web servers. The selection of this region appears deliberate: high internet penetration rates combined with rapidly growing digital economies make the area fertile ground for SEO-based attacks. The actors tailor their poisoned content to Vietnamese-language search queries and local topics, increasing the likelihood of successful redirection. Nevertheless, collateral effects on surrounding countries have been observed, as regional search behavior and shared hosting infrastructure allow the poisoning to spread beyond Vietnam’s borders.

5. Attribution and Threat Actors
Activity clusters in Operation Rewrite show links to known campaigns attributable to Group 9 and potential overlap with DragonRank, another Chinese-speaking threat cluster. Shared tooling, coding conventions, and infrastructure reuse suggest that these operators may belong to a single consolidated team or a closely affiliated network. While direct attribution remains a challenge due to the use of proxies and compromised servers as jump points, the linguistic patterns and targeting profile strongly indicate a Chinese-speaking actor behind the operation.

6. Impact and Risks
The sophistication of the BadIIS module and associated SEO poisoning tactics exposes internet users to phishing, credential theft, and malware delivery. Victims lured to malicious landing pages might inadvertently download additional payloads or disclose sensitive information such as login credentials or financial data. Organizations hosting compromised servers face reputational damage, loss of customer trust, and potential data breaches. The operation’s evasive nature and ability to blend with legitimate traffic make it a persistent threat to global web infrastructure.

7. Detection and Mitigation
Detecting Operation Rewrite requires careful monitoring of web server modules, unusual URL rewrite rules, and unexpected HTTP redirects. Security teams should audit IIS configurations for unauthorized modules like BadIIS and deploy web application firewalls capable of intercepting and flagging anomalous traffic patterns. Regular vulnerability assessments, timely patching of server software, and strict access controls can reduce the risk of initial compromise. In addition, organizations can collaborate with search engine providers to remove poisoned pages from indexing, thereby cutting off the primary distribution channel of the campaign.
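One concrete form of the IIS configuration audit described above, written here as an added example that is not part of the OpenCTI report or the underlying research: it parses an applicationHost.config fragment and lists every native module (the `globalModules` section, where a BadIIS-style module has to be registered) and every handler script processor whose executable lives outside the directories IIS and .NET normally load from. The trusted-directory baseline, the sample configuration and the module and handler names in it are all constructed for illustration; a real audit feeds the server's own `%windir%\System32\inetsrv\config\applicationHost.config` and extends the allowlist with known-good third-party modules.

```python
import xml.etree.ElementTree as ET

# Assumed baseline: where stock IIS native modules and the ASP.NET runtime normally live.
TRUSTED_DIRS = (r"c:\windows\system32\inetsrv", r"c:\windows\microsoft.net")

# Constructed sample applicationHost.config fragment, not a real capture. The first two
# globalModules entries mirror stock IIS; "UrlHelper" stands in for an unexpected native module.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="UrlHelper" image="C:\inetpub\temp\urlhelper.dll" />
    </globalModules>
    <handlers>
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" />
      <add name="PHP" path="*.php" verb="*" modules="FastCgiModule" scriptProcessor="C:\php\php-cgi.exe" />
      <add name="Img" path="*.jpg" verb="GET" modules="FastCgiModule" scriptProcessor="C:\Windows\Temp\img.exe" />
    </handlers>
  </system.webServer>
</configuration>
"""

def normalize(path):
    """Expand the %windir% placeholder IIS uses and lower-case (Windows paths are case-insensitive)."""
    return path.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows").strip().lower()

def is_trusted(path, extra_trusted=()):
    """True if the file sits under one of the trusted directories (or an explicitly allowlisted extra)."""
    p = normalize(path)
    return any(p.startswith(normalize(d).rstrip("\\") + "\\") for d in TRUSTED_DIRS + tuple(extra_trusted))

def audit_iis_config(xml_text, extra_trusted=()):
    """Return (kind, name, path) for native modules and handler executables loaded from untrusted locations."""
    root = ET.fromstring(xml_text)
    findings = []
    for block in root.iter("globalModules"):      # native (unmanaged) modules: the image attribute is a DLL
        for add in block.findall("add"):
            image = add.get("image", "")
            if not is_trusted(image, extra_trusted):
                findings.append(("native-module", add.get("name"), image))
    for block in root.iter("handlers"):           # CGI/FastCGI handlers: the executable is in scriptProcessor
        for add in block.findall("add"):
            proc = add.get("scriptProcessor")
            if proc and not is_trusted(proc.split("|")[0], extra_trusted):   # IIS allows "exe|args"
                findings.append(("handler", add.get("name"), proc))
    return findings

if __name__ == "__main__":
    for kind, name, path in audit_iis_config(SAMPLE_CONFIG, extra_trusted=[r"C:\php"]):
        print(f"REVIEW {kind}: {name} -> {path}")
```

Everything the function returns is a review candidate, not a verdict: confirm each flagged file's publisher signature and deployment history before treating it as malicious, and fold legitimate exceptions into the allowlist rather than the baseline.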

8. Conclusion
Operation Rewrite exemplifies the growing trend of SEO poisoning coupled with sophisticated server-side modules to execute large-scale attacks. The combination of BadIIS, web shells, and cross-platform scripting showcases the adaptability of modern threat groups. As long as search engines continue to be trusted sources of information, defenders must evolve detection and mitigation strategies to address these covert redirection campaigns. By understanding the methods of CL-UNK-1037 and related actors, defenders can better secure web infrastructure and protect end users from this evolving threat.

