
Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A Chinese-speaking threat actor conducted a large-scale SEO poisoning campaign dubbed 'Operation Rewrite' using BadIIS malware to manipulate search results. The attackers compromised legitimate websites and used malicious IIS modules to intercept web traffic and serve altered content. The campaign targeted East and Southeast Asia, particularly Vietnam. Multiple variants of BadIIS were discovered, including ASP.NET handlers and PHP scripts. The threat actor is linked to previously known groups like Group 9 and possibly DragonRank. Their toolkit allowed them to inject malicious content, redirect users, and exploit compromised servers for various malicious purposes.

OPENCTI LABELS:

dragonrank,group 9,badiis,seo poisoning,iis modules,chinese threat actor,web shells,operation rewrite


AI COMMENTARY:

1. Introduction to Operation Rewrite

Operation Rewrite marks a significant escalation in SEO poisoning campaigns, orchestrated by a Chinese-speaking threat actor leveraging a sophisticated malware known as BadIIS. This campaign manipulated search engine results to redirect unsuspecting users to compromised sites, where malicious modules intercepted normal web traffic. By compromising legitimate web servers and injecting malicious IIS modules, the threat actor achieved widespread distribution of poisoned content, with a primary focus on East and Southeast Asian targets, notably Vietnam.

2. The Mechanics of SEO Poisoning

The core strategy behind Operation Rewrite involved optimizing malicious web pages so they would rank highly in search results for popular queries. Victims searching for legitimate information were instead directed to attacker-controlled sites equipped with BadIIS modules. These modules acted as intermediaries, intercepting HTTP requests and serving altered content containing exploit kits, exploit code, and additional payloads. The attackers tailored search results to specific keywords, ensuring maximum click-through rates and stealthy distribution of their malicious toolkit.

3. Technical Anatomy of BadIIS

BadIIS is a modular malware family designed to integrate seamlessly into Microsoft IIS environments. Researchers uncovered multiple variants, each employing distinct mechanisms such as ASP.NET handlers and PHP scripts. The ASP.NET variants hooked into the request pipeline, while the PHP scripts were deployed on misconfigured IIS servers running PHP applications. Both approaches enabled the threat actor to inject JavaScript redirects, malicious iframes, or drive-by download triggers, effectively turning legitimate web servers into conduits for further infection.

4. Web Shells and Persistent Access

To maintain long-term control over compromised servers, the attacker deployed web shells alongside BadIIS modules. These web shells provided a command-and-control interface, allowing the threat actor to upload additional tools, exfiltrate data, and pivot to other network resources. The presence of custom web shells also suggests extensive reconnaissance and post-exploitation activities, enabling the adversary to adapt their payloads and expand their foothold within target environments.
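Web shells dropped next to BadIIS modules leave a recognisable footprint in the server's own access logs: a script path that the application never shipped, reached almost exclusively by POST requests from a handful of clients. The script below is an added example, not code from the report or from the researchers it summarises. It parses a constructed IIS W3C log excerpt (the log lines, the `/uploads/img.aspx` path and the `KNOWN_ENDPOINTS` baseline are all invented for illustration) and flags script paths outside the baseline whose traffic is dominated by POST requests.

```python
"""Heuristic detection of web-shell activity in IIS W3C access logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample excerpt in IIS W3C format; not real data from any incident.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-01-10 08:00:01 10.0.0.5 GET /index.aspx - 203.0.113.10 Mozilla/5.0 200
2025-01-10 08:00:02 10.0.0.5 GET /news/default.aspx id=12 203.0.113.11 Mozilla/5.0 200
2025-01-10 08:00:03 10.0.0.5 POST /login.aspx - 203.0.113.12 Mozilla/5.0 302
2025-01-10 08:00:04 10.0.0.5 GET /images/logo.png - 203.0.113.10 Mozilla/5.0 200
2025-01-10 08:01:00 10.0.0.5 POST /uploads/img.aspx - 198.51.100.7 python-requests/2.31 200
2025-01-10 08:01:05 10.0.0.5 POST /uploads/img.aspx - 198.51.100.7 python-requests/2.31 200
2025-01-10 08:01:09 10.0.0.5 POST /uploads/img.aspx - 198.51.100.7 python-requests/2.31 200
2025-01-10 08:02:00 10.0.0.5 GET /news/default.aspx id=13 203.0.113.13 Mozilla/5.0 200
"""

# Hypothetical baseline: the script endpoints the application is known to expose.
KNOWN_ENDPOINTS = {"/index.aspx", "/news/default.aspx", "/login.aspx"}
# Extensions that execute server-side code and are therefore web-shell candidates.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php")


@dataclass
class PathStats:
    hits: int = 0
    posts: int = 0
    clients: set = field(default_factory=set)


def parse_w3c(text):
    """Yield one dict per record, using the column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspicious_paths(log_text, known=KNOWN_ENDPOINTS, min_post_ratio=0.5):
    """Return script paths outside the baseline whose traffic is mostly POST."""
    stats = defaultdict(PathStats)
    for rec in parse_w3c(log_text):
        path = rec["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s.hits += 1
        s.clients.add(rec["c-ip"])
        if rec["cs-method"].upper() == "POST":
            s.posts += 1

    findings = []
    for path, s in stats.items():
        if path in known:
            continue
        post_ratio = s.posts / s.hits
        if post_ratio >= min_post_ratio:
            findings.append({
                "path": path,
                "hits": s.hits,
                "posts": s.posts,
                "distinct_clients": len(s.clients),
                "post_ratio": round(post_ratio, 2),
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in find_suspicious_paths(SAMPLE_LOG):
        print(finding)
```

The baseline is the important input: on a real server it should be generated from the deployed application's handler mappings and file tree, not typed by hand, and any path the heuristic surfaces should be confirmed by inspecting the file on disk and its creation time rather than by the log alone.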

5. Targeting East and Southeast Asia

The geographic focus of Operation Rewrite was unmistakable: East and Southeast Asia. By tailoring content in regional languages and leveraging local search trends, the attacker optimized the campaign for markets like Vietnam. Domain names and web templates mimicked popular local news outlets and information portals, further increasing the campaign's legitimacy in the eyes of regional users. This localized approach underlines the threat actor's deep understanding of regional search behaviors and cultural nuances.

6. Attribution: Group 9 and DragonRank Links

Analysis of infrastructure overlaps, malware code similarities, and previous campaign tactics point to at least one known group, dubbed Group 9, and possibly a nexus with DragonRank. Indicators include shared command-and-control domains, reuse of encryption routines, and identical web shell functions. While direct attribution remains challenging, the convergence of these Tactics, Techniques, and Procedures (TTPs) supports the hypothesis that these clusters of malicious actors may be collaborating or operating under a common strategic directive.

7. Impact and Response

The operational scale of Operation Rewrite disrupted countless web properties and exposed thousands of end users to malicious payloads. Organizations in affected regions have reported increased incident response costs, data breaches, and reputational damage. In response, security teams have deployed updated intrusion detection rules, reinforced IIS hardening measures, and rolled out web application firewalls capable of detecting anomalous module operations and web shell activities. Collaborative threat intel sharing among regional CERTs has been critical in dismantling the campaign's infrastructure.

8. Lessons Learned and Mitigation Strategies

Operation Rewrite underscores the need for continuous monitoring of search result integrity and rapid response to SEO-based threats. Regular audits of IIS modules, strict validation of server-side components, and immediate removal of unauthorized web shells form the backbone of an effective defense. Security practitioners should also engage in proactive threat hunting, leveraging indicators from DragonRank and Group 9 campaigns to anticipate the evolution of BadIIS variants and other SEO poisoning tactics.
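Section 3 describes BadIIS variants that hook the IIS request pipeline as native modules or ASP.NET handlers, and section 8 calls for regular audits of IIS module registrations. Both come down to the same check: every module and handler IIS loads is declared in `applicationHost.config` or a site's `web.config`, so the registrations can be diffed against a baseline. The script below is an added example, not code from the report or from the researchers behind it. It walks a constructed configuration excerpt (the module names, DLL paths and the `ImageHandler` entry are invented) and flags native modules whose image lives outside the IIS and .NET install directories or is absent from a hypothetical baseline, and managed handlers whose type is not in a `System.Web` namespace. The trusted-directory and baseline lists are assumptions to be replaced with a known-good export from the server being audited.

```python
"""Audit IIS globalModules and handler registrations against a baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of applicationHost.config / web.config;
# not a configuration taken from any real host.
SAMPLE_CONFIG = """\
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="IISCacheModule" image="C:\\inetpub\\temp\\iiscache.dll" />
    </globalModules>
    <handlers>
      <add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG"
           type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
      <add name="ImageHandler" path="*.img" verb="*" type="Web.Utils.ImgHandler, WebUtils" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Assumption: native IIS modules normally ship from these two directory trees.
TRUSTED_IMAGE_DIRS = (r"%windir%\system32\inetsrv", r"%windir%\microsoft.net")
# Hypothetical baseline of module names exported from a known-good server.
BASELINE_MODULES = {"staticfilemodule", "defaultdocumentmodule"}
# Assumption: managed handlers supplied by the framework live in these namespaces.
TRUSTED_TYPE_PREFIXES = ("system.web.", "system.webserver.")


def _normalize_path(p):
    return p.strip().lower().replace("/", "\\")


def audit_native_modules(root, baseline):
    """Flag <globalModules><add> entries that are unknown or loaded from odd locations."""
    findings = []
    for section in root.iter("globalModules"):
        for mod in section.findall("add"):
            name = mod.get("name", "")
            image = mod.get("image", "")
            reasons = []
            if name.lower() not in baseline:
                reasons.append("module name not in baseline")
            if not _normalize_path(image).startswith(TRUSTED_IMAGE_DIRS):
                reasons.append("image outside trusted IIS/.NET directories")
            if reasons:
                findings.append({"kind": "native_module", "name": name,
                                 "image": image, "reasons": reasons})
    return findings


def audit_managed_handlers(root):
    """Flag <handlers><add> entries whose managed type is not a framework type."""
    findings = []
    for section in root.iter("handlers"):
        for h in section.findall("add"):
            htype = h.get("type", "")
            if not htype:
                continue  # native/FastCGI mapping; covered by module and script-processor review
            if not htype.lower().startswith(TRUSTED_TYPE_PREFIXES):
                findings.append({"kind": "managed_handler", "name": h.get("name", ""),
                                 "path": h.get("path", ""), "verb": h.get("verb", ""),
                                 "type": htype,
                                 "reasons": ["handler type outside System.Web namespaces"]})
    return findings


def audit_iis_config(xml_text, baseline=BASELINE_MODULES):
    """Parse an IIS configuration document and return all findings."""
    root = ET.fromstring(xml_text)
    return audit_native_modules(root, baseline) + audit_managed_handlers(root)


if __name__ == "__main__":
    for finding in audit_iis_config(SAMPLE_CONFIG):
        print(finding)
```

Run against an export of the live configuration (for example the output of `appcmd list config /section:globalModules` and `/section:handlers` saved as XML), every finding should be resolved by locating the DLL or assembly on disk, checking its signature and timestamps, and comparing with the change history for that server; a legitimate in-house handler belongs in the baseline, an unexplained one is removed and the host is treated as compromised.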



