ChannelLife India - Industry insider news for technology resellers

BADIIS malware hijacks IIS servers for covert SEO fraud

Fri, 13th Feb 2026

Elastic Security Labs has detailed a campaign that compromises Windows IIS servers and turns them into covert link farms. The attackers manipulate search results to steer users to illicit gambling sites and cryptocurrency phishing pages.

Tracked internally as REF4033, the activity centres on BADIIS malware and has affected more than 1,800 servers worldwide. The compromised infrastructure sits behind legitimate websites and services, which are then folded into a broader network designed to boost selected destinations in search rankings.

The research indicates an Asia-Pacific focus and identifies Australia as a targeted region for victim infrastructure. Elastic reports that some local government and education servers have been hijacked and repurposed. It describes the intrusions as "silent" because the servers keep serving their normal content to administrators while performing the malicious functions in the background.

SEO poisoning

Black Hat SEO, also known as SEO poisoning, manipulates search engines to place malicious or dubious pages prominently for relevant searches. The technique can exploit weaknesses in how search engines discover and rank content, and often involves compromising trusted domains so attackers can piggyback on their reputation.

Elastic characterises this campaign as more organised and monetised than “SEO spam” implies. Instead of hosting malicious pages on throwaway domains, the actors compromise web servers and turn them into assets that feed a broader marketplace for traffic and referrals.

Victims are often identified through mass scanning and automated targeting rather than chosen individually. Elastic assesses that common targets include government agencies, healthcare organisations and financial institutions, groups that often run long-lived web infrastructure and complex environments where a compromise can be harder to spot quickly.

Hidden in plain sight

Elastic describes BADIIS as “context-aware,” changing what a site serves depending on who visits. Search engine crawlers such as Googlebot are shown malicious content, while ordinary visitors and system administrators see normal pages. This reduces the chance of manual discovery and helps poisoned pages surface in search results.
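A quick way to test a site for this kind of cloaking from outside the server is to request the same URL twice, once with a browser User-Agent and once with Googlebot's, and compare what comes back. The PowerShell script below is an added example written for this article, not code from Elastic's report. It assumes the cloaking decision is keyed on the User-Agent header (some cloakers also key on the source IP address, which a probe from an ordinary network cannot reproduce, so an identical result does not prove a clean site) and takes the URL to check as a parameter.

```powershell
# Added example (not from Elastic's report): fetch one URL as a browser and
# as Googlebot and compare the two responses. A site that serves different
# content to the crawler is exhibiting the cloaking described above.
# Assumes the cloaking decision is keyed on the User-Agent header.
param(
    [Parameter(Mandatory = $true)][string]$Url
)

$agents = [ordered]@{
    # Plausible desktop browser string (constructed for this example)
    Browser   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
    # Googlebot's published desktop crawler string
    Googlebot = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
}

function Get-PageView {
    param([string]$Uri, [string]$UserAgent)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -TimeoutSec 20 -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Status = 'error'; Title = ''; Hosts = @(); Length = 0; Hash = '' }
    }
    $html  = [string]$r.Content
    $title = if ($html -match '(?is)<title[^>]*>(.*?)</title>') { $Matches[1].Trim() } else { '' }
    # Outbound link targets: injected gambling/crypto links point at domains
    # the site has no reason to reference.
    $hosts = @([regex]::Matches($html, '(?i)href\s*=\s*["'']?(https?://[^"''\s>]+)') |
               ForEach-Object { try { ([uri]($_.Groups[1].Value)).Host } catch { } } |
               Where-Object { $_ } |
               Sort-Object -Unique)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hash   = [BitConverter]::ToString($sha256.ComputeHash([Text.Encoding]::UTF8.GetBytes($html))).Replace('-', '')
    [pscustomobject]@{ Status = $r.StatusCode; Title = $title; Hosts = $hosts; Length = $html.Length; Hash = $hash }
}

$views = @{}
foreach ($name in $agents.Keys) {
    $v = Get-PageView -Uri $Url -UserAgent $agents[$name]
    $views[$name] = $v
    '{0,-10} status={1} length={2} hosts={3} title="{4}"' -f $name, $v.Status, $v.Length, $v.Hosts.Count, $v.Title
}

if ($views.Browser.Hash -eq $views.Googlebot.Hash) {
    'Identical response for both user agents: no User-Agent cloaking observed.'
} else {
    'Responses differ by user agent.'
    # Hosts linked only in the crawler view are the strongest indicator.
    $onlyForBot = @($views.Googlebot.Hosts | Where-Object { $_ -notin $views.Browser.Hosts })
    if ($onlyForBot.Count) {
        'Outbound hosts shown only to Googlebot:'
        $onlyForBot | ForEach-Object { "  $_" }
    }
}
```

Save it as Check-Cloaking.ps1 and run `.\Check-Cloaking.ps1 -Url https://example.org/` against each site you are responsible for. Outbound hosts that appear only in the crawler view are the clearest signal; a different title or a much larger response for Googlebot is also worth a look. A `site:yourdomain` search for gambling or cryptocurrency terms is a useful complement, since it shows what the search engine has already indexed.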

“Victims find these malicious websites, but security teams tend to miss them because Google search results are opaque. It's somewhat invisible, occurring automatically through web crawling,” said Devon Kerr, Elastic's Director of Security Research.

In Australia, compromised servers have been used to funnel users into what Elastic calls a "vice economy" of unregulated gambling and cryptocurrency phishing schemes. Examples include a fraudulent platform impersonating the cryptocurrency exchange Upbit, an approach that typically aims at account takeover and theft of funds or crypto assets.

Advice for users

Kerr urged users not to treat search ranking as a trust signal. “Just because a site is the top result on Google doesn't mean it's safe. Hackers are spending thousands to buy that trust through SEO poisoning. If a site feels unknown or off, stay away,” he said.

He also warned of credential theft and financial loss from convincing but malicious pages. “The primary goal here is credential and financial theft. Never share personal or financial info on a site you weren't specifically looking for,” Kerr said.

Security teams face a different challenge because poisoned content may not appear during routine checks. Elastic recommends looking for signs an IIS server has been altered in ways not visible through standard monitoring or content inspection. Kerr said the malware uses techniques meant to evade common controls and alerting: a native IIS module runs inside the worker process itself, and direct syscalls sidestep the user-mode API hooks that many endpoint agents rely on. "Look for the silent signals. This malware uses unsigned modules and direct syscalls to evade standard alerts and fly under the radar of unmonitored systems. If you aren't proactively hunting for these subtle behaviors, you're missing the breach," he said.
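For the server-side hunt Kerr describes, the first thing to enumerate is the list of native modules IIS loads into every worker process, because that is where an unsigned module would sit. The PowerShell script below is an added example, not Elastic's tooling. It uses the WebAdministration module that ships with IIS, assumes a default installation under %windir%\System32\inetsrv (adjust the path if IIS is installed elsewhere), and must be run elevated on the IIS host.

```powershell
# Added example (not Elastic's tooling). Run elevated on the IIS host.
# Enumerates the native modules IIS loads into every worker process, resolves
# each DLL, checks its Authenticode signature and notes whether it lives
# outside the stock inetsrv directory (an assumed default install path).
Import-Module WebAdministration -ErrorAction Stop

$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$report = foreach ($m in Get-WebGlobalModule) {
    $path = [Environment]::ExpandEnvironmentVariables($m.Image)
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{
            Module = $m.Name; Path = $path; Signature = 'FileMissing'; Signer = ''
            SHA256 = ''; Created = $null; Outside = $true; Suspicious = $true
        }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $item   = Get-Item -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Module     = $m.Name
        Path       = $path
        Signature  = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer     = $signer
        SHA256     = $hash
        Created    = $item.CreationTimeUtc
        Outside    = -not $path.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
        # An unsigned or tampered module is the signal Kerr describes; a valid
        # signature from a non-Microsoft signer still deserves a look.
        Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Module, Signature, Outside, Suspicious, Path -AutoSize

$bad = @($report | Where-Object Suspicious)
if ($bad.Count) {
    "`n$($bad.Count) module(s) need review. Hash and preserve the DLL before removing it:"
    $bad | ForEach-Object { '  {0}  sha256={1}  created={2:u}' -f $_.Path, $_.SHA256, $_.Created }
} else {
    "`nAll global modules are signed by Microsoft."
}
```

A Valid status is not clearance on its own: check that the signer is Microsoft for anything under inetsrv, and treat a module DLL with a creation time the server's change records do not account for as worth pulling for analysis. Stock Microsoft DLLs outside inetsrv are expected (the managed engine lives under %windir%\Microsoft.NET, for example); an unsigned DLL anywhere in this list is not. Compare the list with a known-good server of the same role, and keep the hashes so the same module can be searched for across the estate.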

Threat actors

Elastic links the activity to a threat group tracked as UAT-8099. The scale suggests a repeatable process, including automated discovery of vulnerable servers and an operational workflow for maintaining link infrastructure across many compromised hosts.

Using compromised servers as intermediaries also complicates enforcement. Taking down a phishing page or gambling domain does not remove the underlying infrastructure that promotes it. As long as legitimate servers remain compromised, attackers can rotate destinations and continue manipulating discovery through search engines.

Elastic says the techniques reflect an effort to remain difficult to detect in production environments, including the use of unsigned components and low-level system interactions. Kerr said he is available to discuss how attackers are exploiting search engines as a distribution channel for fraud and credential theft.