Introduction
In November 2025, Elastic Security Labs observed an intrusion affecting a multinational organization based in Southeast Asia. During the analysis of this activity, our team observed various post-compromise techniques and tooling used to deploy BADIIS malware onto a Windows web server. These observations align with previous reporting from Cisco Talos and Trend Micro from last year.
This threat group has amassed more victims and is coordinating a large-scale SEO poisoning operation from countries across the globe. Our visibility into the campaign indicates a complex, geotargeted infrastructure designed to monetize compromised servers by redirecting users to a broad network of illicit websites such as online gambling platforms and cryptocurrency schemes.
Key takeaways
- Elastic Security Labs observes large-scale SEO poisoning campaigns targeting IIS servers with BADIIS malware globally, impacting over 1,800 Windows servers
- Compromised servers are monetized through a web of infrastructure used to target users with gambling advertisements and other illicit websites
- Victim infrastructure includes governments, various corporate organizations, and educational institutions from Australia, Bangladesh, Brazil, China, India, Japan, Korea, Lithuania, Nepal, and Vietnam
- This activity corresponds with the threat group, UAT-8099, identified by Cisco Talos last October, and is consistent with prior reporting from Trend Micro
Campaign Overview
REF4033 is a Chinese-speaking cybercrime group responsible for a massive, coordinated SEO poisoning campaign that has compromised more than 1,800 Windows web servers worldwide using a malicious IIS module called BADIIS.
The campaign operates through a two-phase process:
- First, it serves keyword-stuffed HTML to search engine crawlers to poison search results, and
- Next, it redirects victims to a sprawling "vice economy" of illicit gambling platforms, pornography, and sophisticated cryptocurrency phishing sites, such as a fraudulent clone of the Upbit exchange.
By deploying the BADIIS malware, a malicious IIS module that integrates directly into a web server's request processing pipeline, the group hijacks the web servers for legitimate government, educational, and corporate domains. This high-reputation infrastructure is used to manipulate search engine rankings, thereby allowing attackers to intercept web traffic and facilitate widespread financial fraud.
Intrusion activity
In November 2025, Elastic Security Labs observed post-compromise activity from a Windows IIS server from an unknown attack vector. This threat actor moved quickly, progressing from initial access to IIS module deployment in less than 17 minutes. The initial enumeration was performed via a webshell running under the IIS worker process (w3wp.exe). The attacker conducted initial discovery and then created a new user account.
Shortly after the account was created and added to the Administrators group, Elastic Defend generated several alerts related to a newly created Windows service, WalletServiceInfo. The service loaded an unsigned ServiceDLL (C:\ProgramData\Microsoft\Windows\Ringtones\CbsMsgApi.dll) and subsequently executed direct syscalls from the module.
Next, we saw the threat actor harden their access by using a program called D-Shield Firewall. This software provides additional security features for IIS servers, including preventive protections and capabilities to add network restrictions. To proceed with the investigation, we used the observed imphash (1e4b23eee1b96b0cc705da1e7fb9e2f3) of the loader (C:\ProgramData\Microsoft\Windows\Ringtones\CbsMsgApi.exe) to obtain a loader sample from VirusTotal for our analysis.
To collect a sample of the malicious DLL used by this loader, we performed a VirusTotal search on the name (CbsMsgApi.dll). We found 7 samples submitted using the same filename. The group behind this appears to have been using a similar codebase since September 2024. Most of these samples employ VMProtect, a commercial code-obfuscation framework, to hinder static and dynamic analysis. Fortunately, we used an older, non-protected sample to gain additional insight into this attack chain.
Code analysis - CbsMsgApi.exe
The group employs an attack workflow that requires several files staged by the attacker to deploy the malicious IIS module. The execution chain begins with the PE executable, CbsMsgApi.exe. This file contains Chinese Simplified strings, including the PDB string (C:\Users\Administrator\Desktop\替换配置文件\w3wpservice-svchost\x64\Release\CbsMsgApi.pdb).
After launch, this program creates a Windows service, WalletServiceinfo, which configures a ServiceDLL (CbsMsgApi.dll) that runs under svchost.exe, similar to this persistence technique.
This newly created service focuses on stealth and anti-tampering by modifying the security descriptor of the service with the following command-line:
sc sdset "WalletServiceInfo" "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"Code analysis - CbsMsgApi.dll
The main component of this attack sequence is the ServiceDLL (CbsMsgApi.dll). The malicious DLL stages the BADIIS IIS native modules and alters the IIS configuration to load them into the request pipeline of the DefaultAppPool.
During this attack, the threat actor stages three files masquerading within the System32\drivers folder:
C:\Windows\System32\drivers\WUDFPfprot.sysC:\Windows\System32\drivers\WppRecorderpo.sysC:\Windows\System32\drivers\WppRecorderrt.sys
Two of these files (WppRecorderrt.sys, WppRecorderpo.sys) represent the malicious 32-bit / 64-bit BADIIS modules. The other file (WUDFPfprot.sys) represents configuration elements that will be injected into the IIS’s existing configuration. Below is an example configuration used during our analysis. Of note is the module name WsmRes64 (more information on this DLL is detailed in the IIS Modules Analysis (WsmRes32.dll / WsmRes64.dll) section below):
<globalModules>
<add name="WsmRes64" image="C:\Windows\Microsoft.NET\Framework\WsmRes64.dll" preCondition="bitness64" />
</globalModules>
<modules>
<add name="WsmRes64" preCondition="bitness64" />
</modules>The malware uses the CopyFileA function to move the contents from the masqueraded files into the .NET directory (C:\Windows\Microsoft.NET\Framework).
Next, the malware parses the DefaultAppPool.config file, examining each node to update the <globalModules> and <modules> nodes. The module will inject configuration content from the previously masqueraded file (WUDFPfprot.sys), updating the IIS configuration via a series of append operations.
Below is an example of the newly added global module entry that references the BADIIS DLL.
Upon successful execution, the BADIIS module is installed on the IIS server and becomes visible as a loaded module in the w3wp.exe worker process.
IIS Modules Analysis (WsmRes32.dll / WsmRes64.dll)
The following section will describe the functionality of BADIIS modules. These modules facilitate the conditional injection or redirection of malicious SEO content based on criteria such as the User-Agent or Referer header value. This technique ensures that malicious content remains hidden during normal use, thereby allowing the modules to remain undetected for as long as possible.
Upon initialization, the module downloads content from URLs defined in its configuration. These URLs are stored in an encrypted format and decrypted using the SM4 algorithm (a Chinese national standard block cipher) in ECB mode with the key “1111111122222222”. In older samples, the AES-128 ECB algorithm was used instead.
Each URL in the configuration points to a static .txt file that contains a second-stage resource. The list below details these source files and their specific roles:
| Example configuration URL | File Name | Content Description |
|---|---|---|
hxxp://kr.gotz003[.]com/krfml/krfmlip.txt | *fmlip.txt | Contains a URL pointing to a fake CSS file, google.css, that lists subnets used for filtering requests. |
hxxp://kr.gotz003[.]com/krfml/krfmltz.txt | *fmltz.txt | Contains a link to the target URL used for user redirections. |
hxxp://kr.gotz003[.]com/krfml/krfmllj.txt | *fmllj.txt | Contains a link to the malicious SEO backlinks intended for injection. |
hxxp://kr.gotz003[.]com/krfml/krfmldz.txt | *fmldz.txt | Contains the link to the SEO content generator. |
These URLs point to region-specific files, prefixed with the corresponding country code. While the examples above focus on Korea (hxxp://kr.domain.com), equivalent files exist for other regions, such as Vietnam (VN), where filenames are prefixed with "vn" rather than "kr"(hxxp://vn.domain.com).
The BADIIS module registers within the request processing pipeline, positioning itself as both the first and the last handler. For each request, the module verifies specific properties and selects an injection or redirection strategy based on the results. We have three types of injection:
| Source | Injection Method | Description |
|---|---|---|
*fmltz.txt | Full page replacement | HTML loader with progress bar + auto-redirect + Google Analytics tracking |
*fmldz.txt | Full page replacement | Direct link to SEO content, built with index.php?domain=<host>&uri=<original_link> |
*fmllj.txt | Inline injection | SEO backlinks injected after <body> or <html> tag in existing response |
To distinguish between bot and human traffic, the module checks against the following list of Referers and User-Agents.
Referers: bing, google, naver, daum
User agents: bingbot, Googlebot, Yeti, Daum
The default injection strategy targets search engine crawlers accessing a legitimate page on the compromised site.
In this scenario, the SEO backlinks are retrieved from the secondary link and injected into the page to be crawled by search engine bots. The downloaded backlinks that are injected into the infected page primarily target other local pages within the domain, whereas the remainder point to pages on other infected domains. This is a key aspect of the link-farming strategy, which involves creating large networks of sites that link to one another and manipulate search rankings.
The local pages linked by the backlinks do not exist on the infected domain, so visiting them results in a 404 error. However, when the request is intercepted, the malware checks two conditions: whether the status code is not 200 or 3xx, and whether the browser's User-Agent matches a crawler bot. If so, it downloads content from an SEO page hosted on its infrastructure (via a link in the *fmldz.txt file from its configuration URL) and returns a 200 response code to the bot. This target URL is built using 'domain' and 'uri' parameters that contain the infected domain name and the resource the crawler originally attempted to access.
Finally, if a user requests a page that does not exist and arrives with a Referer header value listed by the malware, the page is replaced by a third type of content: a landing page with a loading bar. This page uses JavaScript to redirect the user to the link contained in the *fmltz.txt file, which is obtained via its configuration link.
Optionally, if enabled, the request is executed only when the User-Agent matches a mobile phone, ensuring the server targets mobile users exclusively.
The list of mobile User-Agents is listed below:
Devices: iPhone, iPad, iPod, iOS, Android, uc (UC Browser), BlackBerry, HUAWEI
If the option is enabled and the infected server's IP address matches the subnet list in the google.css file downloaded from the *fmlip.txt file, the server serves the standard SEO content instead of the landing/redirection page.
The landing page includes JavaScript code containing an analytics tag—either Google Analytics or Baidu Tongji, depending on the target region—to monitor redirections. While the exact reason for using server IP filtering to restrict traffic remains unclear, we speculate that it is linked to these analytics and implemented for SEO purposes.
We identified the following Google tags across the campaign:
G-2FK43E86ZMG-R0KHSLRZ7N
As well as a Baidu Tongji tag:
B59ff1638e92ab1127b7bc76c7922245
Campaign Analysis
Based on similarity in URL patterns (<country_code>fml__.txt, <country_code>fml/index.php), we discovered an older campaign dating back to mid-2023 that was using the following domains as the configuration server.
tz123[.]apptz789[.]app
tz123[.]app was disclosed in a Trend Micro BADIIS campaign summary IOC list, published in 2024 . Based on the first submission dates on VT for samples named ul_cache.dll and communicating with hxxp://tz789[.]app/brfmljs[.]txt, some are also submitted under the filename WsmRes64.dll. This naming convention is consistent with the BADIIS loader component analyzed in the prior section. The earliest sample we discovered on VT was first submitted on 2023-12-12.
For REF4033, the infrastructure is split between two primary configuration servers.
- Recent campaigns (
gotz003[.]com): Currently serves as the primary configuration hub. Further analysis has identified 5 active subdomains categorized by country codes:kr.gotz003[.]com(South Korea)vn.gotz003[.]com(Vietnam)cn.gotz003[.]com(China)cnse.gotz003[.]com(China)bd.gotz003[.]com(Bangladesh)
- Legacy infrastructure (
jbtz003[.]com): Used in older campaign iterations, though several subdomains remain operational: br.jbtz003[.]com(Brazil)vn.jbtz003[.]com(Vietnam)vnbtc.jbtz003[.]com(Vietnam)in.jbtz003[.]com(India)cn.jbtz003[.]com(China)jp.jbtz003[.]com(Japan)pk.jbtz003[.]com(Pakistan)
At its core, the recent campaign monetizes compromised servers by redirecting users to a vast network of illicit websites. The campaign is heavily invested in the vice economy, targeting Asian audiences, such as unregulated online casinos, pornography streaming, and explicit advertisements for prostitution services.
It also poses a direct financial threat. One example was a fraudulent cryptocurrency staking platform hosted at uupbit[.]top, impersonating Upbit, South Korea’s largest cryptocurrency exchange.
The campaign’s targeting logic largely mirrors the compromised infrastructure's geography, establishing a correlation between the server’s location and the user’s redirection target. For instance, compromised servers in China funnel traffic to local gambling sites, while those in South Korea redirect to the fraudulent Upbit phishing site. The exception to this pattern involved compromised infrastructure in Bangladesh, which the actors configured HTTP redirects to point to non-local, Vietnamese gambling sites.
We have observed several different redirection loading pages throughout the clusters. Below is an example of the user redirection template for a sample targeting VN victim infrastructure. This template uses a Google tag and is very similar to one of the templates described in Cisco Talos’ UAT-8099 research.
A more consistent template observed across the victim clusters is shown in the snippet below, particularly the progress bar logic. Since the sample targets CN victim infrastructure, Baidu Tongji is used for tracking victim redirection.
We discovered several clusters (some with overlaps) of compromised servers from URLs containing backlinks in the following list:
http://kr.gotz001[.]com/lunlian/index.phphttp://se.gotz001[.]com/lunlian/index.phphttps://cn404.gotz001[.]com/lunlian/index.phphttps://cnse.gotz001[.]com/lunlian/index.phphttps://cn.gotz001[.]com/lunlian/index.phphttps://cn.gotz001[.]com/lunlian/indexgov.phphttps://vn404.gotz001[.]com/lunlian/index.phphttps://vn.gotz001[.]com/lunlian/index.phphttp://bd.gotz001[.]com/lunlian/index.phphttp://vn.jbtz001[.]com/lunlian/index.phphttps://vnse.jbtz001[.]com/lunlian/index.phphttps://vnbtc.jbtz001[.]com/lunlian/index.phphttps://in.jbtz001[.]com/lunlian/index.phphttps://br.jbtz001[.]com/lunlian/index.phphttps://cn.jbtz001[.]com/lunlian/index.phphttps://jp.jbtz001[.]com/lunlian/index.phphttps://pk.jbtz001[.]com/lunlian/index.php
Within the scope of REF4033, more than 1800 servers were impacted globally, and the campaign demonstrates a clear geographic focus on the APAC region, with China and Vietnam accounting for approximately 82% of all observed compromised servers (46.1% and 35.8%, respectively). Secondary concentrations are observed in India (3.9%), Brazil (3.8%), and South Korea (3.4%), although these represent a minority of the overall campaign footprint. Notably, approximately 30% of compromised servers reside on major cloud platforms, including Amazon Web Services, Microsoft Azure, Alibaba Cloud, and Tencent Cloud. The remaining 70% of victims are distributed across regional telecommunications providers.
The victim profile spans diverse sectors, including government agencies, educational institutions, healthcare providers, e-commerce platforms, media outlets, and financial services, indicating large-scale opportunistic exploitation rather than targeted exploitation. Government and public administration systems represent approximately 8% of identified victims across at least 5 countries (.gov.cn, .gov.br, .gov.bd, .gov.vn, .gov.in, .leg.br).
REF4033 through MITRE ATT&CK
Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that threats use against enterprise networks.
Tactics
Tactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.
Techniques
Techniques represent how an adversary achieves a tactical goal by performing an action.
- Exploit Public-Facing Application
- Server Software Component: IIS Components
- Create Account: Local Account
- Create or Modify System Process: Windows Service
- Hijack Execution Flow: Services Registry Permissions Weakness
- Obfuscated Files or Information: Software Packing
- Masquerading: Match Legitimate Name or Location
- System Information Discovery
Remediating REF4033
Prevention
- Suspicious Microsoft IIS Worker Descendant
- Potential Privilege Escalation via Token Impersonation
- Privilege Escalation via SeImpersonatePrivilege
- Direct Syscall from Unsigned Module
- Suspicious Windows Service DLL Creation
- Suspicious Svchost Registry Modification
- Security Account Manager (SAM) Registry Access
YARA
Elastic Security has created YARA rules to identify this activity.
Observations
The following observables were discussed in this research.
| Observable | Type | Name | Reference |
|---|---|---|---|
055bdcaa0b69a1e205c931547ef863531e9fdfdaac93aaea29fb701c7b468294 | SHA-256 | CbsMsgApi.exe | Service Installer |
2340f152e8cb4cc7d5d15f384517d756a098283aef239f8cbfe3d91f8722800a | SHA-256 | CbsMsgApi.dll | ServiceDLL |
c2ff48cfa38598ad514466673b506e377839d25d5dfb1c3d88908c231112d1b2 | SHA-256 | CbsMsgApi.dll | ServiceDLL |
7f2987e49211ff265378349ea648498042cd0817e131da41156d4eafee4310ca | SHA-256 | D_Safe_Manage.exe | D-Shield Firewall |
1b723a5f9725b607926e925d1797f7ec9664bb308c9602002345485e18085b72 | SHA-256 | WsmRes64.idx | 64-bit BADIIS module |
1f9e694cac70d089f549d7adf91513f0f7e1d4ef212979aad67a5aea10c6d016 | SHA-256 | WsmRes64.idx2.sc | 64-bit BADIIS module |
c5abe6936fe111bbded1757a90c934a9e18d849edd70e56a451c1547688ff96f | SHA-256 | WsmRes32.idx | 32-bit BADIIS module |
gotz003[.]com | domain-name | BADIIS config server (primary) | |
jbtz003[.]com | domain-name | BADIIS config server (legacy) | |
gotz001[.]com | domain-name | BADIIS SEO content and backlinks server (primary) | |
jbtz001[.]com | domain-name | BADIIS SEO content and backlinks server (primary) |
References
The following were referenced throughout the above research: