Chinese-Speaking Group Manipulates SEO with BadIIS

    Monday, February 10, 2025 In: Threat Research Print

    Date: 02/10/2025

    Severity: High

    Summary

    Our researchers identified an SEO manipulation campaign emphasizing the importance of organizations using Internet Information Services (IIS) to stay updated and patched to prevent exploitation by malware like BadIIS. The campaign appears financially motivated, as it redirects users to illegal gambling websites, indicating attackers deploy BadIIS for profit. It has already impacted countries in Asia, including India, Thailand, and Vietnam, but its reach could extend globally.

    Indicators of Compromise (IOC) List

    Domains\Urls :

    chem-db.com

    vnfll22.keeploong.com

    se2.ggseocdn.com

    se2.ggseocdn2.com

    www.xxxx.vip

    js.targetedtrafficcrew.com

    all.targetedtrafficcrew.com

    ll.olacityviet.com

    798.toptopkm88.com

    site.toptopkm88.com

    link.toptoplm88.com

    www.m2313.com

    br.zmdesf.cn

    br.ruicaisiwang.com

    tz123.app

    www.xiagao886.com

    js.cloudflare.cyou

    newth.googlecache.cc

    newthmap.googlecache.cc

    phpmap.googlecache.cc

    vn6789sky.com

    wailian.vn6789sky.com

    sitemap.bet277.vip

    sitemap1.bet277.vip

    brcknkblue.com

    wailian.brcknkblue.com

    eglotanygfa.vip

    wailian.eglotanygfa.vip

    yyds.tmpdrsh.com

    proxy.xxxx.com

    tdk.798love.com

    spider.xxxx.com

    jumpsexxx.com

    www.jumpiis8.com

    six2fc.com

    yitongmingde.com

    qiqiguaiguai2.xyz

    jsc.olacityviet.com

    jsc.bet277.vip

    lucky.668823.com

    bb.vdfskis888.com

    link.vdfskis888.com

    ldy.vdfskis888.com

    th.ntxx.cn

    topck008.com

    link.topck008.com

    googleseo.life

    bryyds.com

    dk8.zone

    dk8.land

    668th.com

    js.officefonts-clo.com

    aafd.tv

    vg9920.store

    vn.coronavg99.com

    coronavg99.xyz

    s995.vip

    zavinac.net

    wailian.zavinac.net

    89vq.me

    tdkgpt.yyds6686.com

    html.aafd.tv

    IP Address : 

    185.106.178.76

    38.207.248.230

    154.7.64.81

    154.7.64.81

    156.229.134.13

    45.120.81.62

    Hash : 

    8a49966eb90acc5c05a6bba523f1dd0d58127ab731d44c7304204fa02bf61186

bbf9d7dafba979ef9c1e8531a20d3bea1adcdbb628816ce8781d7eeb6292f265

33e5e5e773d1909004d4b38a0e4e3e97e46cbdb7b17f94b28fce2c9ad0a375d3

c732067b3d8763c248051366ab7beeae0d7fbe105884d4d3f8647e3427f36daf

59b416efff07208dc8b1c98a6f754e3abc14e55d71971ddc5581f6bc7ca45837

fe14c579308d356c64bd3be9365014de805a17abab8cb741e2817b8451a92f64

5d838c0dbf164b26c4c5dc20f96d3bf48a5f9fde88bbc1dd02c08007bb184d86

13f094d3eebe9d700360868006ac022a622ec606628adcc3782123d5092224d1

61913e0a38282a42b26aff578da17dab60ac0fbee819fa42db5497cc5cf55760

03bc0ddfa59cfa290c426396f1c5fff45bd2c3ef90152cafc7c662c075dfc7d8

f9017361349421728fc1ac1bc1549b3d23b35bd795f0a83be2e9e517bccaccdc

42906ac10d053eec10c05e2eeebcb06a7d6b307dc0d18083151dff3e0ac70022

a2a9dcdfc6f0aab577bc0f2750ff44050034c0f1c2f8b325a246f4dfe5f33219

bb9b0b20d239b2f5fe6da31fc2d13ec4ba6083238df68befd33d7521570d334e

08f965f640a3ec1c3aa9c31033455fad02550485d0d5b6fe33553d374775f18a

65967f471440449d2f1b615ff1338b8082b0481b617eda4d9f21a9f102b98859

c75a9a104e340473b72140127f3039a08f99a334887afc100d09cffa3c4c8e24

7b190719c3fb9c0bde074981adaf5b04356c9c48fa2fccdb334c4ae218f66fc0

2496bfe15e283affdfcd7f1de9134227671e2cddfb726b46829fa966abb9ac96

2ec893440e04de55bc6bbe4b1db76df532aa42d3140a15dc5365ef520a1d4247

9fbae4ed1de2b09af9a246a021f2a7fc8667492d459ac346eba6719509c41c5a

f1dcd2809a001a0d0ea3221939f7afd2ef9e5bf468709bd91abd70c902c42d45

7ccdd8966adf04ddd9b24dac0d1b8642968598a88ec3f5048b279843bffefb84

facfea68fe95fc81e3b6e04f79fbcba738c79b4de2d0238e4e5a8ba095a2516d

01577f5b0869154fb678bcf86eef50afceb5fc189c87b2085fe5fcdf74cd6ff0

a01ae86a356373f0d3e1b843f50243394308a96bd01978b33e4a91c0f0b19cce

a0bb95eafc9913633c7e27f0f1e6c81eb4c138a809c109ad3abae5fcc47c2cbd

a4906b40232726948f6a5357ad0ee9445512b422ae510d2ef08bd9cf516852bd

6edb1fd609c7e011cd42656af67baf5271d8212933a8c964604d138306b9565f

5b497b4205427198fc922c74cad8275b4256579f8bb5a1f1dbad7151630288a0

7321d599e777088356d7549e638b6b67fc43fc5c9f0c8846ee5aa7f47e35c2eb

ed3882a77cdc372f647e647b66979525a50054a580b43499ce5a97864d772730

24aafe0a2033e2e5ca231ebca0e3c56740754a97ca1f5062305e6b30222fc0ee

e09067e3e134e620b69117caf5bee54c1066b7259b74ddf2399afc64116690c9

e3197285c98965ca0522d3683c0d656e4ab1f8335ca322e1ae8c06b79dfd9b9c

1bb1187daff9610a0c142b48bc04d3e883344ca0eca8fe915d6a02fb3e7571ff

e927d6ea1fdc27c0ae9eb55254bbbd4f501f14ae02e499d7d20cdd83af479b20

df75b0b8ea1f75f0039c158c89e413ed6c4352309cc2cfa282afd1857676a88c

a35f810ed9ffd884d0599aa391d0043ad955e821f8144089116b15f01b8a932b

4091ddc3560fb60bd3ef071367fd833d67c3c6e3e81165aa3d93519b93959658

1cb60c7a121187978661b4bda84279f2324a5779b3f58bac11470a73fe544f6a

8fee015ae0e978e39af2cd1ca74b29202e702d296c110f3a7a90dfadce28d4a6

2e20ce7bc1e653737f05c910759fd2e420fe28f77f80a6d8e7c9346809e4dce7

12e4817abc69918b8556a4f18371c803db3d5191031cb56f835ec33cdb12f0d9

22cebb4f0fe6f4377e91b1e19204eff0f744d316b8c900377d8db4aa4f457801

cc67b50d746b23b9bc6fc12dde8c64d72c7f856521787b964598672d83525915

79b7fe6db452edd3077fb55906beea64c19087a19e5fb35211dd80975db74f9e

a68d83fd210b8ca21370a0f38da8fc0dd20b081e69beef911060924aa708a280

18939c40dd601550da9f07d8115f4b19bec422df4ada9358bac9bd9e9ac94e94

8ae43e6bd2cf0f8ced8f888226a4d6d06a7b03552e9af3d3cde35bb1d9724867

ffceed66dd9935c92ff7922bd5fdfde08e9a2ff78dd3a76dc65a200305779b9c

fec618c4f832d8a182fc1d3b9e58a0bff1a62241a1d17108e84ed1f0c4bb7845

6503770b34c53025793f1674af87d80a8f6ed44b5780490796012a2b771b8f84

e3c73f76f7b08ab6e223918a5b961201f60934ec95e5362529a42c1655395443

21a61777b0f725dd0dbdb2ecd0dd66e952012e94894e71c306059990c2afe377

3b8adf88b10e0c66d97b4909a17d4436a043ded5cf29c85ead22b58917e9ac7b

e8201b4a0f2619224e0720034dfc19a75f77582531bd98a2465a58bbf4a9f8c6

bf45c48b209e5004520b5d541e406c183bccb2fe81f3974c2c53be48017f74ca

02e98650e89146f0bddf29dd73165b9993d52f966d6194d375b6f0fcf737c38a

381dc36504e1b319fde9bbae0a580da9f239b8af8066638f9a4203e58dc16087

fbd3d1828592a2c1f154ebe2283643e24dee1db9f8989ce32e54b00d470a0096

521869f9ee6066c33fb1615cbcad66de157876bd08cec05597e4d3a0405efac8

eda7a7edc01392706a872a5a275940b4a4b9471dc562eb70128ee672872d1407

02dba6f34480eac1d27c83a4ff06e3ba03fc63fcf3067e0957375bfd182ed39b

8eb51f51eea27de8b976bdbcc84f4cf386256dfd9dc3702df8f839490699e173

89169f480810198a2cbb28fab15e0dfc8d1ee53981a9834cb84a84d077db3d17

6606d6e6424f7c25b922905095ba8cbff83357430bf1ef0ce0553a411fed1748

5d0b2015998a8a5a2a60ebdd2f3d6a398e533d198b9157c1558e6913330c24ba

e645ee394546db818350adfb2c55bffea78f405ac0ebb3fb1486e7d2f042c46f

0f7df7ac22957da6a793f641cda611c2c2a294355d4d19b29b6920853a012d98

b6844533bb887e870eb88fba88ed4d616ea8a9573b673faf927846c802f7817c

92e8076a59831156af5dc7058356cc0ad3dbd3c32cd84b08c3c8541ccc32d1c0

a383c13bbe949d0b6dff23e3243c7bbac1813d2ce9d99149cd5b984f051005d0

44bfb9f0e13dd72ed111b5b5600b80b305ab153a0ee2224957e76391b28ac037

3d331e6c5c1b22377b3b4aba9f71d65a10a77df6d8ee64c3a0d7d7de3d1f1565

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls 1 : 

    userdomainname like "jsc.olacityviet.com" or url like "jsc.olacityviet.com" or userdomainname like "ldy.vdfskis888.com" or url like "ldy.vdfskis888.com" or userdomainname like "vn.coronavg99.com" or url like "vn.coronavg99.com" or userdomainname like "brcknkblue.com" or url like "brcknkblue.com" or userdomainname like "dk8.zone" or url like "dk8.zone" or userdomainname like "tdkgpt.yyds6686.com" or url like "tdkgpt.yyds6686.com" or userdomainname like "www.jumpiis8.com" or url like "www.jumpiis8.com" or userdomainname like "jsc.bet277.vip" or url like "jsc.bet277.vip" or userdomainname like "wailian.vn6789sky.com" or url like "wailian.vn6789sky.com" or userdomainname like "link.toptoplm88.com" or url like "link.toptoplm88.com" or userdomainname like "yyds.tmpdrsh.com" or url like "yyds.tmpdrsh.com" or userdomainname like "coronavg99.xyz" or url like "coronavg99.xyz" or userdomainname like "89vq.me" or url like "89vq.me" or userdomainname like "newth.googlecache.cc" or url like "newth.googlecache.cc" or userdomainname like "sitemap1.bet277.vip" or url like "sitemap1.bet277.vip" or userdomainname like "yitongmingde.com" or url like "yitongmingde.com" or userdomainname like "www.xiagao886.com" or url like "www.xiagao886.com" or userdomainname like "all.targetedtrafficcrew.com" or url like "all.targetedtrafficcrew.com" or userdomainname like "br.zmdesf.cn" or url like "br.zmdesf.cn" or userdomainname like "proxy.xxxx.com" or url like "proxy.xxxx.com" or userdomainname like "lucky.668823.com" or url like "lucky.668823.com" or userdomainname like "js.cloudflare.cyou" or url like "js.cloudflare.cyou" or userdomainname like "wailian.eglotanygfa.vip" or url like "wailian.eglotanygfa.vip" or userdomainname like "html.aafd.tv" or url like "html.aafd.tv" or userdomainname like "jumpsexxx.com" or url like "jumpsexxx.com" or userdomainname like "six2fc.com" or url like "six2fc.com" or userdomainname like "link.topck008.com" or url like "link.topck008.com" or userdomainname like "vnfll22.keeploong.com" or url like "vnfll22.keeploong.com" or userdomainname like "bb.vdfskis888.com" or url like "bb.vdfskis888.com" or userdomainname like "topck008.com" or url like "topck008.com" or userdomainname like "668th.com" or url like "668th.com" or userdomainname like "se2.ggseocdn.com" or url like "se2.ggseocdn.com" or userdomainname like "js.officefonts-clo.com" or url like "js.officefonts-clo.com" or userdomainname like "newthmap.googlecache.cc" or url like "newthmap.googlecache.cc" or userdomainname like "eglotanygfa.vip" or url like "eglotanygfa.vip" or userdomainname like "ll.olacityviet.com" or url like "ll.olacityviet.com"

    Domains\Urls 2 :

    userdomainname like "chem-db.com" or url like "chem-db.com" or userdomainname like "se2.ggseocdn2.com" or url like "se2.ggseocdn2.com" or userdomainname like "www.xxxx.vip" or url like "www.xxxx.vip" or userdomainname like "js.targetedtrafficcrew.com" or url like "js.targetedtrafficcrew.com" or userdomainname like "798.toptopkm88.com" or url like "798.toptopkm88.com" or userdomainname like "site.toptopkm88.com" or url like "site.toptopkm88.com" or userdomainname like "www.m2313.com" or url like "www.m2313.com" or userdomainname like "br.ruicaisiwang.com" or url like "br.ruicaisiwang.com" or userdomainname like "tz123.app" or url like "tz123.app" or userdomainname like "phpmap.googlecache.cc" or url like "phpmap.googlecache.cc" or userdomainname like "vn6789sky.com" or url like "vn6789sky.com" or userdomainname like "sitemap.bet277.vip" or url like "sitemap.bet277.vip" or userdomainname like "wailian.brcknkblue.com" or url like "wailian.brcknkblue.com" or userdomainname like "tdk.798love.com" or url like "tdk.798love.com" or userdomainname like "spider.xxxx.com" or url like "spider.xxxx.com" or userdomainname like "qiqiguaiguai2.xyz" or url like "qiqiguaiguai2.xyz" or userdomainname like "link.vdfskis888.com" or url like "link.vdfskis888.com" or userdomainname like "th.ntxx.cn" or url like "th.ntxx.cn" or userdomainname like "googleseo.life" or url like "googleseo.life" or userdomainname like "bryyds.com" or url like "bryyds.com" or userdomainname like "dk8.land" or url like "dk8.land" or userdomainname like "vg9920.store" or url like "vg9920.store" or userdomainname like "s995.vip" or url like "s995.vip" or userdomainname like "zavinac.net" or url like "zavinac.net" or userdomainname like "wailian.zavinac.net" or url like "wailian.zavinac.net"

    IP Address : 

    dstipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81") or ipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81") or publicipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81") or srcipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81")

    Hash : 

    sha256hash IN ("65967f471440449d2f1b615ff1338b8082b0481b617eda4d9f21a9f102b98859","a4906b40232726948f6a5357ad0ee9445512b422ae510d2ef08bd9cf516852bd","7ccdd8966adf04ddd9b24dac0d1b8642968598a88ec3f5048b279843bffefb84","92e8076a59831156af5dc7058356cc0ad3dbd3c32cd84b08c3c8541ccc32d1c0","6606d6e6424f7c25b922905095ba8cbff83357430bf1ef0ce0553a411fed1748","18939c40dd601550da9f07d8115f4b19bec422df4ada9358bac9bd9e9ac94e94","03bc0ddfa59cfa290c426396f1c5fff45bd2c3ef90152cafc7c662c075dfc7d8","24aafe0a2033e2e5ca231ebca0e3c56740754a97ca1f5062305e6b30222fc0ee","8a49966eb90acc5c05a6bba523f1dd0d58127ab731d44c7304204fa02bf61186","e927d6ea1fdc27c0ae9eb55254bbbd4f501f14ae02e499d7d20cdd83af479b20","8eb51f51eea27de8b976bdbcc84f4cf386256dfd9dc3702df8f839490699e173","8ae43e6bd2cf0f8ced8f888226a4d6d06a7b03552e9af3d3cde35bb1d9724867","0f7df7ac22957da6a793f641cda611c2c2a294355d4d19b29b6920853a012d98","a2a9dcdfc6f0aab577bc0f2750ff44050034c0f1c2f8b325a246f4dfe5f33219","2ec893440e04de55bc6bbe4b1db76df532aa42d3140a15dc5365ef520a1d4247","a01ae86a356373f0d3e1b843f50243394308a96bd01978b33e4a91c0f0b19cce","b6844533bb887e870eb88fba88ed4d616ea8a9573b673faf927846c802f7817c","33e5e5e773d1909004d4b38a0e4e3e97e46cbdb7b17f94b28fce2c9ad0a375d3","521869f9ee6066c33fb1615cbcad66de157876bd08cec05597e4d3a0405efac8","21a61777b0f725dd0dbdb2ecd0dd66e952012e94894e71c306059990c2afe377","02dba6f34480eac1d27c83a4ff06e3ba03fc63fcf3067e0957375bfd182ed39b","e645ee394546db818350adfb2c55bffea78f405ac0ebb3fb1486e7d2f042c46f","a35f810ed9ffd884d0599aa391d0043ad955e821f8144089116b15f01b8a932b","5d838c0dbf164b26c4c5dc20f96d3bf48a5f9fde88bbc1dd02c08007bb184d86","08f965f640a3ec1c3aa9c31033455fad02550485d0d5b6fe33553d374775f18a","a0bb95eafc9913633c7e27f0f1e6c81eb4c138a809c109ad3abae5fcc47c2cbd","4091ddc3560fb60bd3ef071367fd833d67c3c6e3e81165aa3d93519b93959658","6503770b34c53025793f1674af87d80a8f6ed44b5780490796012a2b771b8f84","bbf9d7dafba979ef9c1e8531a20d3bea1adcdbb628816ce8781d7eeb6292f265","fbd3d1828592a2c1f154ebe2283643e24dee1db9f8989ce32e54b00d470a0096","df75b0b8ea1f75f0039c158c89e413ed6c4352309cc2cfa282afd1857676a88c","12e4817abc69918b8556a4f18371c803db3d5191031cb56f835ec33cdb12f0d9","9fbae4ed1de2b09af9a246a021f2a7fc8667492d459ac346eba6719509c41c5a","fe14c579308d356c64bd3be9365014de805a17abab8cb741e2817b8451a92f64","c75a9a104e340473b72140127f3039a08f99a334887afc100d09cffa3c4c8e24","a68d83fd210b8ca21370a0f38da8fc0dd20b081e69beef911060924aa708a280","c732067b3d8763c248051366ab7beeae0d7fbe105884d4d3f8647e3427f36daf","6edb1fd609c7e011cd42656af67baf5271d8212933a8c964604d138306b9565f","ffceed66dd9935c92ff7922bd5fdfde08e9a2ff78dd3a76dc65a200305779b9c","e3c73f76f7b08ab6e223918a5b961201f60934ec95e5362529a42c1655395443","7321d599e777088356d7549e638b6b67fc43fc5c9f0c8846ee5aa7f47e35c2eb","3d331e6c5c1b22377b3b4aba9f71d65a10a77df6d8ee64c3a0d7d7de3d1f1565","2e20ce7bc1e653737f05c910759fd2e420fe28f77f80a6d8e7c9346809e4dce7","f9017361349421728fc1ac1bc1549b3d23b35bd795f0a83be2e9e517bccaccdc","381dc36504e1b319fde9bbae0a580da9f239b8af8066638f9a4203e58dc16087","7b190719c3fb9c0bde074981adaf5b04356c9c48fa2fccdb334c4ae218f66fc0","8fee015ae0e978e39af2cd1ca74b29202e702d296c110f3a7a90dfadce28d4a6","59b416efff07208dc8b1c98a6f754e3abc14e55d71971ddc5581f6bc7ca45837","42906ac10d053eec10c05e2eeebcb06a7d6b307dc0d18083151dff3e0ac70022","89169f480810198a2cbb28fab15e0dfc8d1ee53981a9834cb84a84d077db3d17","e09067e3e134e620b69117caf5bee54c1066b7259b74ddf2399afc64116690c9","f1dcd2809a001a0d0ea3221939f7afd2ef9e5bf468709bd91abd70c902c42d45","22cebb4f0fe6f4377e91b1e19204eff0f744d316b8c900377d8db4aa4f457801","3b8adf88b10e0c66d97b4909a17d4436a043ded5cf29c85ead22b58917e9ac7b","02e98650e89146f0bddf29dd73165b9993d52f966d6194d375b6f0fcf737c38a","ed3882a77cdc372f647e647b66979525a50054a580b43499ce5a97864d772730","13f094d3eebe9d700360868006ac022a622ec606628adcc3782123d5092224d1","61913e0a38282a42b26aff578da17dab60ac0fbee819fa42db5497cc5cf55760","bb9b0b20d239b2f5fe6da31fc2d13ec4ba6083238df68befd33d7521570d334e","2496bfe15e283affdfcd7f1de9134227671e2cddfb726b46829fa966abb9ac96","facfea68fe95fc81e3b6e04f79fbcba738c79b4de2d0238e4e5a8ba095a2516d","01577f5b0869154fb678bcf86eef50afceb5fc189c87b2085fe5fcdf74cd6ff0","5b497b4205427198fc922c74cad8275b4256579f8bb5a1f1dbad7151630288a0","e3197285c98965ca0522d3683c0d656e4ab1f8335ca322e1ae8c06b79dfd9b9c","1bb1187daff9610a0c142b48bc04d3e883344ca0eca8fe915d6a02fb3e7571ff","1cb60c7a121187978661b4bda84279f2324a5779b3f58bac11470a73fe544f6a","cc67b50d746b23b9bc6fc12dde8c64d72c7f856521787b964598672d83525915","79b7fe6db452edd3077fb55906beea64c19087a19e5fb35211dd80975db74f9e","fec618c4f832d8a182fc1d3b9e58a0bff1a62241a1d17108e84ed1f0c4bb7845","6503770b34c53025793f1674af87d80a8f6ed44b5780490796012a2b771b8f84","e8201b4a0f2619224e0720034dfc19a75f77582531bd98a2465a58bbf4a9f8c6","bf45c48b209e5004520b5d541e406c183bccb2fe81f3974c2c53be48017f74ca","eda7a7edc01392706a872a5a275940b4a4b9471dc562eb70128ee672872d1407","5d0b2015998a8a5a2a60ebdd2f3d6a398e533d198b9157c1558e6913330c24ba","a383c13bbe949d0b6dff23e3243c7bbac1813d2ce9d99149cd5b984f051005d0","44bfb9f0e13dd72ed111b5b5600b80b305ab153a0ee2224957e76391b28ac037")

    Reference:    

    https://www.trendmicro.com/en_us/research/25/b/chinese-speaking-group-manipulates-seo-with-badiis.html 


    Tags

    MalwareAsiaIndiaThailandVietnamFinancial ServicesGambling Websites

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2025 by Gurucul - All rights reserved.