Dissecting UAT-8099: New Persistence Mechanisms and Regional Focus

    Date: 01/30/2026

    Severity: High

    Summary

    UAT-8099 is an active threat actor targeting vulnerable Internet Information Services (IIS) servers across Asia, with a strong focus on Thailand and Vietnam from late 2025 to early 2026. The campaign shows significant overlap with the WEBJACK operation, sharing malware hashes, C2 infrastructure, and victimology. UAT-8099 deploys web shells, PowerShell, and tools like GotoHTTP for remote access, while introducing region-specific BadIIS variants that hardcode geographic targeting and custom persistence features. The emergence of a Linux ELF variant with proxying, injection, and SEO fraud capabilities highlights the group’s expanding tooling and adaptability.

    Indicators of Compromise (IOC) List

    URLs/Domains


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://404.imxzq.com/tdks.php?domain=%s&path=%s" or url like "https://404.imxzq.com/tdks.php?domain=%s&path=%s" or siteurl like "https://404.imxzq.com/tdks.php?domain=%s&path=%s"
    or domainname like "https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/go.exe" or url like "https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/go.exe" or siteurl like "https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/go.exe"
    or domainname like "https://tdk.jmfwy.com/tdk.php?domain=%s&path=%s" or url like "https://tdk.jmfwy.com/tdk.php?domain=%s&path=%s" or siteurl like "https://tdk.jmfwy.com/tdk.php?domain=%s&path=%s"
    or domainname like "https://404.jmfwy.com/tdks.php?domain=%s&path=%s" or url like "https://404.jmfwy.com/tdks.php?domain=%s&path=%s" or siteurl like "https://404.jmfwy.com/tdks.php?domain=%s&path=%s"
    or domainname like "http://go1.kmm5tn.ceye.io" or url like "http://go1.kmm5tn.ceye.io" or siteurl like "http://go1.kmm5tn.ceye.io"
    or domainname like "https://bxphp.westooo.com/58z.js" or url like "https://bxphp.westooo.com/58z.js" or siteurl like "https://bxphp.westooo.com/58z.js"
    or domainname like "https://bxphp.westooo.com/u.php" or url like "https://bxphp.westooo.com/u.php" or siteurl like "https://bxphp.westooo.com/u.php"
    or domainname like "https://799.cors5.vip/1018.php?domain=%s&path=%s" or url like "https://799.cors5.vip/1018.php?domain=%s&path=%s" or siteurl like "https://799.cors5.vip/1018.php?domain=%s&path=%s"
    or domainname like "https://th.gtwql.com/1018.php?domain=%s&path=%s" or url like "https://th.gtwql.com/1018.php?domain=%s&path=%s" or siteurl like "https://th.gtwql.com/1018.php?domain=%s&path=%s"
    or domainname like "w3c.sneaws.com" or url like "w3c.sneaws.com" or siteurl like "w3c.sneaws.com"
    or domainname like "https://fql.jmfwy.com/tdks.php?domain=%s&path=%s" or url like "https://fql.jmfwy.com/tdks.php?domain=%s&path=%s" or siteurl like "https://fql.jmfwy.com/tdks.php?domain=%s&path=%s"
    or domainname like "http://tdk.hunanduodao.com/tdk.php?domain=%s&path=%s" or url like "http://tdk.hunanduodao.com/tdk.php?domain=%s&path=%s" or siteurl like "http://tdk.hunanduodao.com/tdk.php?domain=%s&path=%s"
    or domainname like "google.sneaws.com" or url like "google.sneaws.com" or siteurl like "google.sneaws.com"
    or domainname like "https://bxphp.westooo.com/?xhost=%s&url=%s&ua=Googlespider&f=bd" or siteurl like "https://bxphp.westooo.com/?xhost=%s&url=%s&ua=Googlespider&f=bd" or url like "https://bxphp.westooo.com/?xhost=%s&url=%s&ua=Googlespider&f=bd"

    Detection Query 2:

    domainname like "https://thov.hunanduodao.com/tdks.php?domain=%s&path=%s" or url like "https://thov.hunanduodao.com/tdks.php?domain=%s&path=%s" or siteurl like "https://thov.hunanduodao.com/tdks.php?domain=%s&path=%s"
    or domainname like "http://404.imxzq.com/tdks.php?domain=%s&path=%s" or url like "http://404.imxzq.com/tdks.php?domain=%s&path=%s" or siteurl like "http://404.imxzq.com/tdks.php?domain=%s&path=%s"
    or domainname like "https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/zcgo1.vbs" or url like "https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/zcgo1.vbs" or siteurl like "https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/zcgo1.vbs"
    or domainname like "tdk.hunanduodao.com/jump/fql.js" or siteurl like "tdk.hunanduodao.com/jump/fql.js" or url like "tdk.hunanduodao.com/jump/fql.js"
    or domainname like "tdk.hunanduodao.com/jump/ov.js" or siteurl like "tdk.hunanduodao.com/jump/ov.js" or url like "tdk.hunanduodao.com/jump/ov.js"
    or domainname like "tdkfsdfa.cnmseo.com/jump/fql.js" or siteurl like "tdkfsdfa.cnmseo.com/jump/fql.js" or url like "tdkfsdfa.cnmseo.com/jump/fql.js"
    or domainname like "tdkfsdfa.cnmseo.com/jump/ll.js" or siteurl like "tdkfsdfa.cnmseo.com/jump/ll.js" or url like "tdkfsdfa.cnmseo.com/jump/ll.js"
    or domainname like "tz.jmfwy.com/jump/json.js" or siteurl like "tz.jmfwy.com/jump/json.js" or url like "tz.jmfwy.com/jump/json.js"
    or domainname like "tz.jmfwy.com/jump/mage.js" or siteurl like "tz.jmfwy.com/jump/mage.js" or url like "tz.jmfwy.com/jump/mage.js"
    or domainname like "tz.jmfwy.com/jump/tiger.js" or siteurl like "tz.jmfwy.com/jump/tiger.js" or url like "tz.jmfwy.com/jump/tiger.js"
    or domainname like "tz.ohtcm.com/jump/fql.js" or siteurl like "tz.ohtcm.com/jump/fql.js" or url like "tz.ohtcm.com/jump/fql.js"
    or domainname like "tz.ohtcm.com/jump/json.js" or siteurl like "tz.ohtcm.com/jump/json.js" or url like "tz.ohtcm.com/jump/json.js"
    or domainname like "tz.ohtcm.com/jump/ll.js" or siteurl like "tz.ohtcm.com/jump/ll.js" or url like "tz.ohtcm.com/jump/ll.js"
    or domainname like "tz.ohtcm.com/jump/ov.js" or siteurl like "tz.ohtcm.com/jump/ov.js" or url like "tz.ohtcm.com/jump/ov.js"
    or domainname like "tz.suucx.com/jump/ov.js" or siteurl like "tz.suucx.com/jump/ov.js" or url like "tz.suucx.com/jump/ov.js"

    Detection Query 3:

    sha256hash IN (
    "ab03a7caed279fc6411ec19386faff3b65be34c91c3f0550eaef84a663720d0d",
    "a781581baf6e1e335f22c9ffbb2656a2d9c8e51f463e3a48068210425df1c205",
    "e448557d26cf2917efded8e30c67db8094ce1f6db78801742988ea21f3429d7c",
    "660ccb6dcfad97bfaddc667c61b1904e99a06eab981d44119092624d42912d68",
    "bcc393c1686a0f5d493041e98dcafe0098d952d5e93eb4d2ebdb63c0efd2de33",
    "4bc189af91779582a1d29cfe187aa233e7ba50d223261fb9fbe31df5b06dff96",
    "48ec6530470b295db455bf2c72dc4fbd18672725f45821304f966d436b428865",
    "29ffb1d28f98582e81e78e6b2d5502da50c8ebdee0d40005a86b0dadece2923b",
    "a34ea8fb565ac6f57eefc987c61159c1e6f1af6a8717ffb42f4b745db3bf9e31",
    "ebeef831c52b7e930a6456caedf7849814b8d4def2bc0e70a0e7a357621ef6bc",
    "e84a16c8e25a4e40926cbb4cc210a09830298b6f99d532035f5136d05ffc008c",
    "11ea6aa2b31677f8a36627d4af709e70cff4a033b0975f63c19b28945e6226b7",
    "70d6bc89451e36889c045f30de22bc02e032788c8938baa0d5802e8f747c3e79",
    "672ffdf1e9d4848015d29a68111266ef55fc6702dfe7b2053ce677882648dd5d",
    "9458a75c1e24add9a48e0425e514a5f0cb46a826bff30ea7ea34e69099345f29",
    "416ef6da8a27a99cbce6517d31857c8b8b55f02e9c8118510dc33814fb6f57be",
    "565502d2454e4b65d3bd810fccf4b429264562fefa5cfff24c905b76b3b860a6",
    "c7a22f5c55ac1373a5964a6598da2a9afd8a61b9d729b9bf52a93c967a7f0eda",
    "265336511db98a4c40476455e2ae93aaf926abecd8f9b9d741f8d253abb80357",
    "cdf454173bac13266e0f7db5de386439f197e2c480e1cc303dd7e806484645da",
    "230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9",
    "99f2c4773560eb515cfcb0ad45cf8e47c46580ab19494463160f885e048ce830",
    "1ab98783a02ad9f127e776c435ef4e24a18ab93c4b4ee5ede722817d4b20771a",
    "d8c0ef6dbf7d4572f92d3a492f32061ab8f3dd46beb9ff5a0bf9bf550935458c",
    "9a2fd34e22c5f3d3d5fb96e3cd514dad7b03ed7bf53a87e7d8d9b73987d02ece",
    "1ece4d8603f5e28a7b0f6a8c83963a57cf23e5d2fadfc138419c3a051a75c93a",
    "6be5c8882bc02cf4e86d2ab9d20aa3446b71dd12c73f9c6bf0faf9412d7d23ba",
    "56be91643dd8b86f347cc8d743c568f2d0169781ba999a2f708e503b59ecff76",
    "2cc87bd2ae25a5119cb950618850eddeb578954fa780b125c1f51d234fb405e3",
    "5d320b60d2f40c200e81eaeb67a86a04782bff84582c73e726255dba2dcb821e",
    "91e1f4fc92f104ec8b29bb56df87f8e7d8b518c63997e2ea162d3f1cac3fcac1",
    "187e1417fd9d4f4a44e4f7b7172aef056e9d0ab5d7a7addf61c2cfa893f74fd1",
    "6b60b6df8a1a95f51ffe57255c05d26eb9e113857efac3b29d6ef080b8d414f3",
    "33d3ccf82279d94a8e8e772a0c4963d65a1f3576dbd6ed7b4ab8a0ee4869f97f"
    )
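The URL queries above match the C2 addresses as literal strings, including the printf-style %s placeholders (domain=%s&path=%s) that the malware substitutes at run time. As an added example (not Gurucul's or Talos's code), the Python below keys on host and path instead, so requests carrying real domain= and path= values still hit; the proxy-log format and sample lines are constructed assumptions, and only a subset of the advisory's indicators is loaded.

```python
from urllib.parse import urlsplit
# URL/domain indicators copied from the advisory's IOC list (a subset).
INDICATOR_URLS = [
    "https://404.imxzq.com/tdks.php?domain=%s&path=%s",
    "https://tdk.jmfwy.com/tdk.php?domain=%s&path=%s",
    "https://799.cors5.vip/1018.php?domain=%s&path=%s",
    "tz.ohtcm.com/jump/ov.js",
    "w3c.sneaws.com",
]

def normalize(url):
    """Reduce a URL to (host, path); scheme, port and query string are dropped.
    The query is dropped because the C2 URLs carry printf-style placeholders
    (domain=%s&path=%s) that the malware fills in at run time."""
    if "://" not in url:
        url = "http://" + url  # bare host or host/path entries in the IOC list
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path

INDICATORS = {normalize(u) for u in INDICATOR_URLS}
# An entry given as a bare hostname (empty path) matches any path on that host.
HOST_ONLY = {host for host, path in INDICATORS if path == ""}

def match(url):
    """Return the matched indicator as host+path (or the bare host), else None."""
    host, path = normalize(url)
    if host in HOST_ONLY:
        return host
    if (host, path) in INDICATORS:
        return host + path
    return None

def scan_log(lines):
    """Constructed log format: '<timestamp> <src_ip> <method> <url> <status>'.
    Returns (src_ip, indicator) for each line whose URL hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the sweep
        found = match(fields[3])
        if found:
            hits.append((fields[1], found))
    return hits

SAMPLE_LOG = [  # constructed sample proxy log lines, not from a real incident
    "2026-01-12T08:01:44Z 10.20.0.7 GET https://404.imxzq.com/tdks.php?domain=victim.example&path=/index.html 200",
    "2026-01-12T08:02:10Z 10.20.0.9 GET https://www.example.com/tdk.php?domain=a&path=b 200",
    "2026-01-12T08:03:51Z 10.20.0.7 GET http://w3c.sneaws.com/js/x.js 200",
]
```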

    Reference:

    https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/


    Tags

    Threat Actor, UAT-8099, Internet Information Services (IIS), Asia, Thailand, Vietnam, BadIIS, SEO fraud
