Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign

    Date: 09/23/2025

    Severity: High

    Summary

    In March 2025, we identified an SEO poisoning campaign, likely operated by a Chinese-speaking threat actor, dubbed “Operation Rewrite.” This activity cluster, tracked as CL-UNK-1037, overlaps with known campaigns like “Group 9” and “DragonRank.” Attackers used a malicious IIS module called BadIIS to hijack web traffic via compromised servers. The campaign targeted East and Southeast Asia, with code tailored to regional search engines. Beyond BadIIS, the toolkit included ASP.NET handlers, .NET IIS modules, and a multifunctional PHP script.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://103.6.235.26/xvn.html

    http://x404.008php.com/zz/u.php

    http://103.6.235.78/vn.html

    http://x404.008php.com/index.php

    http://103.6.235.78/index.php

    http://103.6.235.78/zz/u.php

    http://cs.pyhycy.com/index.php

    http://cs.pyhycy.com/zz/u.php

    https://sl.008php.com/kt.html

    http://160.30.173.87/zz/u.php

    http://404.pyhycy.com/index.php

    http://404.pyhycy.com/zz/u.php

    http://404.hao563.com/index.php

    http://404.300bt.com/zz/u.php

    http://404.yyphw.com/index.php

    http://103.6.235.26/kt.html

    http://404.yyphw.com/zz/u.php

    http://404.hzyzn.com/index.php

    http://404.hzyzn.com/zz/u.php

    http://404.300bt.com/index.php

    http://103.248.20.197/index.php

    http://103.248.20.197/zz/u.php

    https://fb88s.icu/uu/tt.js

    http://404.hao563.com/zz/u.php

    http://www.massnetworks.org

    http://vn404.008php.com/index.php

    http://vn404.008php.com/zz/u.php

    http://404.008php.com/zz/u.php

    Hashes (SHA-256):

    01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60

    bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c

    5aa684e90dd0b85f41383efe89dddb2d43ecbdaf9c1d52c40a2fdf037fb40138

    c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f

    82096c2716a4de687b3a09b638e39cc7c12959bf380610d5f8f9ac9cddab64d7

    ed68c5a8c937cd55406c152ae4a2780bf39647f8724029f04e1dce136eb358ea

    6d79b32927bac8020d25aa326ddf44e7d78600714beacd473238cc0d9b5d1ccf

    b95a1619d1ca37d652599b0b0a6188174c71147e9dc7fb4253959bd64c4c1e9f

    8078fa156f5ab8be073ad3f616a2302f719713aac0f62599916c5084dd326060

    a73c7f833a83025936c52a8f217c9793072d91346bb321552f3214efdeef59eb

    6d044b27cd3418bf949b3db131286c8f877a56d08c3bbb0924baf862a6d13b27

    78ef67ec600045b7deb8b8ac747845119262bea1d51b2332469b1f769fb0b67d

    88de33754e96cfa883d737aea7231666c4e6d058e591ef3b566f5c13a88c0b56

    a393b62df62f10c5c16dd98248ee14ca92982e7ac54cb3e1c83124c3623c8c43

    40a0d0ee76b72202b63301a64c948acb3a4da8bac4671c7b7014a6f1e7841bd2

    1c870ee30042b1f6387cda8527c2a9cf6791195e63c5126d786f807239bd0ddc

    271c1ddfdfb6ba82c133d1e0aac3981b2c399f16578fcf706f5e332703864656

    22a9e1675bd8b8d64516bd4be1f07754c8f4ad6c59a965d0e009cbeaca6147a7

    e2e00fd57d177e4c90c1e6a973cae488782f73378224f54cf1284d69a88b6805

    23aa7c29d1370d31f2631abd7df4c260b85227a433ab3c7d77e8f2d87589948f

    ab0b548931e3e07d466ae8598ca9cd8b10409ab23d471a7124e2e67706a314e8

    22a4f8aead6aef38b0dc26461813499c19c6d9165d375f85fb872cd7d9eba5f9

    de570369194da3808ab3c3de8fb7ba2aac1cc67680ebdc75348b309e9a290d37

    d8a7320e2056daf3ef4d479ff1bb5ce4facda67dfc705e8729aeca78d6f9ca84

    d6a0763f6ef19def8a248c875fd4a5ea914737e3914641ef343fe1e51b04f858

    c6622e2900b8112e8157f923e9fcbd48889717adfe1104e07eb253f2e90d2c6a

    6cff06789bf27407aa420e73123d4892a8f15cae9885ff88749fd21aa6d0e8ad

    b056197f093cd036fa509609d80ece307864806f52ab962901939b45718c18a8

    2af61e5acc4ca390d3bd43bc649ab30951ed7b4e36d58a05f5003d92fde5e9a7

    36bf18c3edd773072d412f4681fb25b1512d0d8a00aac36514cd6c48d80be71b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "http://x404.008php.com/index.php" or url like "http://x404.008php.com/index.php" or siteurl like "http://x404.008php.com/index.php" or domainname like "http://404.hzyzn.com/index.php" or url like "http://404.hzyzn.com/index.php" or siteurl like "http://404.hzyzn.com/index.php" or domainname like "http://x404.008php.com/zz/u.php" or url like "http://x404.008php.com/zz/u.php" or siteurl like "http://x404.008php.com/zz/u.php" or domainname like "http://404.hao563.com/zz/u.php" or url like "http://404.hao563.com/zz/u.php" or siteurl like "http://404.hao563.com/zz/u.php" or domainname like "http://vn404.008php.com/index.php" or url like "http://vn404.008php.com/index.php" or siteurl like "http://vn404.008php.com/index.php" or domainname like "https://fb88s.icu/uu/tt.js" or url like "https://fb88s.icu/uu/tt.js" or siteurl like "https://fb88s.icu/uu/tt.js" or domainname like "http://103.6.235.26/xvn.html" or url like "http://103.6.235.26/xvn.html" or siteurl like "http://103.6.235.26/xvn.html" or domainname like "http://404.pyhycy.com/zz/u.php" or url like "http://404.pyhycy.com/zz/u.php" or siteurl like "http://404.pyhycy.com/zz/u.php" or domainname like "https://sl.008php.com/kt.html" or url like "https://sl.008php.com/kt.html" or siteurl like "https://sl.008php.com/kt.html" or domainname like "http://103.248.20.197/index.php" or url like "http://103.248.20.197/index.php" or siteurl like "http://103.248.20.197/index.php" or domainname like "http://cs.pyhycy.com/index.php" or url like "http://cs.pyhycy.com/index.php" or siteurl like "http://cs.pyhycy.com/index.php" or domainname like "http://404.300bt.com/zz/u.php" or url like "http://404.300bt.com/zz/u.php" or siteurl like "http://404.300bt.com/zz/u.php" or domainname like "http://404.hao563.com/index.php" or url like "http://404.hao563.com/index.php" or siteurl like "http://404.hao563.com/index.php" or domainname like "http://cs.pyhycy.com/zz/u.php" or url like "http://cs.pyhycy.com/zz/u.php" or siteurl like "http://cs.pyhycy.com/zz/u.php" or domainname like "http://404.yyphw.com/index.php" or url like "http://404.yyphw.com/index.php" or siteurl like "http://404.yyphw.com/index.php" or domainname like "http://103.6.235.78/vn.html" or url like "http://103.6.235.78/vn.html" or siteurl like "http://103.6.235.78/vn.html" or domainname like "http://404.300bt.com/index.php" or url like "http://404.300bt.com/index.php" or siteurl like "http://404.300bt.com/index.php" or domainname like "http://160.30.173.87/zz/u.php" or url like "http://160.30.173.87/zz/u.php" or siteurl like "http://160.30.173.87/zz/u.php" or domainname like "http://404.hzyzn.com/zz/u.php" or url like "http://404.hzyzn.com/zz/u.php" or siteurl like "http://404.hzyzn.com/zz/u.php" or domainname like "http://103.6.235.78/index.php" or url like "http://103.6.235.78/index.php" or siteurl like "http://103.6.235.78/index.php" or domainname like "http://103.6.235.78/zz/u.php" or url like "http://103.6.235.78/zz/u.php" or siteurl like "http://103.6.235.78/zz/u.php" or domainname like "http://404.pyhycy.com/index.php" or url like "http://404.pyhycy.com/index.php" or siteurl like "http://404.pyhycy.com/index.php" or domainname like "http://103.6.235.26/kt.html" or url like "http://103.6.235.26/kt.html" or siteurl like "http://103.6.235.26/kt.html" or domainname like "http://404.yyphw.com/zz/u.php" or url like "http://404.yyphw.com/zz/u.php" or siteurl like "http://404.yyphw.com/zz/u.php" or domainname like "http://103.248.20.197/zz/u.php" or url like "http://103.248.20.197/zz/u.php" or siteurl like "http://103.248.20.197/zz/u.php" or domainname like "http://www.massnetworks.org" or url like "http://www.massnetworks.org" or siteurl like "http://www.massnetworks.org" or domainname like "http://vn404.008php.com/zz/u.php" or url like "http://vn404.008php.com/zz/u.php" or siteurl like "http://vn404.008php.com/zz/u.php" or domainname like "http://404.008php.com/zz/u.php" or url like "http://404.008php.com/zz/u.php" or siteurl like "http://404.008php.com/zz/u.php"

    Detection Query 2 :

    sha256hash IN ("ed68c5a8c937cd55406c152ae4a2780bf39647f8724029f04e1dce136eb358ea","a393b62df62f10c5c16dd98248ee14ca92982e7ac54cb3e1c83124c3623c8c43","1c870ee30042b1f6387cda8527c2a9cf6791195e63c5126d786f807239bd0ddc","c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f","6cff06789bf27407aa420e73123d4892a8f15cae9885ff88749fd21aa6d0e8ad","22a9e1675bd8b8d64516bd4be1f07754c8f4ad6c59a965d0e009cbeaca6147a7","8078fa156f5ab8be073ad3f616a2302f719713aac0f62599916c5084dd326060","de570369194da3808ab3c3de8fb7ba2aac1cc67680ebdc75348b309e9a290d37","40a0d0ee76b72202b63301a64c948acb3a4da8bac4671c7b7014a6f1e7841bd2","88de33754e96cfa883d737aea7231666c4e6d058e591ef3b566f5c13a88c0b56","c6622e2900b8112e8157f923e9fcbd48889717adfe1104e07eb253f2e90d2c6a","bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c","5aa684e90dd0b85f41383efe89dddb2d43ecbdaf9c1d52c40a2fdf037fb40138","6d79b32927bac8020d25aa326ddf44e7d78600714beacd473238cc0d9b5d1ccf","01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60","22a4f8aead6aef38b0dc26461813499c19c6d9165d375f85fb872cd7d9eba5f9","ab0b548931e3e07d466ae8598ca9cd8b10409ab23d471a7124e2e67706a314e8","23aa7c29d1370d31f2631abd7df4c260b85227a433ab3c7d77e8f2d87589948f","78ef67ec600045b7deb8b8ac747845119262bea1d51b2332469b1f769fb0b67d","271c1ddfdfb6ba82c133d1e0aac3981b2c399f16578fcf706f5e332703864656","b056197f093cd036fa509609d80ece307864806f52ab962901939b45718c18a8","b95a1619d1ca37d652599b0b0a6188174c71147e9dc7fb4253959bd64c4c1e9f","82096c2716a4de687b3a09b638e39cc7c12959bf380610d5f8f9ac9cddab64d7","a73c7f833a83025936c52a8f217c9793072d91346bb321552f3214efdeef59eb","6d044b27cd3418bf949b3db131286c8f877a56d08c3bbb0924baf862a6d13b27","e2e00fd57d177e4c90c1e6a973cae488782f73378224f54cf1284d69a88b6805","d8a7320e2056daf3ef4d479ff1bb5ce4facda67dfc705e8729aeca78d6f9ca84","d6a0763f6ef19def8a248c875fd4a5ea914737e3914641ef343fe1e51b04f858","36bf18c3edd773072d412f4681fb25b1512d0d8a00aac36514cd6c48d80be71b")
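    The two queries above express the same idea as a pair of set lookups: a request URL in the IOC list, or a file digest in the IOC list. The script below is an added example, not part of this advisory and not Gurucul's query engine; it runs the equivalent matching in Python over constructed proxy-log and EDR-export rows (the log formats are assumed, the IOC values are a subset copied from the lists above). It adds two checks a practitioner would want before loading the indicators into a rule: a host-name field normally holds only the host, so it also derives the attacker hosts from the URL IOCs and reports a lower-confidence "host" hit for any path on them, and it validates that each digest is a complete 64-hex-digit SHA-256 so that a hash wrapped or truncated during copy-paste never silently fails to match.

```python
"""Match the advisory's URL and SHA-256 IOCs against sample log rows.

Added example, not code from the advisory or from Gurucul. IOC values are a
subset of the lists above; the log formats and all rows are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the advisory's Domains/URLs IOCs.
IOC_URLS = {
    "http://x404.008php.com/index.php",
    "http://x404.008php.com/zz/u.php",
    "http://103.6.235.78/vn.html",
    "https://fb88s.icu/uu/tt.js",
    "http://www.massnetworks.org",
}

# Subset of the advisory's SHA-256 IOCs (lower-case, 64 hex digits each).
IOC_SHA256 = {
    "01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60",
    "36bf18c3edd773072d412f4681fb25b1512d0d8a00aac36514cd6c48d80be71b",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def valid_sha256(value: str) -> bool:
    """True only for a complete 64-hex-digit digest; rejects truncated or
    line-wrapped hashes before they reach a detection rule."""
    return bool(SHA256_RE.match(value.strip().lower()))


def host_of(url: str) -> Optional[str]:
    """Lower-cased host part of a URL, or None if it has no host."""
    host = urlsplit(url.strip()).hostname
    return host.lower() if host else None


# Hosts derived from the URL IOCs, so a request for a different path on the
# same attacker host still yields a (lower-confidence) hit.
IOC_HOSTS = {h for h in map(host_of, IOC_URLS) if h}


def classify_url(url: str) -> Optional[str]:
    """'url' for an exact IOC URL, 'host' for an IOC host only, else None."""
    if url.strip() in IOC_URLS:
        return "url"
    if host_of(url) in IOC_HOSTS:
        return "host"
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse '<ts> <src_ip> <method> <url> <status>' rows (assumed format)
    and return (src_ip, url, match_kind) for every hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed rows rather than abort the scan
        _ts, src, _method, url, _status = parts
        kind = classify_url(url)
        if kind:
            hits.append((src, url, kind))
    return hits


def scan_hash_export(text: str) -> List[Tuple[str, str]]:
    """Parse 'host,path,sha256' rows (assumed format) and return (host, path)
    for rows whose digest is an IOC. Comparison is case-insensitive because
    EDR exports differ in hex casing."""
    hits = []
    for line in text.splitlines():
        try:
            host, path, digest = line.split(",", 2)
        except ValueError:
            continue
        digest = digest.strip().lower()
        if valid_sha256(digest) and digest in IOC_SHA256:
            hits.append((host, path))
    return hits


# Constructed sample rows (not from the advisory).
SAMPLE_PROXY_LOG = """\
2025-09-23T10:00:01Z 10.0.0.5 GET http://x404.008php.com/zz/u.php 200
2025-09-23T10:00:02Z 10.0.0.6 GET https://example.com/index.html 200
2025-09-23T10:00:03Z 10.0.0.7 GET http://103.6.235.78/other.php 404
2025-09-23T10:00:04Z 10.0.0.8 GET https://fb88s.icu/uu/tt.js 200
"""

SAMPLE_HASH_EXPORT = """\
web01,C:\\inetpub\\wwwroot\\ok.dll,deadbeef
web02,C:\\Windows\\System32\\inetsrv\\x.dll,01A616E25F1AC661A7A9C244FD31736188CEB5FCE8C1A5738E807FDBEF70FD60
web03,C:\\temp\\y.dll,36bf18c3edd773072d412f4681fb25b1512d0
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for hit in scan_hash_export(SAMPLE_HASH_EXPORT):
        print("hash hit:", hit)
```

    Running it reports two exact URL hits and one host-only hit from the proxy rows, and a single hash hit: the upper-case digest on web02 is normalised and matched, while the truncated digest on web03 is rejected by the length check instead of being compared and silently missed.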

    Reference:

    https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/


    Tags

    Malware, BadIIS, SEO Poisoning, CL-UNK-1037, Group 9, DragonRank, East Asia, South Asia, China
