UAT-8099: Chinese-Speaking Cybercrime Group Targets High-Value IIS for SEO Fraud

    Date: 10/03/2025

    Severity: High

    Summary

    UAT-8099 is a Chinese-speaking cybercrime group that targets high-value IIS servers in countries such as India, Thailand, Vietnam, Canada, and Brazil to conduct SEO fraud and to steal credentials, configuration files, and certificates. The group uses web shells, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence. Its tooling is highly evasive, and some samples contain Chinese-language debug strings, indicating sophisticated and stealthy operations.

    Indicators of Compromise (IOC) List

    URLs/Domains


    IP Address

    123.181.24.36

    138.112.25.25

    36.75.75.75

    71.162.181.51

    Hashes (SHA-256)


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "buvmfuwecndskmkvhndfjk.dfbdfwrthgef.top" or siteurl like "buvmfuwecndskmkvhndfjk.dfbdfwrthgef.top" or url like "buvmfuwecndskmkvhndfjk.dfbdfwrthgef.top" or domainname like "x5.westooo.com" or siteurl like "x5.westooo.com" or url like "x5.westooo.com" or domainname like "suidcbdewjskbcsdjvbwehcsdj.dfbdfwrthgef.top" or siteurl like "suidcbdewjskbcsdjvbwehcsdj.dfbdfwrthgef.top" or url like "suidcbdewjskbcsdjvbwehcsdj.dfbdfwrthgef.top" or domainname like "bx.ggseocdn.com" or siteurl like "bx.ggseocdn.com" or url like "bx.ggseocdn.com" or domainname like "alex.rootggseo.com" or siteurl like "alex.rootggseo.com" or url like "alex.rootggseo.com" or domainname like "x2.ggseocdn.com" or siteurl like "x2.ggseocdn.com" or url like "x2.ggseocdn.com" or domainname like "th1.ggseocdn.com" or siteurl like "th1.ggseocdn.com" or url like "th1.ggseocdn.com" or domainname like "x3.ggseocdn.com" or siteurl like "x3.ggseocdn.com" or url like "x3.ggseocdn.com" or domainname like "th1.win123888.com" or siteurl like "th1.win123888.com" or url like "th1.win123888.com" or domainname like "bxphp.ggseocdn.com" or siteurl like "bxphp.ggseocdn.com" or url like "bxphp.ggseocdn.com" or domainname like "google.dfbdfwrthgef.top" or siteurl like "google.dfbdfwrthgef.top" or url like "google.dfbdfwrthgef.top" or domainname like "list.ggseocdn.com" or siteurl like "list.ggseocdn.com" or url like "list.ggseocdn.com" or domainname like "https://cdn.windowserrorapis.com:8443/v5/owa/rYpKZYehSa0sW1gFbbaVg4KB1m.cab" or siteurl like "https://cdn.windowserrorapis.com:8443/v5/owa/rYpKZYehSa0sW1gFbbaVg4KB1m.cab" or url like "https://cdn.windowserrorapis.com:8443/v5/owa/rYpKZYehSa0sW1gFbbaVg4KB1m.cab" or domainname like "ceshi.mejsc4.com" or siteurl like "ceshi.mejsc4.com" or url like "ceshi.mejsc4.com" or domainname like "aspx2.ggseocdn.com" or siteurl like "aspx2.ggseocdn.com" or url like "aspx2.ggseocdn.com" or domainname like "ar.ggseocdn.com" or siteurl like "ar.ggseocdn.com" or url like "ar.ggseocdn.com" or domainname like "bx.ggseocdn.com" or siteurl like "bx.ggseocdn.com" or url like "bx.ggseocdn.com" or domainname like "modll.win123888.com" or siteurl like "modll.win123888.com" or url like "modll.win123888.com" or domainname like "mo2dll.win123888.com" or siteurl like "mo2dll.win123888.com" or url like "mo2dll.win123888.com" or domainname like "cheng.win123888.com" or siteurl like "cheng.win123888.com" or url like "cheng.win123888.com" or domainname like "joydphp.westooo.com" or siteurl like "joydphp.westooo.com" or url like "joydphp.westooo.com" or domainname like "joyddll.westooo.com" or siteurl like "joyddll.westooo.com" or url like "joyddll.westooo.com" or domainname like "bx.westooo.com" or siteurl like "bx.westooo.com" or url like "bx.westooo.com" or domainname like "ar.mnnoxzmq.com" or siteurl like "ar.mnnoxzmq.com" or url like "ar.mnnoxzmq.com" or domainname like "iis.ihack.one" or siteurl like "iis.ihack.one" or url like "iis.ihack.one" or domainname like "mejsc1.com" or siteurl like "mejsc1.com" or url like "mejsc1.com" or domainname like "link.mejsc4.com" or siteurl like "link.mejsc4.com" or url like "link.mejsc4.com" or domainname like "meindi11.com" or siteurl like "meindi11.com" or url like "meindi11.com" or domainname like "mulu.ihack.one" or siteurl like "mulu.ihack.one" or url like "mulu.ihack.one" or domainname like "tdk.ihack.one" or siteurl like "tdk.ihack.one" or url like "tdk.ihack.one" or domainname like "xl.luodixijin.com" or siteurl like "xl.luodixijin.com" or url like "xl.luodixijin.com" or domainname like "xldll.xijingdafa.com" or siteurl like "xldll.xijingdafa.com" or url like "xldll.xijingdafa.com" or domainname like "meindi11.com" or siteurl like "meindi11.com" or url like "meindi11.com"

    Detection Query 2:

    dstipaddress IN ("123.181.24.36","138.112.25.25","36.75.75.75","71.162.181.51") or srcipaddress IN ("123.181.24.36","138.112.25.25","36.75.75.75","71.162.181.51")

    Detection Query 3:

    sha256hash IN ("299aabc6b9b03d92a6aed9d12eed45a669e5795763092693ac98322107cf8217","704ce326c380e4a35594df2b7d9bd17517709378451f3d9788728d01df36d0f6","fee057cee9da92d3d29078e7c30da7472ce99cc2ecaf4e13e8b3d6f266a6d35f","cd86344937c7e7c9895fde8eecc682eb347c583e1ded491075aef548a8e255a4","088fa3063c3015978955b572d5ddcff0838a945ce25665f24cca83d33e039cb9","85cf3c802a97facb5ae4c1e945c5042915017f35bdf1a570754b88710facf3f3","49740a5785f0d6790ee7f82915d2a95866332fc3eaf6fb0da59645404e4aed0c","0c532a4a9f398fa2f5e12c2eac00c81ff4a70ac6746cf462c3f2206ed910693f","b8626f0c45c68f6176540a64e2f8c6d5ac8b942a5ec030b590870a6eaffb931f","0511345f452e8c5ff2ca903553ba72f4fcb4f029f72b12e27f6a33e33977e5d2","1149c50a049dca8ada30247532d0b2f18b94c199b45fd5dc129b5a9fda0991e9","cbb4a9172f4b0185d3aecbaa60b8e04d8910889da8905e5089df3efdec0a38dd","5284d5e034aa8c077469d3ef8fb2c09aa041c475703ea99c87855cf6eecf9564","8b2a61f29fdeda908d299515975a4dd3abd1a7508dbe8487bcb2a56fad2ec16f","ee6288fa8e5f111571475211b15522bc987da8421e9687a8089d1edef1df14a2","762db01f0dc61a3f4aa1695cb24a92fa21d236d8c5577926337ac1799d6569a5","7276bc5fe4d29daf7a23a9a68022330290be45cc3a5a1d76e82063135b85ce5c","046417685ad2eb075f33a0f757391df84750d2395fa6f82b1f05359710b7c9b6","f7cc8cf5a8e565c1aa8b7bd524f4f9fac392387de749657cb9d1cf4d694c4ad2","b3d08508b1e8962e56da007408450e2a40fae8cac1ee7d526914be80e31f6854","e042f1a9b0a1d69311a5a1bd4eea37cc1a8a02cffe3f9ad5eb0c78fa79f326e2","5a6dd4bb2db005adee56732b96fa6f4ceed47fc42298daf7bb3e6db32b59eac6","f659c4cfe4517a07b9c944cb7818be4022fdc42187766808ad02987a4152a875","7ddf475abc6e01a1e703f4c54e5a2c8601fef4767b3b1859b78cfdc18b173004","0afa8830d2c664a192af94b638ab6b1c096d13e41a7f1886b71ff020e0d9bd93","c85a942a0d17c7accbabbf68ce04635327b757a662687c798e998c983c2a744c","e1342bca7bc4f3ff9453c68cd16532f4e6567a1ada37b6e2635cbc1c1ba325ac","94d8eaef036231cd604d0c769f0918e826501644a149876c09e967811c104860","0c364717dea76cbff870a2dbf2099213615a4caacaa5de61f7271c7eec73759f","2eedd804c1fa4578485b55f4872145b7f891016510fe88fa760b61b8248dec82","74eb8d245d5571f3ee9a4e5417fb919034662681ff26a298a3526032307f16a4","78f813c4474dcb4a1be9354d341bedcae6ef8689828a150c5936c308a0490777")
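    The three queries above, applied to log events in Python as an added example (not Gurucul's or Talos's code). It assumes events are dicts carrying the field names the queries use, takes a subset of the page's indicators, and normalises the URL-form indicator to its hostname so the .cab download is caught whether a field holds a host or a full URL; the sample events in the test are constructed.

```python
"""Apply the three TDIR detection queries to log events.

Added example, not the vendor's code. Assumes events are dicts with the
field names used in the queries (domainname, siteurl, url, srcipaddress,
dstipaddress, sha256hash). Indicator values are a subset of those on the
page; any sample events fed to match_event() are constructed.
"""
from urllib.parse import urlsplit

# Subset of the page's domain/URL indicators (Query 1).
DOMAIN_IOCS = [
    "aspx2.ggseocdn.com",
    "alex.rootggseo.com",
    "iis.ihack.one",
    "https://cdn.windowserrorapis.com:8443/v5/owa/rYpKZYehSa0sW1gFbbaVg4KB1m.cab",
]
# All four IP indicators from Query 2.
IP_IOCS = {"123.181.24.36", "138.112.25.25", "36.75.75.75", "71.162.181.51"}
# Subset of the page's SHA-256 indicators (Query 3).
HASH_IOCS = {
    "762db01f0dc61a3f4aa1695cb24a92fa21d236d8c5577926337ac1799d6569a5",
    "78f813c4474dcb4a1be9354d341bedcae6ef8689828a150c5936c308a0490777",
}


def host_of(value: str) -> str:
    """Reduce a bare hostname or a full URL to its lowercase hostname.

    Query 1 compares the full .cab URL against domainname/siteurl with
    `like`, which only fires if a field holds that exact string; matching
    on the host catches the same download in host- and URL-shaped fields.
    """
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.split("/")[0].split(":")[0]


IOC_HOSTS = {host_of(d) for d in DOMAIN_IOCS}


def match_event(event: dict) -> list:
    """Return the names of the detection queries the event triggers."""
    hits = []
    # Query 1: any of the three URL-bearing fields resolves to an IOC host.
    if any(host_of(event.get(f, "")) in IOC_HOSTS for f in ("domainname", "siteurl", "url")):
        hits.append("query1_domain")
    # Query 2: source or destination IP is an IOC address.
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IP_IOCS:
        hits.append("query2_ip")
    # Query 3: SHA-256 of the observed file is an IOC (compare case-insensitively).
    if event.get("sha256hash", "").lower() in HASH_IOCS:
        hits.append("query3_hash")
    return hits
```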

    Reference: 

    https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/


    Tags

    Malware, Threat Actor, UAT-8099, China, India, Thailand, Vietnam, Canada, Brazil, SEO fraud, credential stealers, Cobalt Strike, web shell, BadIIS
