A sophisticated cyber campaign, dubbed “Operation Rewrite,” is actively hijacking Microsoft Internet Information Services (IIS) web servers to serve malicious content through a technique known as search engine optimization (SEO) poisoning.
Palo Alto Networks uncovered the operation in March 2025, attributing it with high confidence to a Chinese-speaking threat actor who uses a malicious IIS module known as BadIIS.
The campaign’s primary goal is financial gain by manipulating search engine results to redirect unsuspecting users to unwanted websites, such as gambling and pornography platforms.
The attackers compromise legitimate, high-reputation websites, turning them into unwitting conduits for their malicious activities.
At the heart of this operation is BadIIS, a malicious native module for Microsoft’s IIS web server software. First identified in 2021, these modules integrate directly into the web server’s core processes, granting them high-level privileges.
This deep integration allows the malware to intercept, inspect, and modify all incoming and outgoing web traffic. Attackers leverage this control to inject malicious code, redirect users, and steal sensitive information without being easily detected.
The attackers use BadIIS to conduct SEO poisoning. Instead of building new malicious websites, which are difficult to rank in search engines, they compromise established sites that already have a good reputation.
By injecting popular search keywords into the compromised site’s content, they trick search engines like Google and Bing into ranking the site for a wide range of unrelated queries.
The “Operation Rewrite” campaign unfolds in two distinct phases designed to first deceive search engines and then ensnare human victims.
In the first phase, the BadIIS module recognizes visiting search engine crawlers by inspecting the request's User-Agent header. It then communicates with a command-and-control (C2) server to fetch keyword-rich, poisoned content. This content is served only to the crawler, causing the search engine to index the legitimate website for popular but irrelevant terms. Analysis shows a specific focus on East and Southeast Asia, with keywords for Vietnamese search engines and terms related to illegal soccer streaming services.

In the second phase, when a user clicks one of the poisoned results, the module recognizes that the visitor arrived from a search engine by inspecting the Referer header. Instead of showing the expected webpage, the module contacts the C2 server again to fetch a redirect link to a scam website. The compromised server acts as a reverse proxy, seamlessly sending the victim to the attacker-controlled destination.

Palo Alto Networks has linked this activity cluster, tracked as CL-UNK-1037, to a Chinese-speaking threat group. The name “Operation Rewrite” stems from the Pinyin transliteration “chongxiede” (重写), meaning “rewrite,” which was found as an object name in the malware’s code.
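Because the module keys its behavior on the User-Agent and Referer headers, a site owner can check for this kind of cloaking from outside by fetching the same URL under different visitor profiles and comparing what comes back. The script below is an added example, not code from the article or from Palo Alto Networks; the header values, hostnames and the two fake servers are constructed, and a real run would replace them with an HTTP fetch function.

```python
import difflib
from typing import Callable, Dict

# Visitor profiles mirroring the two BadIIS triggers. Header values are
# constructed; "browser" is the baseline a normal visitor would send.
PROFILES: Dict[str, Dict[str, str]] = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "from_search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
        "Referer": "https://www.google.com/search?q=example",
    },
}

# A fetch callable takes (url, headers) and returns the response body.
Fetch = Callable[[str, Dict[str, str]], str]


def detect_cloaking(url: str, fetch: Fetch, threshold: float = 0.9) -> Dict[str, float]:
    """Fetch the page as each profile and report every profile whose body
    differs from the plain-browser view (similarity below threshold)."""
    baseline = fetch(url, PROFILES["browser"])
    findings: Dict[str, float] = {}
    for name, headers in PROFILES.items():
        if name == "browser":
            continue
        body = fetch(url, headers)
        ratio = difflib.SequenceMatcher(None, baseline, body).ratio()
        if ratio < threshold:
            findings[name] = round(ratio, 2)
    return findings


LEGIT = "<html><h1>Acme Corp</h1><p>Industrial fasteners since 1952.</p></html>"

def fake_compromised_server(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for a server running a BadIIS-style module:
    crawlers get keyword-stuffed text, search visitors get proxied scam
    content, everyone else sees the real page."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return "<html>free live soccer stream best odds casino bonus</html>"
    if "/search" in headers.get("Referer", ""):
        return "<html><h1>Welcome bonus! Register now</h1></html>"
    return LEGIT

def fake_clean_server(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for an uncompromised server."""
    return LEGIT

if __name__ == "__main__":
    print(detect_cloaking("https://example.com/", fake_compromised_server))
```

Run against a real site, a non-empty result for "crawler" or "from_search" means the server is answering differently depending on who asks, which is the symptom to investigate in the IIS module list.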
Further investigation revealed additional linguistic evidence, including code comments written in simplified Chinese characters.
The group’s toolkit is not limited to the native BadIIS module. The investigation uncovered several variants, demonstrating the actor’s adaptability.
These include lightweight ASP.NET page handlers, managed .NET IIS modules, and an all-in-one PHP script, all designed to achieve the same SEO poisoning goals through different technical means.
Researchers noted significant overlaps in infrastructure and code design with a publicly tracked threat cluster known as “Group 9” and tactical similarities to the “DragonRank” campaign, suggesting a connection within a broader ecosystem of threat actors.