Cybercriminals are getting more creative, and more dangerous, in how they manipulate search engines. A newly uncovered campaign, Operation Rewrite, deploys a malicious IIS module tracked as BadIIS to poison search engine results, hijack web traffic, and keep persistent backdoors on compromised servers. Targeting East and Southeast Asia, especially Vietnam, the campaign shows how SEO poisoning is being weaponized as a cyberattack vector.
What Is BadIIS Malware?
As documented by Palo Alto Networks' Unit 42 in its Operation Rewrite report, BadIIS is a malicious Internet Information Services (IIS) module that intercepts and modifies incoming web traffic. Rather than simply redirecting users to unwanted sites, it abuses legitimate websites with strong domain reputations to inject keywords and fraudulent links. The trick lets compromised sites rank for unrelated search terms, misleading both search engines and unsuspecting users.
How SEO Poisoning Works in This Campaign
BadIIS inspects the User-Agent header of incoming HTTP requests to identify search engine crawlers. When it detects one, it serves manipulated content fetched from external attacker-controlled servers, so the poisoned pages are indexed as "relevant" results for the attacker's chosen keywords. Human visitors who arrive through those search results are then redirected to scam destinations such as gambling or adult content platforms, which profits the attackers while damaging the victims' businesses and reputations. Because the injected content is shown only to requests that look like crawlers, an administrator loading the page in a normal browser may see nothing wrong.
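The crawler-versus-visitor branching described above, as an added example that is not code from Unit 42 or from this article: a small Python model of a compromised site's decision logic, plus a differential probe a defender can point at their own site to spot this kind of cloaking. The crawler and search-engine patterns, the casino.example hosts, the page bodies, and the assumption that the human-visitor redirect is keyed on a search-engine Referer header are this example's assumptions, not details taken from the page.

```python
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# A response is (status, Location header or None, body). A Fetch takes request headers
# and returns a response, so the probe can run against an in-process model or a live site.
Response = Tuple[int, Optional[str], str]
Fetch = Callable[[Dict[str, str]], Response]

# Assumed crawler and search-engine patterns (not from the article).
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)
SEARCH_REFERER = re.compile(r"^https?://([\w-]+\.)*(google|bing|baidu|yandex|duckduckgo)\.", re.I)

# Constructed page content; casino.example is a hypothetical attacker destination.
ORIGINAL_BODY = "<html><body><h1>Acme Widgets</h1><p>We sell widgets.</p></body></html>"
POISONED_BODY = ("<html><body><h1>Acme Widgets</h1>"
                 "<a href='http://casino.example'>best online casino bonus</a></body></html>")
SCAM_URL = "http://casino.example/landing"


def cloaked_site(headers: Dict[str, str]) -> Response:
    """Model of a compromised site: three audiences, three different answers."""
    if CRAWLER_UA.search(headers.get("User-Agent", "")):
        return 200, None, POISONED_BODY      # crawler indexes the keyword-stuffed page
    if SEARCH_REFERER.match(headers.get("Referer", "")):
        return 302, SCAM_URL, ""             # assumption: search-referred humans are bounced
    return 200, None, ORIGINAL_BODY          # direct visitors (and the site owner) see nothing odd


def clean_site(headers: Dict[str, str]) -> Response:
    """Control: an uncompromised site answers everyone the same way."""
    return 200, None, ORIGINAL_BODY


PERSONAS = {
    "browser_direct": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    "browser_from_search": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
                            "Referer": "https://www.google.com/"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}
LINK_RE = re.compile(r"""href=['"]([^'"]+)['"]""", re.I)


def probe(fetch: Fetch, own_host: str) -> dict:
    """Fetch the same URL as three personas and diff what each one gets back."""
    got = {name: fetch(hdrs) for name, hdrs in PERSONAS.items()}
    _, _, base_body = got["browser_direct"]
    _, _, crawler_body = got["crawler"]
    search_status, search_loc, _ = got["browser_from_search"]

    # Links the crawler sees but a direct visitor does not: injected SEO spam.
    crawler_only = sorted(set(LINK_RE.findall(crawler_body)) - set(LINK_RE.findall(base_body)))

    # A redirect off-site that only search-referred visitors receive.
    off_site = None
    if search_status in (301, 302, 303, 307, 308) and search_loc:
        if (urlparse(search_loc).hostname or own_host).lower() != own_host.lower():
            off_site = search_loc

    return {
        "crawler_only_links": crawler_only,
        "search_referer_redirect": off_site,
        "cloaked": bool(crawler_only) or off_site is not None,
    }


def make_http_fetch(url: str) -> Fetch:
    """Real fetcher for your own site (not exercised offline); reports a 3xx instead of following it."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")

    return fetch


if __name__ == "__main__":
    print(probe(cloaked_site, "acme.example"))   # the model is flagged
    print(probe(clean_site, "acme.example"))     # a clean site is not
```

To run the probe against a real server you own, call `probe(make_http_fetch("https://www.yoursite.example/"), "www.yoursite.example")`. A site that returns different links to a crawler persona, or a 302 to a foreign host only when the Referer is a search engine, deserves a look at its installed IIS modules; a site that legitimately serves crawlers a different rendering (some prerendering setups do) will also trip the first check, so treat the output as a lead, not a verdict.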
Beyond Redirects: Planting Web Shells
The threat goes deeper than SEO manipulation. Unit 42 found that attackers used their foothold on the compromised web server as a pivot point to:
- Create new local user accounts
- Drop web shells for persistent remote access
- Exfiltrate source code
- Deploy additional BadIIS implants
This combination of SEO poisoning and backdoor access effectively turns compromised servers into long-term staging grounds for cybercriminal operations.
BadIIS Variants in the Wild
Researchers identified multiple flavors of the BadIIS implant, tailored for different attack scenarios:
- ASP.NET page handler – lightweight redirect tool fetching malicious content from a remote C2 server.
- .NET IIS module – intercepts every request, injecting spam links and keywords from another C2 server.
- PHP script – an all-in-one toolkit combining SEO poisoning with user redirection.
Who’s Behind Operation Rewrite?
Unit 42 attributes this campaign to a Chinese-speaking threat actor it tracks as CL-UNK-1037, whose infrastructure and tactics overlap with the cluster ESET calls Group 9 and with DragonRank, reported by Cisco Talos. The evidence suggests a coordinated strategy by a sophisticated group investing heavily in search manipulation and traffic control as a cybercrime business model.
Why It Matters
This isn’t just about spammy search results. By hijacking legitimate websites and weaponizing search rankings, attackers can:
- Damage trust in brand domains
- Steal sensitive business data
- Disrupt regional digital economies
- Expand their reach globally through search visibility
The campaign also echoes recent findings by ESET on GhostRedirector, another IIS-module-based malware that compromised at least 65 Windows servers, mostly in Brazil, Thailand, and Vietnam. Together, these campaigns highlight a rising trend: SEO poisoning is no longer just an annoyance; it is a full-fledged cyberattack strategy.
Protecting Against SEO Poisoning Malware
Organizations running IIS servers should act quickly to defend themselves. Recommended steps include:
- Regularly auditing installed IIS modules (native entries under globalModules and managed modules under modules in applicationHost.config and site web.config files) against a known-good baseline
- Monitoring server logs for suspicious crawler interactions, such as crawler User-Agents receiving different response sizes than browsers for the same URL, or search-referred visitors being redirected to external hosts
- Deploying layered defenses, including endpoint detection and response (EDR)
- Applying strict access controls and multi-factor authentication
- Educating IT teams about emerging SEO poisoning threats
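A concrete version of the first recommendation, as an added example that is not from the article or from Unit 42: a Python audit of applicationHost.config that flags native modules whose image lives outside %windir%\System32\inetsrv, managed modules whose .NET type is not in a System. or Microsoft. namespace, and any module name missing from a baseline. The trimmed config snippet, the baseline set, and the module names CacheOpt and RequestFilterEx are constructed for the example; the stock entries alongside them are real IIS module names.

```python
import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Set

# Constructed, trimmed applicationHost.config. "CacheOpt" and "RequestFilterEx" are invented
# names standing in for a dropped native DLL and a dropped managed module; the rest are stock IIS entries.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="CacheOpt" image="C:\inetpub\temp\cacheopt.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="HttpLoggingModule" lockItem="true" />
        <add name="StaticCompressionModule" lockItem="true" />
        <add name="CacheOpt" />
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
        <add name="RequestFilterEx" type="ReqFilter.Module, RequestFilterEx" preCondition="managedHandler" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

# Baseline of module names taken from a known-clean server (here: the stock entries of the sample).
BASELINE: Set[str] = {"HttpLoggingModule", "StaticCompressionModule", "FormsAuthentication"}

# Native IIS modules ship from this directory; the attribute may hold %windir% literally or expanded.
INETSRV_PREFIXES = {
    "%windir%\\system32\\inetsrv\\",
    os.path.expandvars("%windir%\\system32\\inetsrv\\").lower(),
}
TRUSTED_NAMESPACES = ("System.", "Microsoft.")


@dataclass
class Finding:
    name: str
    kind: str            # "native" or "managed"
    location: str        # DLL path or .NET type
    reasons: List[str] = field(default_factory=list)


def audit_modules(config_xml: str, baseline: Set[str]) -> List[Finding]:
    """Flag native modules loaded from outside inetsrv, managed modules from untrusted
    namespaces, and any module name absent from the baseline."""
    root = ET.fromstring(config_xml)
    findings: List[Finding] = []

    for add in root.findall(".//globalModules/add"):
        name, image = add.get("name", ""), add.get("image", "")
        norm = image.lower().replace("/", "\\")
        reasons = []
        if not any(norm.startswith(p) for p in INETSRV_PREFIXES):
            reasons.append("image outside %windir%\\System32\\inetsrv")
        if name not in baseline:
            reasons.append("not in baseline")
        if reasons:
            findings.append(Finding(name, "native", image, reasons))

    for add in root.findall(".//modules/add"):
        type_attr = add.get("type")
        if type_attr is None:
            continue  # plain reference to a native module; covered above
        name = add.get("name", "")
        type_name = type_attr.split(",", 1)[0].strip()
        reasons = []
        if not type_name.startswith(TRUSTED_NAMESPACES):
            reasons.append("type outside System./Microsoft. namespaces")
        if name not in baseline:
            reasons.append("not in baseline")
        if reasons:
            findings.append(Finding(name, "managed", type_attr, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python audit_iis_modules.py [path\to\applicationHost.config]
    xml_text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit_modules(xml_text, BASELINE):
        print(f"{f.kind:8} {f.name:20} {f.location}  <- {'; '.join(f.reasons)}")
```

On a live server the file is %windir%\System32\inetsrv\config\applicationHost.config, and a baseline can be taken from a freshly built reference host with `appcmd list modules`. Two caveats: site-level web.config files can register managed modules too, so run the managed check over those as well; and an attacker with enough access to edit applicationHost.config can also drop a DLL inside inetsrv under a plausible name, so pair the path check with a file-hash or Authenticode check of every native module image.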
Final Thoughts
BadIIS is more than a single malware family; it is a glimpse into how cybercriminals will weaponize search engines against businesses and users alike. As attackers refine their ability to manipulate web visibility, defenders must rethink their approach to both SEO security and server-side malware detection.
Do you think SEO poisoning will become the next mainstream cybercrime tactic, or is it just a stepping stone to even more sophisticated attacks? Share your thoughts in the comments below.