SEO Poisoning Campaign Tied to Chinese Actor

Summary

Researchers at Palo Alto Networks Unit 42 uncovered an SEO poisoning campaign, active since March 2025, that uses a malicious native IIS module called BadIIS to intercept and alter web traffic on compromised servers. Tracked as CL-UNK-1037 and nicknamed “Operation Rewrite”, the campaign hijacks legitimate websites (often high-reputation sites) to serve keyword-stuffed HTML to search engine crawlers and then redirect real users to scam, gambling or adult sites for financial gain. Unit 42 links the activity to a Chinese-speaking actor with possible ties to known SEO manipulation services such as DragonRank and clusters seen by ESET and Cisco Talos.

The attack flow: the actor gains initial access, deploys web shells, exfiltrates web application source code, installs malicious DLLs as IIS modules (BadIIS), then uses compromised sites as reverse proxies. When search crawlers request pages containing configured keywords, BadIIS serves poisoned HTML from a C2; when users click the poisoned result, BadIIS proxies or redirects them to attacker-controlled content. Unit 42 published IoCs including SHA256 hashes and C2 URLs and recommends URL filtering, DNS security and endpoint protections.
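A cheap first check for the behaviour described above is to ask your own site for the same page three ways and compare the answers: as a normal browser, as a search-engine crawler, and as a browser arriving from a search result (the click path the actor monetises). The PowerShell script below is an added example and is not code from the Unit 42 report or the Dark Reading article; the target URL, the user-agent strings and the keyword list are placeholders to replace with your own site and the terms you would expect a poisoned page to carry.

```powershell
# Added example, not code from the Unit 42 report or the Dark Reading article.
# Fetches one page as a browser, as a search-engine crawler, and as a browser
# referred from a search result, then reports where the three views diverge
# (final URL, title, outbound link hosts, keyword density). $Url, the
# user-agent strings and the keyword list are placeholders for your own site.
param(
    [string]   $Url      = 'https://www.example.com/',              # placeholder
    [string[]] $Keywords = @('casino', 'bet', 'slot', 'jackpot')    # placeholder terms
)

$BrowserUA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36'
$CrawlerUA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
$SearchRef = 'https://www.google.com/'   # Referer a user clicking a search result would send

function Get-PageProfile {
    param([string]$Url, [string]$UserAgent, [string]$Referer = '')
    $headers = @{}
    if ($Referer) { $headers['Referer'] = $Referer }
    $resp = Invoke-WebRequest -Uri $Url -UserAgent $UserAgent -Headers $headers `
                              -UseBasicParsing -MaximumRedirection 5
    # The final-URL property differs between Windows PowerShell 5.1 and PowerShell 7.
    $final = if ($resp.BaseResponse.PSObject.Properties['ResponseUri']) {
        $resp.BaseResponse.ResponseUri.AbsoluteUri
    } else {
        $resp.BaseResponse.RequestMessage.RequestUri.AbsoluteUri
    }
    $html  = [string]$resp.Content
    $title = if ($html -match '<title[^>]*>(.*?)</title>') { $Matches[1].Trim() } else { '' }
    # Hosts of absolute links on the page; a cloaked page usually points off-site.
    $hosts = @([regex]::Matches($html, 'href\s*=\s*["'']https?://([^/"''\s]+)', 'IgnoreCase') |
               ForEach-Object { $_.Groups[1].Value.ToLower() } | Sort-Object -Unique)
    $hits = 0
    foreach ($k in $Keywords) {
        $hits += [regex]::Matches($html, [regex]::Escape($k), 'IgnoreCase').Count
    }
    [pscustomobject]@{
        FinalUrl    = $final
        Status      = [int]$resp.StatusCode
        Title       = $title
        Length      = $html.Length
        LinkHosts   = $hosts
        KeywordHits = $hits
    }
}

$browser = Get-PageProfile -Url $Url -UserAgent $BrowserUA
$others  = @{
    'crawler'              = Get-PageProfile -Url $Url -UserAgent $CrawlerUA
    'search-referred user' = Get-PageProfile -Url $Url -UserAgent $BrowserUA -Referer $SearchRef
}

$findings = @()
foreach ($label in $others.Keys) {
    $o = $others[$label]
    if ($o.FinalUrl -ne $browser.FinalUrl) {
        $findings += "Final URL for ${label} differs: $($o.FinalUrl) vs browser $($browser.FinalUrl)"
    }
    if ($o.Title -ne $browser.Title) {
        $findings += "Title for ${label} differs: '$($o.Title)' vs browser '$($browser.Title)'"
    }
    $extra = @($o.LinkHosts | Where-Object { $_ -notin $browser.LinkHosts })
    if ($extra.Count) {
        $findings += "Link hosts seen only by ${label}: $($extra -join ', ')"
    }
    # Keyword stuffing: many more hits than the browser view, and not just noise.
    if ($o.KeywordHits -gt 10 -and $o.KeywordHits -gt 3 * $browser.KeywordHits) {
        $findings += "Keyword density for ${label}: $($o.KeywordHits) hits vs browser $($browser.KeywordHits)"
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No divergence between browser, crawler and search-referred views of $Url" }
```

Run it from a host outside your own network against sites you operate. A divergence is a triage signal rather than proof: legitimate geo or A/B logic can also vary responses. A clean result does not clear the server either, because a module in the request pipeline can key its behaviour on crawler source IP ranges or on configured keywords rather than on the user-agent string alone, so pair this with a host-side audit of the IIS modules themselves.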

Key Points

  • Campaign active since March 2025, tracked as CL-UNK-1037 and dubbed “Operation Rewrite” by Unit 42.
  • Attack uses BadIIS — malicious native IIS modules registered as legitimate modules — to manipulate responses for crawlers and users.
  • Compromised servers act as reverse proxies; attackers exfiltrate source code and deploy web shells and scheduled tasks for lateral movement.
  • Primary goal is SEO poisoning: serve keyword-stuffed HTML to crawlers to boost poisoned pages in search results, then redirect users to scam/gambling/ad destinations for profit.
  • Attribution points to a Chinese-speaking actor with possible links to Group 9/DragonRank-like SEO manipulation services; similarities include C2 URI patterns (recurring “zz”) and toolset flow.
  • Unit 42 published indicators of compromise (BadIIS DLL SHA256s, handler hashes, C2 URLs) and recommended mitigations.
  • Defensive measures include advanced URL filtering, DNS security, endpoint protection, scanning for unexpected IIS modules, web shells and unauthorised scheduled tasks/local accounts.

Context and Relevance

This campaign blends classic web compromise with SEO abuse, weaponising the reputation of legitimate sites to monetise search traffic. Organisations with public-facing IIS servers — especially in East and Southeast Asia, where the campaign is focused — should treat this as a high-risk operational threat. The technique is notable because it integrates at the web server module layer, giving the attacker full visibility of and control over the request pipeline, which makes it harder to detect than simple redirect pages or malicious content hosted on throwaway domains.

It also underlines a wider trend: attackers increasingly exploit search-engine behaviour and legitimate infrastructure to amplify reach while reducing the work needed to build malicious site reputation. For security teams, that means scanning web servers for unauthorised IIS modules, hunting for web shells and ZIP archives of source code placed in web-accessible paths, and applying URL/DNS filtering to block known C2 and redirect destinations.
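The defensive measures listed in the key points and in the paragraph above (unexpected IIS modules, web shells and source-code archives in web-accessible paths, unauthorised scheduled tasks and local accounts) can be hunted for in one pass on the IIS host. The script below is an added example, not code from the Unit 42 report or the article; the look-back window, the web-root list and the empty known-bad hash list are assumptions to adjust for your environment, and the hash list should be populated from the SHA256 values in the Unit 42 IoC publication rather than guessed.

```powershell
# Added example, not code from the Unit 42 report or the Dark Reading article.
# Host-side hunt on an IIS server for the artefacts the write-up describes:
# native IIS modules that are not Microsoft-signed or match known-bad hashes,
# scheduled tasks and local accounts registered or changed inside a look-back
# window, and archives or recently changed script files under web roots.
# Run elevated on the IIS host. Window, roots and hash list are assumptions.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$LookBackDays   = 90                          # assumption: how far back to hunt
$WebRoots       = @('C:\inetpub\wwwroot')     # assumption: add every site root you serve
$KnownBadSha256 = @()                         # placeholder: fill from the published IoC list
$CutOff         = (Get-Date).AddDays(-$LookBackDays)

# 1. Native (global) IIS modules. BadIIS is registered here as a DLL, so anything
#    not Microsoft-signed, outside %windir%, or matching a known hash is triaged.
$modules = Get-WebGlobalModule | ForEach-Object {
    $path   = [Environment]::ExpandEnvironmentVariables($_.Image)
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
    [pscustomobject]@{
        Module    = $_.Name
        Path      = $path
        SigStatus = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
        Microsoft = ($signer -like '*O=Microsoft Corporation*')
        KnownBad  = ($hash -and $hash -in $KnownBadSha256)
        Sha256    = $hash
        Modified  = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime } else { $null }
    }
}
$suspectModules = $modules | Where-Object {
    $_.KnownBad -or -not $_.Microsoft -or $_.SigStatus -ne 'Valid' -or $_.Path -notlike "$env:windir\*"
}

# 2. Scheduled tasks registered inside the window (Date is the registration time).
$suspectTasks = Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $CutOff } |
    Select-Object TaskName, TaskPath, Author, Date,
        @{ n = 'Action'; e = { @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# 3. Enabled local accounts created or re-keyed inside the window.
$suspectUsers = Get-LocalUser |
    Where-Object { $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -gt $CutOff } |
    Select-Object Name, PasswordLastSet, LastLogon, Description

# 4. Files under web roots: archives (exfiltrated source code staged for download)
#    and recently changed server-side scripts (candidate web shells).
$archives = Get-ChildItem -Path $WebRoots -Recurse -File -Include *.zip, *.rar, *.7z -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
$scripts  = Get-ChildItem -Path $WebRoots -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asax, *.php -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $CutOff }
# Crude content heuristic: dynamic code evaluation or process spawning from a page script.
$shellish = $scripts |
    Select-String -Pattern 'eval\s*\(|Execute\s*\(|ProcessStartInfo|Process\.Start|cmd\.exe' -List |
    Select-Object Path, LineNumber, Line

"== IIS native modules needing review =="
$suspectModules | Format-Table Module, SigStatus, Microsoft, KnownBad, Modified, Path -AutoSize
"== Scheduled tasks registered since $($CutOff.ToShortDateString()) =="
$suspectTasks | Format-Table -AutoSize
"== Enabled local accounts changed since $($CutOff.ToShortDateString()) =="
$suspectUsers | Format-Table -AutoSize
"== Archives under web roots =="
$archives | Format-Table -AutoSize
"== Recently changed script files with shell-like content =="
$shellish | Format-Table -AutoSize
```

Treat every section as a triage list, not a verdict: legitimate third-party IIS modules will also appear as non-Microsoft, so compare the module list with a baseline captured from a clean build of the same server, and the content regex on script files is only a cheap first filter before manual review.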

Why should I read this?

Short version: if you run IIS sites or care about organic search traffic, this is the sort of sneaky, revenue-driven trick that can wreck your traffic and reputation — and it hides inside the server itself. Read it to spot the signs early, lock down your web servers, and avoid being the unwitting gateway to scams.

Author style

Punchy: the write-up is direct and practical — essential reading if you operate web infrastructure or manage incident response. Unit 42 gives actionable IoCs and clear mitigation advice, so it’s worth digging into the full post if you need to hunt or harden servers now.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/seo-poisoning-campaign-chinese-actor