The PolySwarm Blog

Chinese Threat Actors Using BadIIS to Manipulate SEO

Feb 14, 2025 1:01:25 PM / by The Hivemind

Chinese Threat Actors | Verticals Targeted: Government, Education, Technology, Telecommunications

Executive Summary

Chinese threat actors were recently observed using BadIIS to manipulate SEO and direct victims to illegal gambling sites.

Key Takeaways

  • Chinese threat actors were recently observed using BadIIS to manipulate SEO and direct victims to illegal gambling sites.
  • BadIIS malware, which has been active since at least 2024, targets Internet Information Services (IIS).
  • Threat actors can use BadIIS to conduct SEO fraud or to inject malicious content into a victim’s browser.
  • A group of Chinese-speaking threat actors known as DragonRank may be responsible for the attacks.

The Campaign 

Chinese threat actors were recently observed using BadIIS to manipulate SEO and direct victims to illegal gambling sites. Trend Micro reported on this activity. 

BadIIS malware has been active since at least 2024. It targets Internet Information Services (IIS), and threat actors can use it to conduct SEO fraud or to inject malicious content into a victim’s browser. This allows threat actors to engage in multiple illicit activities, including displaying unauthorized ads, distributing malware, and conducting watering hole attacks. 

In this campaign, the threat actors compromised the IIS server by unknown means, then used batch files to install the BadIIS modules. BadIIS was used to direct users to illegal gambling sites or to connect them to malicious servers used for malware distribution or phishing. Verticals targeted by this activity included government, education, technology, and telecommunications. Targets were primarily located in India, Thailand, the Philippines, Singapore, Taiwan, South Korea, Japan, Brazil, and Vietnam. However, Trend Micro noted it is possible for this activity to spread globally.

According to Trend Micro, the campaign appears to be financially motivated: users are redirected to illegal gambling websites, indicating that the threat actors intend to make a profit. Researchers noted that strings in the malware written in simplified Chinese likely indicate the involvement of Chinese-speaking threat actors. Based on research published by Cisco Talos the previous September, it appears a group known as DragonRank may be responsible for the attacks.

Who Is DragonRank?

DragonRank is a Chinese-speaking threat actor group thought to be China-nexus. DragonRank TTPs include PlugX, BadIIS, SEO manipulation, exploiting vulnerabilities in application services, deploying web shells, DLL sideloading, and using Windows SEH to evade detection. The group primarily targets entities in Asia and Europe. Past targets include entities in the healthcare, media, technology, government, education, and telecommunications verticals.

IOCs

PolySwarm has multiple samples associated with this activity (SHA-256 hashes):

bbf9d7dafba979ef9c1e8531a20d3bea1adcdbb628816ce8781d7eeb6292f265

33e5e5e773d1909004d4b38a0e4e3e97e46cbdb7b17f94b28fce2c9ad0a375d3

c732067b3d8763c248051366ab7beeae0d7fbe105884d4d3f8647e3427f36daf

59b416efff07208dc8b1c98a6f754e3abc14e55d71971ddc5581f6bc7ca45837

61913e0a38282a42b26aff578da17dab60ac0fbee819fa42db5497cc5cf55760

42906ac10d053eec10c05e2eeebcb06a7d6b307dc0d18083151dff3e0ac70022

65967f471440449d2f1b615ff1338b8082b0481b617eda4d9f21a9f102b98859

c75a9a104e340473b72140127f3039a08f99a334887afc100d09cffa3c4c8e24

2ec893440e04de55bc6bbe4b1db76df532aa42d3140a15dc5365ef520a1d4247

a4906b40232726948f6a5357ad0ee9445512b422ae510d2ef08bd9cf516852bd

5b497b4205427198fc922c74cad8275b4256579f8bb5a1f1dbad7151630288a0

7321d599e777088356d7549e638b6b67fc43fc5c9f0c8846ee5aa7f47e35c2eb

ed3882a77cdc372f647e647b66979525a50054a580b43499ce5a97864d772730

24aafe0a2033e2e5ca231ebca0e3c56740754a97ca1f5062305e6b30222fc0ee

e927d6ea1fdc27c0ae9eb55254bbbd4f501f14ae02e499d7d20cdd83af479b20

df75b0b8ea1f75f0039c158c89e413ed6c4352309cc2cfa282afd1857676a88c

8fee015ae0e978e39af2cd1ca74b29202e702d296c110f3a7a90dfadce28d4a6

2e20ce7bc1e653737f05c910759fd2e420fe28f77f80a6d8e7c9346809e4dce7

12e4817abc69918b8556a4f18371c803db3d5191031cb56f835ec33cdb12f0d9

a68d83fd210b8ca21370a0f38da8fc0dd20b081e69beef911060924aa708a280

fec618c4f832d8a182fc1d3b9e58a0bff1a62241a1d17108e84ed1f0c4bb7845

3b8adf88b10e0c66d97b4909a17d4436a043ded5cf29c85ead22b58917e9ac7b


You can use the following CLI command to search for all BadIIS samples in our portal:

$ polyswarm link list -f BadIIS


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, China, BadIIS, SEO manipulation, DragonRank
