BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites
Cybersecurity NewsArchived May 21, 2026✓ Full text saved
A dangerous piece of malware known as BadIIS has been actively targeting Internet Information Services (IIS) web servers, quietly hijacking them and redirecting unsuspecting visitors to illegal gambling sites, adult content platforms, and other illicit destinations. The attacks have been going on for years across the Asia-Pacific region and beyond, placing thousands of legitimate websites […] The post BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites appeared first on
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites
By Tushar Subhra Dutta
May 21, 2026
A dangerous piece of malware known as BadIIS has been actively targeting Internet Information Services (IIS) web servers, quietly hijacking them and redirecting unsuspecting visitors to illegal gambling sites, adult content platforms, and other illicit destinations.
The attacks have been going on for years across the Asia-Pacific region and beyond, placing thousands of legitimate websites and their users at serious risk.
BadIIS works by planting a malicious module inside the IIS server software that runs quietly in the background. Once installed, it intercepts web traffic flowing through the compromised server and silently reroutes visitors without them knowing.
The server continues to look normal from the outside, making detection far more difficult for administrators and security teams.
Researchers at Cisco Talos identified a specific BadIIS variant distinguishable by embedded “demo.pdb” strings, which revealed that the malware functions as a commodity tool likely sold or shared across multiple Chinese-speaking cybercrime groups.
According to a report shared with Cyber Security News (CSN), Cisco Talos assessed with moderate confidence that this variant operates under a Malware-as-a-Service (MaaS) model, enabling continuous monetization by the developer.
The investigation revealed that the malware has been in active development since at least September 2021, with the latest compiled sample dating to January 6, 2026.
Rapid iterative updates, feature branching, and reactive evasion tactics targeting specific security vendors like Norton confirmed the tool remains under active maintenance.
Talos also observed attacks across the Asia-Pacific region, South Africa, Europe, and North America, demonstrating how far the campaign has spread.
The attacker behind the campaign operates under the alias “lwxat,” a handle embedded throughout the builder tool, authentication mechanisms, and even in live HTTP user-agent strings during active malware communications.
PDB path artifacts further pointed to a customized build tailored for a specific client, indicating this BadIIS variant was purpose-built for certain customers and reinforcing the MaaS business model.
BadIIS Malware Turns Hijacks IIS Servers
The core functionality of BadIIS centers on a dedicated builder tool that threat actors use to generate custom configuration files, JavaScript redirectors, and PHP backlink scripts, then inject those parameters directly into BadIIS binaries.
The builder offers four main capabilities: traffic redirection to illicit sites, reverse proxying for search engine crawler manipulation, full content hijacking of the compromised website, and internal and external backlink injection for malicious SEO fraud.
Custom site hijacking version that redirects users based on browser language (Source – Cisco Talos)
Traffic redirection is handled by injecting JavaScript-based redirectors into the victim’s browser session, forcibly sending legitimate users to spam infrastructure such as illegal gambling platforms and adult content websites.
For search engine crawlers, BadIIS acts as a reverse proxy, fetching illicit content from the attacker’s command-and-control backend and serving it as though it belongs to the legitimate website.
Builder workflow (Source – Cisco Talos)
The content hijacking feature even allows threat actors to configure what percentage of traffic gets affected and dynamically pull malicious title, description, and keyword metadata from a remote URL.
A MaaS Ecosystem Built for Scale
Beyond the core BadIIS binary, Cisco Talos discovered a full suite of auxiliary tools developed by the same author, including service-based installers, dropper components, and persistence mechanisms.
These tools ensure that BadIIS automatically revives itself every time the compromised IIS server restarts, making manual cleanup far more difficult.
The malware uses custom Base64 encoding and single-byte XOR obfuscation to conceal command-and-control server addresses from security scanners.
Installation workflow (Source – Cisco Talos)
One of the persistence tools impersonates legitimate Windows services such as FaxService or AudiosService to avoid raising suspicion during routine security checks.
Another tool acts as a module initialization dropper, packaging the malicious DLL payloads within a standalone executable labeled “IIS32” and “IIS64” inside its resources.
Together, these components form a modular, scalable ecosystem designed for sustained access and continuous revenue.
Server administrators are strongly advised to regularly audit installed IIS modules and review the IIS server’s applicationHost.config file for unknown or unauthorized entries.
Monitoring for unexpected outbound connections from web servers and keeping security products updated to detect BadIIS-specific signatures will also help reduce exposure to this threat.
Indicators of Compromise (IoCs):-
Type Indicator Description
Malware Signature Win.Malware.BadIIS-10069981-0 ClamAV signature detecting BadIIS threat
Malware Signature Win.Malware.BadIIS-10069988-0 ClamAV signature detecting BadIIS threat
Malware Signature Win.Malware.BadIIS-10069984-0 ClamAV signature detecting BadIIS threat
Malware Signature Win.Malware.BadIIS-10069985-0 ClamAV signature detecting BadIIS threat
SNORT Rule (SID) 1:66400, 1:66439, 1:66438 Snort2 rules detecting and blocking BadIIS traffic
SNORT Rule (SID) 1:66400, 1:301498-1 Snort3 rules detecting and blocking BadIIS traffic
PDB String demo.pdb Embedded string identifying the BadIIS MaaS variant
PDB String / Actor Alias lwxat Threat actor alias embedded in builder, config, and HTTP user-agent strings
File Name IIS32 / IIS64 BadIIS DLL payloads named inside dropper resource
File Name config.txt Configuration file read by BadIIS service installer
File Name module.txt Staging file used to temporarily store IIS modules list
Windows Service Name Winlogin Fake Windows service name used for persistence by installer tool
User-Agent String lwxatisme Custom HTTP user-agent string used during C2 communications
Builder Artifact “demo.pdb” folder path pattern C:\Users\Administrator\Desktop\ build paths revealing developer environment
Folder Name dll-no904 Troubleshooting build directory identified in PDB paths
Config Tag lw\xat (xshen alias) PDB path string referencing client-customized build for “xshen”
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild
FreePBX Vulnerability Allow Attackers to Gain Access to User Portals
Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor
New Malware Framework Enables Screen Control, Browser Artifact Access, and UAC Bypass
GitHub Internal Repositories Breached Via Weaponized VS Code Extension
Latest News
Cyber Security News
Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys
Cyber Security
New Microsoft Defender 0‑Days Actively Exploited in the Wild
Cyber Security News
Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access
Cyber Security News
Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack
Cyber Security News
New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers