Operation Rewrite: Hackers Hijacking IIS Servers with BadIIS Module

Introduction
In March 2025, Palo Alto Networks Unit 42 uncovered Operation Rewrite, a sophisticated SEO poisoning campaign targeting Microsoft Internet Information Services (IIS) servers worldwide. The attackers, tracked as CL-UNK-1037 and believed to be Chinese-speaking threat actors, deploy a malicious IIS extension called BadIIS to silently hijack legitimate websites. Once embedded, BadIIS manipulates search engine results, luring victims to gambling scams, adult content, and fraudulent financial services while leaving the compromised site’s normal appearance intact.
The BadIIS Module
BadIIS is a native IIS module that integrates directly into the web server’s request-processing pipeline. Unlike simple web shells, it runs with full IIS privileges and can intercept, rewrite, and redirect HTTP traffic in real time.
Core Capabilities
Module Registration: Uses RegisterModule and SetRequestNotifications to hook key IIS events.
Traffic Interception: Handlers such as OnBeginRequest and OnSendResponse allow it to inspect or modify every HTTP request and response.
Hidden Logic: A code object named “chongxiede” (Chinese Pinyin for rewrite) contains the core malicious functions.
Encrypted Configuration: Stores keyword lists and command-and-control (C2) domains inside the DLL’s data section, XOR-decrypted at runtime.
These features give attackers the ability to manipulate search engine indexing, poison search results, and serve tailored payloads to real users.
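The writeup only states that the embedded configuration is XOR-decrypted at runtime; it gives neither the scheme nor the key. The Python below is an added example, not code from the Unit 42 report or from BadIIS, that shows the analyst-side recovery of such a blob under the assumption that the key is a single repeating byte: every key is tried and the candidate that looks most like text is kept, with a bonus for markers an analyst would expect in this kind of config (".com", ".html", "php"). The blob, the key 0x5A and the plaintext contents are constructed for the example, reusing the defanged C2 domain and endpoints quoted on this page.

```python
"""Recover a single-byte-XOR'd config blob from a module's data section.

ASSUMPTION: a single repeating key byte. The report only states that BadIIS
XOR-decrypts its keyword list and C2 domains at runtime; the scheme, the key and
the blob below are all constructed for this example, not taken from a sample.
"""
import re
import string

PRINTABLE = set(string.printable.encode())
# Substrings an analyst expects in a config of this kind; a wrong key almost
# never reproduces them, so they break ties between keys that are merely printable.
CONFIG_MARKERS = (b".com", b".html", b"php", b"http", b"keyword")
DOTTED_TOKEN_RE = re.compile(r"\b[a-z0-9-]+(?:\[?\.\]?[a-z0-9-]+)+\b", re.I)
FILE_SUFFIXES = (".html", ".htm", ".php", ".aspx", ".js", ".css", ".txt")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (encrypt and decrypt are the same op)."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> float:
    """Printable-byte fraction plus one point per expected marker found."""
    if not candidate:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    return printable + sum(m in candidate for m in CONFIG_MARKERS)


def recover_single_byte_xor(blob: bytes):
    """Try every key but 0 (an unencrypted blob needs no recovery) and return
    (key, plaintext) for the highest-scoring candidate."""
    best_key, best_score = None, -1.0
    for key in range(1, 256):
        score = text_score(xor_bytes(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, xor_bytes(blob, best_key)


def extract_candidate_domains(text: str):
    """Dotted tokens that are not obviously file names; defanged [.] is accepted."""
    found = {m.group(0) for m in DOTTED_TOKEN_RE.finditer(text)}
    return sorted(t for t in found if not t.lower().endswith(FILE_SUFFIXES))


# Constructed sample region, using the page's defanged C2 domain and endpoints.
SAMPLE_PLAINTEXT = b"404.008php[.]com|/kt.html|/vn.html|keywords=casino,lottery\x00"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_single_byte_xor(SAMPLE_BLOB)
    text = plain.rstrip(b"\x00").decode("ascii", errors="replace")
    print(f"key=0x{key:02x} plaintext={text!r}")
    print("candidate domains:", extract_candidate_domains(text))
```

Against a real sample the same loop is run over each candidate data-section region; if no key scores well the scheme is not single-byte XOR and the runtime decryption routine has to be read out of the module instead.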
Two-Phase Attack Methodology
Phase 1 – Poisoned Lure (SEO Manipulation)
Search Engine Detection: BadIIS checks User-Agent headers to identify crawler traffic.
C2 Communication: Contacts primary C2 servers (e.g., 404.008php[.]com) to fetch SEO-optimized HTML.
Keyword Injection: Injects spammy, keyword-stuffed pages to boost rankings for gambling and scam sites.
Index Pollution: Search engines like Google, Bing, and Vietnamese Cốc Cốc index the poisoned pages, boosting their visibility.
Phase 2 – Victim Redirection
Human Visitor Detection: Analyzes Referer headers to distinguish real users arriving from search results.
Payload Retrieval: Contacts C2 infrastructure to obtain redirect instructions.
Seamless Redirect: Silently forwards victims to scam websites while displaying legitimate content to others, making detection difficult.
Advanced Variants
Operation Rewrite employs multiple BadIIS variants for flexibility and redundancy:
ASP.NET Gateway Handler – Uses Page_Load events to detect search engine traffic and proxy malicious content.
Managed .NET IIS Module – Hijacks 404 errors to inject spam links dynamically.
All-in-One PHP Script – Generates fake sitemaps and keyword pages for Googlebot while redirecting mobile traffic.
This modular design allows attackers to compromise a wide range of server configurations and persist even if one component is removed.
Command and Control Infrastructure
Researchers identified an extensive C2 network controlling the campaign.
Key Domains and IPs
404.008php[.]com – Primary coordination server.
404.yyphw[.]com, 404.300bt[.]com – Backup control servers.
103.6.235[.]26 – Direct IP communication.
Notable URL Patterns
/zz/u.php – Command execution endpoint.
/kt.html – Content delivery channel.
/vn.html – Payloads targeting Vietnamese traffic.
All communication uses plain HTTP with simple XOR encryption, allowing stealthy but lightweight operations.
Attribution to CL-UNK-1037
Palo Alto Networks attributes Operation Rewrite to Chinese-speaking threat actors with moderate confidence.
Supporting Evidence
Code Artifacts: Chinese-language comments and the “chongxiede” object name.
Infrastructure Patterns: Overlaps with Group 9 and the DragonRank SEO poisoning campaign.
Regional Expertise: Specific focus on Vietnamese search engines and localized keywords.
While financial gain remains the primary motive, the group’s advanced tradecraft suggests potential links to state-sponsored operations or information warfare.
Global Impact and Target Sectors
Operation Rewrite has compromised hundreds of IIS servers across multiple continents.
Primary Regions
Vietnam – Core focus, targeting local search engines and gambling markets.
India, Thailand, Philippines, Singapore, Taiwan – Regional spillover.
South Korea, Japan, Brazil – Extended global reach.
Victimized Sectors
Government Agencies – Risk of public service disruption and disinformation.
Universities & Research Institutions – Exposure of academic data and reputational damage.
Technology & Telecom Providers – Potential lateral movement into core infrastructure.
Financial Services – Credential theft and fraudulent referral monetization.
Operational Security and Persistence
BadIIS operators demonstrate meticulous planning:
Legitimate Server Exploitation: Leverages trusted, high-reputation domains to evade blacklists.
Conditional Execution: Activates malicious functions only for specific traffic patterns.
Multi-Server Pivoting: Moves laterally across production servers and domain controllers.
Redundant Variants: Deploys native modules, managed .NET modules, and PHP scripts to survive partial cleanup.
Indicators of Compromise (IOCs)
Sample File Hashes (SHA-256)
01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60
bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c
Network Indicators
hxxp://404.008php[.]com/zz/u.php
hxxp://103.6.235[.]26/xvn.html
hxxps://sl.008php[.]com/kt.html
Security teams should monitor for suspicious module installations (eventSubId:105), abnormal HTTP response patterns, and crawler impersonation.
Defensive Recommendations
Immediate Actions
Patch Management – Apply all IIS and Windows Server updates.
Module Auditing – Review installed IIS modules for unauthorized entries.
Access Controls – Enforce multi-factor authentication and restrict administrative privileges.
Network Segmentation – Isolate IIS servers from critical internal systems.
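Module auditing (second item above) can start from applicationHost.config, where native modules appear under <globalModules> with their DLL image path and managed modules under <modules> with a .NET type. The Python below is an added example, not code from the report or from Microsoft, that flags native modules loaded from outside %windir%\System32\inetsrv and managed modules whose type is outside the System.Web namespace, which is how the native BadIIS module and its managed .NET variant would register. The config fragment and the module names SiteRewriteHelper and SeoAssist are constructed for the example; both heuristics produce a review queue, not a verdict, since legitimate third-party modules land in it too.

```python
"""Audit an IIS applicationHost.config for modules that do not look like stock IIS.

Two heuristics matching how BadIIS is deployed (a native DLL registered in
<globalModules>, or a managed .NET module registered in <modules>):
  1. a native module whose image is not under %windir%\\System32\\inetsrv\\
  2. a managed module whose type is outside the System.Web namespace
On a real host, read %windir%\\System32\\inetsrv\\config\\applicationHost.config
and pass its text to audit_modules(); confirm hits with file hashes and change
history before acting.
"""
import xml.etree.ElementTree as ET

STOCK_NATIVE_DIR = "c:\\windows\\system32\\inetsrv\\"
ENV_ALIASES = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}

# Constructed applicationHost.config fragment. The stock entries mirror the
# layout real IIS installs use; "SiteRewriteHelper" and "SeoAssist" are invented
# names standing in for an unauthorized native and managed module.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="SiteRewriteHelper" image="C:\\Windows\\Temp\\srh.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
      <add name="SiteRewriteHelper" />
      <add name="SeoAssist" type="SeoAssist.HttpModule, SeoAssist" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""


def normalize_image(path: str) -> str:
    """Lower-case the path and expand the variables IIS uses for its own modules."""
    p = path.strip().lower()
    for var, val in ENV_ALIASES.items():
        p = p.replace(var, val)
    return p


def audit_modules(config_xml: str,
                  trusted_native_dirs=(STOCK_NATIVE_DIR,),
                  trusted_managed_prefixes=("System.Web.",)):
    """Return (check, module name, detail) tuples for entries worth a closer look."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() also reaches <globalModules>/<modules> nested in <location> blocks,
    # so site-level registrations are audited as well as server-wide ones.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            image = normalize_image(add.get("image", ""))
            if not any(image.startswith(d) for d in trusted_native_dirs):
                findings.append(("native_module_outside_inetsrv",
                                 add.get("name"), add.get("image")))
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            mtype = add.get("type")
            if mtype and not mtype.startswith(trusted_managed_prefixes):
                findings.append(("managed_module_unknown_assembly",
                                 add.get("name"), mtype))
    return findings


if __name__ == "__main__":
    for check, name, detail in audit_modules(SAMPLE_CONFIG):
        print(f"{check}: {name} -> {detail}")
```

A native module that is in inetsrv but is not part of the install (a dropped DLL next to the stock ones) passes the path check, which is why the path heuristic is paired with file integrity monitoring on that directory rather than relied on alone.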
Monitoring Enhancements
Continuous log analysis of IIS access/error logs.
Deep packet inspection for unusual HTTP traffic.
File integrity monitoring to detect unauthorized DLL modifications.
Long-Term Strategies
Adopt a Zero Trust Architecture with continuous verification.
Implement behavioral baselines to detect anomalies in search engine traffic.
Integrate threat intelligence feeds specific to web server compromises.
Industry Implications
Operation Rewrite exposes a thriving black-hat SEO manipulation economy. By weaponizing high-reputation websites, attackers can:
Pollute search engine indexes, eroding user trust.
Monetize traffic via gambling and adult content redirections.
Undermine critical infrastructure, including government and telecom services.
This campaign highlights the urgent need for web server–specific defenses, beyond traditional endpoint and network security.
Conclusion
The BadIIS campaign demonstrates how threat actors can transform trusted web infrastructure into a global SEO weapon. With its dual-phase strategy—poisoning search engines and redirecting real users—Operation Rewrite combines financial fraud with advanced technical stealth. Organizations running IIS must treat web servers as high-value attack surfaces, implementing strict patching, continuous monitoring, and rapid incident response. Failure to do so risks not only brand damage but also the silent exploitation of digital ecosystems worldwide.
