Full Report
Cisco Talos has uncovered a BadIIS variant, identifiable by its embedded "demo.pdb" strings, that functions as commodity malware: it is likely sold or shared among multiple Chinese-speaking cybercrime groups under a malware-as-a-service (MaaS) model for continuous monetization.
Analysis Summary
# Threat Actor: lwxat (Author/Developer)
## Attribution & Identity
* **Primary Identity:** **lwxat** (confirmed via hardcoded authentication strings in builder tools, configuration parameters, and custom user-agent strings).
* **Aliases/Handles:** "lwxatisme" (User-Agent string).
* **Associated Groups/Clients:** Operates under a **Malware-as-a-Service (MaaS)** model. Notable clients or customers include an entity aliased as **"x神" (xshen)**.
* **Origin:** Highly likely Chinese-speaking, based on Chinese-language folder names in PDB paths (e.g., "过诺顿", "bypass Norton", and "兼容百度浏览器", "compatible with Baidu browser") and targeting of the Baidu search engine ecosystem.
## Activity Summary
The actor has maintained a sustained, multi-year development effort from at least September 2021 through January 2026. They specialize in developing and selling variants of **BadIIS**, a malicious IIS (Internet Information Services) helper module. Recent activity (2024–2026) involves the distribution of a "demo.pdb" variant used for large-scale SEO fraud and traffic redirection across the Asia-Pacific region and other global targets.
## Tactics, Techniques & Procedures
* **Malicious SEO (Search Engine Poisoning):** Hijacking `robots.txt`, backlink injection, and manipulating search engine crawlers.
* **Traffic Manipulation:** Reverse proxying and conditional redirection based on victim browser language or environment.
* **Evasion Tactics:**
* Specific builds designed to "Bypass Norton" (过诺顿).
* Custom Base64 encoding and obfuscation.
* Troubleshooting builds (e.g., "dll-no503") to prevent HTTP 503 errors from IIS; a faulty native module crashes the worker process, trips rapid-fail protection and takes the application pool offline, a failure that would quickly alert administrators.
* **Persistence:** Use of service-based installers and droppers to ensure survival across IIS server restarts.
* **C2/Communication:** Custom User-Agent strings (e.g., `lwxatisme`), and a 2024-05-05-tcp branch indicating a shift of C2 traffic to raw TCP.
**MITRE ATT&CK IDs:**
* T1505.003: Server Software Component: IIS Components
* T1071.001: Application Layer Protocol: Web Protocols
* T1608.006: Stage Capabilities: SEO Poisoning (SEO fraud and redirection)
* T1543.003: Create or Modify System Process: Windows Service (service-based installers)
## Targeting
* **Sectors:** Organizations running Microsoft IIS web servers; specifically those involved in or susceptible to SEO-related fraud.
* **Geography:** Primarily **Asia-Pacific (APAC)**. Additional observed activity in South Africa, Europe, and North America.
* **Victims:** Unnamed organizations globally running vulnerable or compromised IIS servers.
## Tools & Infrastructure
* **Malware Families:** **BadIIS** (specifically the "demo.pdb" variant).
* **Auxiliary Tools:** Comprehensive suite including a dedicated **Builder Tool**, service installers, and droppers.
* **Infrastructure Indicators:**
* Internal PDB paths: `Administrator\Desktop\...`
* Custom User-Agent: `lwxatisme`
* Versioned DLLs: `dll0217`, `dll0301`, `dll20260106`
## Implications
The transition of BadIIS into a professionalized MaaS model lowers the barrier to entry for lower-tier Chinese-speaking cybercrime groups. The developer's rapid response to security vendor detections (e.g., Norton) and server errors (503 Service Unavailable) indicates a sophisticated, customer-centric development lifecycle aimed at maintaining long-term persistence on victim web servers for continuous monetization.
## Mitigations
* **IIS Security:** Audit installed IIS modules regularly: native modules are registered under `system.webServer/globalModules` in applicationHost.config, managed modules under `system.webServer/modules`. Remove any unauthorized or unsigned `.dll` that IIS Manager shows as a loaded module.
* **File Integrity Monitoring (FIM):** Monitor `%windir%\System32\inetsrv\config\applicationHost.config` (and per-site web.config files) together with the `C:\Windows\System32\inetsrv\` directory for new or modified DLLs and module registrations.
* **Network Defense:** Deploy the Snort rules released for the "lwxat" toolset (SIDs 1:66398, 1:66399, 1:66400) and the corresponding ClamAV signatures.
* **Visibility:** Monitor web server logs (the W3C `cs(User-Agent)` field) for unusual User-Agent strings such as `lwxatisme`, for unexpected redirection patterns, and for modifications to `robots.txt`.
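The following PowerShell script is an added example for the module audit and redirection-monitoring items above; it is not code from Talos or from the lwxat toolset. It assumes a default IIS installation path, treats "not signed by Microsoft" as a review heuristic rather than a verdict, and uses hypothetical crawler and browser client profiles to probe a site for crawler/visitor cloaking of the kind described under Traffic Manipulation.

```powershell
# Added example, not Talos or lwxat code. Two triage checks for an IIS host:
# (1) list native modules from applicationHost.config and flag those that are
#     unsigned, not Microsoft-signed, missing, or loaded from outside inetsrv;
# (2) fetch one URL as several client profiles without following redirects,
#     so a module that proxies crawlers or redirects visitors by language
#     shows up as differing status, Location or body across profiles.
# Assumptions: default IIS paths; the client profiles are illustrative.

function Get-SuspiciousIisModule {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    $inetsrv = "$env:windir\System32\inetsrv\"
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    # Native modules are registered as <add name="..." image="..."/> elements.
    foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
        $image   = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
        $reasons = @()
        if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'loaded from outside inetsrv'
        }
        if (Test-Path -LiteralPath $image) {
            # A dropper can place the DLL inside inetsrv, so the path check is
            # weak on its own; the Authenticode check is the one that matters.
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $reasons += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
            }
            $modified = (Get-Item -LiteralPath $image).LastWriteTime
        } else {
            $reasons += 'image missing on disk'
            $modified = $null
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $m.GetAttribute('name'); Image = $image
                               Modified = $modified; Reasons = ($reasons -join '; ') }
        }
    }
}

function Test-IisCloaking {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Hypothetical profiles: two search-engine crawlers, two browser languages.
        [System.Collections.IDictionary]$Profiles = [ordered]@{
            baiduspider  = @{ UA = 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)'; Lang = 'zh-CN' }
            googlebot    = @{ UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'; Lang = 'en-US' }
            'browser-zh' = @{ UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36'; Lang = 'zh-CN,zh;q=0.9' }
            'browser-en' = @{ UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36'; Lang = 'en-US,en;q=0.9' }
        }
    )
    $sha256  = [System.Security.Cryptography.SHA256]::Create()
    $results = foreach ($name in $Profiles.Keys) {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.UserAgent = $Profiles[$name].UA
        $req.Headers['Accept-Language'] = $Profiles[$name].Lang
        $req.AllowAutoRedirect = $false    # keep the 30x so Location stays visible
        $req.Timeout = 10000
        try {
            $resp = $req.GetResponse()
        } catch {
            # 4xx/5xx surface as a WebException; the response is still attached.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            $resp = $ex.Response
        }
        if (-not $resp) {
            [pscustomobject]@{ Profile = $name; Status = 0; Location = ''; BodySha256 = '' }
            continue
        }
        $ms = New-Object System.IO.MemoryStream
        $resp.GetResponseStream().CopyTo($ms)
        $hash = ($sha256.ComputeHash($ms.ToArray()) | ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{ Profile = $name; Status = [int]$resp.StatusCode
                           Location = [string]$resp.Headers['Location']; BodySha256 = $hash }
        $resp.Close()
    }
    # Any variation across profiles means the server answers different clients
    # differently for the same URL: investigate the loaded modules.
    $distinct = @($results | Select-Object Status, Location, BodySha256 -Unique)
    [pscustomobject]@{ Url = $Url; Cloaked = ($distinct.Count -gt 1); Responses = $results }
}

# Usage on the IIS host:
#   Get-SuspiciousIisModule | Format-Table -AutoSize
#   (Test-IisCloaking -Url 'http://localhost/').Responses | Format-Table -AutoSize
```

The module audit only covers native modules, which is where an IIS helper module such as BadIIS registers; managed modules under `system.webServer/modules` would need a parallel pass. The cloaking probe keys only on User-Agent and Accept-Language, the discriminators the report describes; if a server is suspected of keying on other request attributes, add profiles for them rather than trusting a single clean result.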