From PDB Strings to MaaS: Tracking a Commodity BadIIS Ecosystem
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Cisco Talos identified a BadIIS malware variant marked by embedded demo.pdb strings and linked it to a malware-as-a-service ecosystem used by multiple Chinese-speaking cybercrime actors. The malware targets Microsoft IIS servers to support SEO manipulation, malicious traffic redirection, reverse proxying for search-engine crawlers, and backlink injection. Operators can customize deployments through a modular builder that supports tailored configurations, including evasion options for specific antivirus products such as Norton. Talos observed this activity worldwide from at least September 2021 through early 2026.
Investigation
Talos examined PDB paths, builder components, and authentication logic to reconstruct the malware’s development history and operational model. Researchers found that a dedicated builder creates configuration files, JavaScript redirectors, and PHP backlink payloads, while encoding command-and-control addresses with a single-byte XOR key of 0x3. The malware authenticates to its C2 by checking for the response string lwxat and uses a custom Base64 scheme for data handling. Talos also uncovered related service installers and dropper tools that shared the same code base and design patterns.
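As an added illustration of the single-byte XOR step described above (this is not Talos code or the builder's own logic), the snippet below decodes a constructed configuration blob whose C2 addresses are stored XORed with 0x03, and locates such strings by searching for the encoded form of a known prefix. The blob, the URLs and the `http://` marker are all constructed assumptions.

```python
# Added example (not Talos code): recover C2 addresses that a BadIIS-style
# builder stored XORed with the single-byte key 0x03. Because single-byte XOR
# is symmetric, the same routine encodes and decodes. To find encoded strings
# inside an opaque blob, search for the XORed form of a plaintext prefix such
# as b"http://" and extend the run while the decoded bytes stay printable.
# All sample data is constructed for illustration.

XOR_KEY = 0x03


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply the single-byte XOR (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def find_xored_strings(blob: bytes, marker: bytes, key: int = XOR_KEY) -> list:
    """Return every decoded run in `blob` that starts with `marker`.

    Each run ends at the first byte that decodes to non-printable ASCII,
    which is where a builder's padding or null terminator would sit.
    """
    encoded_marker = xor_bytes(marker, key)
    hits = []
    start = blob.find(encoded_marker)
    while start != -1:
        end = start
        while end < len(blob) and 0x20 <= (blob[end] ^ key) < 0x7F:
            end += 1
        hits.append(xor_bytes(blob[start:end], key).decode("ascii"))
        start = blob.find(encoded_marker, end)
    return hits


# Constructed blob: two hypothetical C2 URLs, XORed with 0x03 and separated
# by null padding the way a builder might lay out its config section.
SAMPLE_C2 = ["http://c2-a.example.invalid:8080/x", "http://c2-b.example.invalid/cfg"]
SAMPLE_BLOB = (b"\x00" * 4 + xor_bytes(SAMPLE_C2[0].encode())
               + b"\x00" * 8 + xor_bytes(SAMPLE_C2[1].encode()) + b"\x00" * 4)

if __name__ == "__main__":
    for url in find_xored_strings(SAMPLE_BLOB, b"http://"):
        print("decoded C2:", url)
```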
Mitigation
ClamAV and Snort provide signature-based detections for this BadIIS family. Defenders should monitor for the custom user-agent lwxatisme and the Windows service name Winlogin, as both can serve as early warning indicators. IIS hardening should include restricting installation of unapproved services, auditing IIS module registrations, and blocking outbound traffic to known malicious infrastructure. Keeping antivirus signatures up to date with the latest BadIIS variants can further reduce exposure.
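The two early warning indicators named above, turned into a small detection pass over constructed sample data (added here; not a Talos, ClamAV or Snort rule). The proxy log layout, the event dictionaries and every host, IP and path value are constructed assumptions.

```python
# Added example (not a vendor rule): flag the BadIIS user-agent "lwxatisme"
# in proxy logs and the service name "Winlogin" in service-install events.
# The Squid-like log layout and all sample values below are constructed.
import re

BADIIS_USER_AGENT = "lwxatisme"
BADIIS_SERVICE_NAME = "Winlogin"

# Constructed layout: timestamp client method url "user-agent"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def find_badiis_user_agent(lines):
    """Return (client, url) for each line whose user-agent is lwxatisme.

    The comparison is exact after case folding: the indicator is the whole
    user-agent string, so a substring match is not needed and would widen
    the rule unnecessarily.
    """
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if m and m.group("ua").strip().lower() == BADIIS_USER_AGENT:
            hits.append((m.group("client"), m.group("url")))
    return hits


def find_badiis_service(events):
    """Return image paths of service-install events (System log EventID 7045)
    whose ServiceName equals Winlogin, case-insensitively. Exact matching keeps
    the legitimate, differently spelled winlogon out of the results."""
    return [e["ImagePath"] for e in events
            if e.get("EventID") == 7045
            and e.get("ServiceName", "").lower() == BADIIS_SERVICE_NAME.lower()]


SAMPLE_PROXY_LOG = [  # constructed
    '2026-01-14T10:01:02Z 10.0.0.5 GET http://c2.example.invalid/conf "lwxatisme"',
    '2026-01-14T10:01:03Z 10.0.0.7 GET https://update.example.invalid/ "Mozilla/5.0"',
    '2026-01-14T10:01:04Z 10.0.0.5 POST http://c2.example.invalid/up "LWXATISME"',
]
SAMPLE_SERVICE_EVENTS = [  # constructed
    {"EventID": 7045, "ServiceName": "Winlogin", "ImagePath": r"C:\Windows\Temp\svc.exe"},
    {"EventID": 7045, "ServiceName": "wuauserv", "ImagePath": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7036, "ServiceName": "Winlogin", "ImagePath": ""},  # state change, not install
]

if __name__ == "__main__":
    print("user-agent hits:", find_badiis_user_agent(SAMPLE_PROXY_LOG))
    print("service hits:", find_badiis_service(SAMPLE_SERVICE_EVENTS))
```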
Response
If BadIIS activity is discovered, responders should isolate the affected IIS server and stop the malicious Windows service. Configuration files and PDB artifacts should be collected and reviewed to determine the exact build variant in use. Associated command-and-control domains or IP addresses should be blocked, and compromised DLLs should be removed so legitimate IIS modules can be restored. Detection updates should also be shared with trusted industry peers to improve broader defensive coverage.
Attack Flow
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    %% Node definitions
    initial_access["<b>Technique</b> – <b>T1659 Content Injection</b><br/><b>Description</b>: Attacker injects malicious content into legitimate web resources to obtain initial access."]
    class initial_access action
    persistence["<b>Technique</b> – <b>T1036 Masquerading</b><br/><b>Description</b>: Modifies IIS globalModules to load malicious DLLs, disguising them as legitimate components for persistence and defense evasion."]
    class persistence action
    defacement["<b>Technique</b> – <b>T1491 Defacement</b><br/><b>Description</b>: Injects malicious content into web pages to alter their appearance and display attacker-controlled messages."]
    class defacement action
    c2["<b>Technique</b> – <b>T1659 Content Injection</b><br/><b>Description</b>: Command and control channel where the builder authenticates using the string 'lwxat' and retrieves configuration data."]
    class c2 action
    execution["<b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b><br/><b>Description</b>: Delivers malicious JavaScript redirects and PHP backlink scripts via crafted links that victims execute."]
    class execution action
    impact_resource["<b>Technique</b> – <b>T1496 Resource Hijacking</b><br/><b>Description</b>: Uses injected SEO fraud and backlink manipulation to steal resources and generate illicit revenue."]
    class impact_resource action
    impact_bandwidth["<b>Technique</b> – <b>T1496.002 Bandwidth Hijacking</b><br/><b>Description</b>: Redirects traffic through a reverse proxy to hijack bandwidth and serve search engine crawlers with malicious payloads."]
    class impact_bandwidth action
    %% Connections showing attack flow
    initial_access -->|leads_to| persistence
    persistence -->|leads_to| defacement
    defacement -->|leads_to| c2
    c2 -->|leads_to| execution
    execution -->|leads_to| impact_resource
    impact_resource -->|leads_to| impact_bandwidth
Detections
- Suspicious AppCmd Activity (via cmdline)
- Possible Windows Service Being Added Manually To Autostart (via cmdline)
- System Processes Execution from Untypical Paths (via process_creation)
- Detection of BadIIS Malware with Custom User-Agent [Proxy]
- BadIIS PDB Path Detection [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique designed to trigger the detection rule. The commands and narrative directly produce the telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker who has gained limited user rights copies a malicious DLL bundle onto the compromised host. The bundle includes three PDB files placed in locations historically used by BadIIS samples. By creating these files, the attacker leaves a forensic artifact that the Sigma rule watches for. The attacker uses the standard PowerShell cmdlet Copy-Item to drop the files, avoiding any additional tool signatures.
Regression Test Script:
# BadIIS PDB Path Simulation – triggers the Sigma rule
$paths = @(
    "C:\Users\Administrator\Desktop\2021-09-30\x64\Release\demo.pdb",
    "C:\Users\Administrator\Desktop\dll-no503\Release\demo.pdb",
    "C:\Users\Administrator\Desktop\兼容百度浏览器+劫持robots.txt\x64\Release\demo.pdb"
)
foreach ($p in $paths) {
    # Create the parent directory tree if it does not already exist
    $dir = Split-Path $p -Parent
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
    # Create the empty PDB file at the path the rule watches for
    New-Item -Path $p -ItemType File -Force | Out-Null
}
Write-Host "BadIIS PDB files created – detection should fire."
Cleanup Commands:
# Remove the simulated BadIIS PDB files and directories
$paths = @(
    "C:\Users\Administrator\Desktop\2021-09-30",
    "C:\Users\Administrator\Desktop\dll-no503",
    "C:\Users\Administrator\Desktop\兼容百度浏览器+劫持robots.txt"
)
foreach ($base in $paths) {
    if (Test-Path $base) {
        Remove-Item -Path $base -Recurse -Force
    }
}
Write-Host "Cleanup complete."