BadIIS Malware Hijacks IIS Servers, Redirecting to Il
BadIIS malware has emerged as a significant threat, actively targeting Internet Information Services (IIS) web servers. This malicious software quietly hijacks compromised servers, subsequently redirecting unsuspecting visitors to a range of illicit online destinations, including illegal gambling sites and adult content platforms. For a deeper understanding of this malware’s operations, a
BadIIS works by planting a malicious module inside the IIS server software that runs quietly in the background. Once installed, it intercepts web traffic flowing through the compromised server and silently reroutes visitors without them knowing.
The server continues to look normal from the outside, making detection far more difficult for administrators and security teams.
Researchers at Cisco Talos identified a specific BadIIS variant distinguishable by embedded “demo.pdb” strings, which revealed that the malware functions as a commodity tool likely sold or shared across multiple Chinese-speaking cybercrime groups.
According to a report shared with Cyber Security News (CSN), Cisco Talos assessed with moderate confidence that this variant operates under a Malware-as-a-Service (MaaS) model, enabling continuous monetization by the developer.
The investigation revealed that the malware has been in active development since at least September 2021, with the latest compiled sample dating to January 6, 2026.
Rapid iterative updates, feature branching, and reactive evasion tactics targeting specific security vendors like Norton confirmed the tool remains under active maintenance.
Talos also observed attacks across the Asia-Pacific region, South Africa, Europe, and North America, demonstrating how far the campaign has spread.
The attacker behind the campaign operates under the alias “lwxat,” a handle embedded throughout the builder tool, authentication mechanisms, and even in live HTTP user-agent strings during active malware communications.
PDB path artifacts further pointed to a customized build tailored for a specific client, indicating this BadIIS variant was purpose-built for certain customers and reinforcing the MaaS business model.
BadIIS Malware Hijacks IIS Servers
The core functionality of BadIIS centers on a dedicated builder tool that threat actors use to generate custom configuration files, JavaScript redirectors, and PHP backlink scripts, then inject those parameters directly into BadIIS binaries.
The builder offers four main capabilities: traffic redirection to illicit sites, reverse proxying for search engine crawler manipulation, full content hijacking of the compromised website, and internal and external backlink injection for malicious SEO fraud.
Custom site hijacking version that redirects users based on browser language (Source – Cisco Talos)
Traffic redirection is handled by injecting JavaScript-based redirectors into the victim’s browser session, forcibly sending legitimate users to spam infrastructure such as illegal gambling platforms and adult content websites.
For search engine crawlers, BadIIS acts as a reverse proxy, fetching illicit content from the attacker’s command-and-control backend and serving it as though it belongs to the legitimate website.

The content hijacking feature even allows threat actors to configure what percentage of traffic gets affected and dynamically pull malicious title, description, and keyword metadata from a remote URL.
A MaaS Ecosystem Built for Scale
Beyond the core BadIIS binary, Cisco Talos discovered a full suite of auxiliary tools developed by the same author, including service-based installers, dropper components, and persistence mechanisms.
These tools ensure that BadIIS automatically revives itself every time the compromised IIS server restarts, making manual cleanup far more difficult.
The malware uses custom Base64 encoding and single-byte XOR obfuscation to conceal command-and-control server addresses from security scanners.
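As an added illustration (not code from the Talos report and not the malware's own routine), the following Python shows how an analyst would peel back the two layers the article describes: a Base64 variant with a non-standard alphabet, then a single-byte XOR. Everything in it is constructed: the placeholder C2 URL, the "custom" alphabet (the standard one rotated by 13 positions) standing in for whatever alphabet the real sample uses, the key 0x5A, and the assumed layer order (Base64 first, XOR second). The real alphabet and order must be lifted from the sample's decoding routine.

```python
import base64
import string

# Standard Base64 alphabet and a constructed "custom" one (standard rotated
# by 13). The real BadIIS alphabet is not on the page; an analyst would
# recover it from the sample's decoder and pass it to recover_c2().
STD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                + string.digits + "+/").encode()
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# Constructed placeholder C2 address and XOR key (assumptions for illustration).
PLACEHOLDER_C2 = b"http://c2.example.invalid/api"
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte of data."""
    return bytes(b ^ key for b in data)


def custom_b64encode(data: bytes, alphabet: bytes) -> bytes:
    """Standard Base64, then remap the 64 symbols onto the custom alphabet."""
    return base64.b64encode(data).translate(bytes.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(data: bytes, alphabet: bytes) -> bytes:
    """Map the custom alphabet back to the standard one, then decode strictly."""
    return base64.b64decode(
        data.translate(bytes.maketrans(alphabet, STD_ALPHABET)), validate=True)


def build_sample_blob() -> bytes:
    """Produce the constructed obfuscated blob: custom Base64, then XOR."""
    return xor_bytes(custom_b64encode(PLACEHOLDER_C2, CUSTOM_ALPHABET), SAMPLE_KEY)


def recover_c2(blob: bytes, alphabet: bytes) -> list[tuple[int, bytes]]:
    """Brute-force all 256 XOR keys and keep only candidates that are
    well-formed custom Base64 and decode to something URL-shaped."""
    allowed = set(alphabet) | {ord("=")}
    hits = []
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if not set(candidate) <= allowed:
            continue  # wrong key: bytes fall outside the alphabet
        try:
            decoded = custom_b64decode(candidate, alphabet)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith((b"http://", b"https://")):
            hits.append((key, decoded))
    return hits


if __name__ == "__main__":
    for key, url in recover_c2(build_sample_blob(), CUSTOM_ALPHABET):
        print(f"key=0x{key:02x} -> {url.decode()}")
```

The alphabet check discards almost every wrong key before any decoding is attempted, so the search is cheap even on large configuration blobs; the URL-prefix filter is what separates the genuine key from the handful of keys that happen to produce alphabet-only output.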
Installation workflow (Source – Cisco Talos)
One of the persistence tools impersonates legitimate Windows services such as FaxService or AudiosService to avoid raising suspicion during routine security checks.
Another tool acts as a module initialization dropper, packaging the malicious DLL payloads within a standalone executable labeled “IIS32” and “IIS64” inside its resources.
Together, these components form a modular, scalable ecosystem designed for sustained access and continuous revenue.
Server administrators are strongly advised to regularly audit installed IIS modules and review the IIS server’s applicationHost.config file for unknown or unauthorized entries.
Monitoring for unexpected outbound connections from web servers and keeping security products updated to detect BadIIS-specific signatures will also help reduce exposure to this threat.
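One way to make the applicationHost.config audit above repeatable, written here as an added Python example (not a Microsoft or Talos tool): parse the `globalModules` section and flag any entry whose name is missing from a baseline of stock modules or whose DLL is loaded from outside the IIS native-module directory. The config fragment, the suspicious entry and the short baseline are all constructed; a real audit would compare against a baseline captured from a clean install of the same IIS version.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment (not taken from a real server):
# three stock Microsoft modules plus one entry loaded from an unexpected path.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="CompressionHelper" image="C:\inetpub\temp\comphelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory where IIS's own native modules live; both spellings are accepted.
# PureWindowsPath compares case-insensitively, so mixed case is fine.
TRUSTED_DIRS = {
    PureWindowsPath(r"%windir%\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
}

# Constructed subset of stock module names used as the baseline.
KNOWN_MODULES = {
    "StaticFileModule", "DefaultDocumentModule", "RequestFilteringModule",
    "HttpLoggingModule", "AnonymousAuthenticationModule", "DirectoryListingModule",
}


def audit_global_modules(config_xml: str) -> list[dict]:
    """Return one finding per globalModules entry that is not in the baseline
    or whose DLL lives outside the IIS native-module directory."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() rather than an XPath, because "system.webServer" contains a dot
    # that ElementPath would treat as an operator.
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            reasons = []
            if name not in KNOWN_MODULES:
                reasons.append("name not in baseline")
            if PureWindowsPath(image).parent not in TRUSTED_DIRS:
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # On a live server, read %windir%\System32\inetsrv\config\applicationHost.config
    # instead of the constructed sample.
    for f in audit_global_modules(SAMPLE_CONFIG):
        print(f"{f['name']}: {f['image']} ({', '.join(f['reasons'])})")
```

A module that passes both checks can still be malicious if the attacker overwrote a stock DLL in place, so pairing this audit with a hash or signature check of each image path is the natural next step.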
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Malware Signature | Win.Malware.BadIIS-10069981-0 | ClamAV signature detecting BadIIS threat |
| Malware Signature | Win.Malware.BadIIS-10069988-0 | ClamAV signature detecting BadIIS threat |
| Malware Signature | Win.Malware.BadIIS-10069984-0 | ClamAV signature detecting BadIIS threat |
| Malware Signature | Win.Malware.BadIIS-10069985-0 | ClamAV signature detecting BadIIS threat |
| SNORT Rule (SID) | 1:66400, 1:66439, 1:66438 | Snort2 rules detecting and blocking BadIIS traffic |
| SNORT Rule (SID) | 1:66400, 1:301498-1 | Snort3 rules detecting and blocking BadIIS traffic |
| PDB String | demo.pdb | Embedded string identifying the BadIIS MaaS variant |
| PDB String / Actor Alias | lwxat | Threat actor alias embedded in builder, config, and HTTP user-agent strings |
| File Name | IIS32 / IIS64 | BadIIS DLL payloads named inside dropper resource |
| File Name | config.txt | Configuration file read by BadIIS service installer |
| File Name | module.txt | Staging file used to temporarily store IIS modules list |
| Windows Service Name | Winlogin | Fake Windows service name used for persistence by installer tool |
| User-Agent String | lwxatisme | Custom HTTP user-agent string used during C2 communications |
| Builder Artifact | “demo.pdb” folder path pattern | C:\Users\Administrator\Desktop build paths revealing developer environment |
| Folder Name | dll-no904 | Troubleshooting build directory identified in PDB paths |
| Config Tag | lwxat (xshen alias) | PDB path string referencing client-customized build for “xshen” |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.