From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
ID: 33e106dc-9920-537c-87f5-cd6ec699e9e8
STIX ID: report--33e106dc-9920-537c-87f5-cd6ec699e9e8
Feed Name: Cisco Talos
Threat Score
Talos describes a sustained, actively maintained BadIIS malware variant (marked by "demo.pdb" PDB paths) used in global SEO-fraud campaigns against IIS web servers; the report details a modular builder, service-based installers and droppers, persistence and evasion techniques, PDB-derived attribution to the developer alias "lwxat" (and a client "xshen"), multi-year development (2021–2026), and includes IOCs and detection signatures.
