BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign
ID: 9cf9b66b-61d2-5838-9006-07f6efbe5b2a
STIX ID: report--9cf9b66b-61d2-5838-9006-07f6efbe5b2a
Feed Name: Elastic Security Labs
Elastic Security Labs observed a large, coordinated REF4033 (UAT-8099) SEO-poisoning campaign that installs BADIIS IIS native modules on Windows web servers (over 1,800 infected globally) to serve keyword-stuffed content to crawlers and redirect real users to gambling, pornography, and cryptocurrency phishing sites. The report documents the attack chain (CbsMsgApi.exe/.dll service persistence, module staging, configuration endpoints), the infrastructure and IoCs, and detection and remediation notes.