More than 1,800 Windows servers have been quietly compromised in a sprawling malware campaign that turns legitimate websites into tools for search engine manipulation.
The operation leverages a sophisticated strain known as BADIIS to infect Microsoft Internet Information Services (IIS) environments, allowing threat actors to monetize trusted infrastructure without disrupting normal operations.
“We found … large-scale SEO poisoning campaigns targeting IIS servers with BADIIS malware globally, impacting over 1,800 Windows servers,” said Elastic researchers.
Inside the BADIIS Campaign
The campaign has impacted a broad cross-section of organizations, including government agencies, educational institutions, and financial services firms.
Unlike traditional attacks that deface websites, deploy ransomware, or steal sensitive data, this operation is designed for quiet monetization.
Instead of interrupting services, attackers leverage compromised servers to manipulate search engine rankings.
According to Elastic’s analysis, the malware enables large-scale SEO poisoning campaigns that promote illicit gambling platforms and fraudulent cryptocurrency sites.
By abusing the authority of legitimate domains, threat actors can boost the visibility of malicious content in search results while avoiding the operational noise that triggers a response.
How BADIIS Embeds Into IIS
A key factor in the campaign’s effectiveness is the design of the BADIIS malware itself. Rather than executing as a standalone malicious process, BADIIS is implemented as a native IIS module.
This allows it to embed directly into the IIS worker process, where it operates as part of the web server’s core functionality.
Running inside a legitimate and trusted process provides both persistence and camouflage, making the activity harder to distinguish from normal server operations.
Once installed, the malware intercepts and evaluates HTTP traffic in real time.
It examines incoming requests and inspects HTTP headers, specifically looking for User-Agent strings associated with search engine crawlers.
When a crawler is identified, BADIIS dynamically injects SEO keywords and backlinks into the server’s response.
These injected elements artificially inflate the ranking of attacker-controlled websites, effectively turning compromised servers into ranking amplifiers for fraudulent platforms.
Cloaking and Evasion Techniques
For regular visitors or system administrators, however, the server behaves normally.
If the request does not match crawler characteristics, the malware delivers the original, unaltered content.
This split-view technique — referred to as cloaking — ensures that malicious modifications remain invisible to human operators.
Administrators reviewing their sites may see no anomalies, while search engines quietly index manipulated pages designed to redirect traffic or boost malicious domains.
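Because the module keys its behaviour on the User-Agent header, the cloaking described above can be checked for from the outside by requesting the same URL twice, once with a browser-like User-Agent and once with a crawler-like one, and comparing the links in the two responses. The following script is an added example, not code from the article or from Elastic; the sample HTML is constructed, the `.invalid` domains are placeholders, and the User-Agent strings are assumptions a tester would adjust.

```python
"""Detect search-engine cloaking by comparing the browser view and the
crawler view of one page. Added example; not from the article or Elastic."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a browser user agent receives.
NORMAL_HTML = """<html><head><title>City Library</title></head>
<body><h1>Opening hours</h1>
<a href="/catalog">Catalog</a>
<a href="https://www.example.org/events">Events</a>
<a href="https://partner.example.net/">Partner site</a>
</body></html>"""

# Constructed sample: the same page with a hidden block of backlinks that is
# served only when the request looks like a crawler.
CRAWLER_HTML = NORMAL_HTML.replace(
    "</body>",
    '<div style="display:none">'
    '<a href="https://bet-example.invalid/play">best online casino</a> '
    '<a href="https://coin-example.invalid/">double your crypto</a>'
    "</div></body>",
)


class _LinkExtractor(HTMLParser):
    """Collect href values of <a> tags; tolerant of malformed markup."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_hosts(html, own_host):
    """Return the set of hostnames linked from the page other than our own."""
    parser = _LinkExtractor()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname  # None for relative links
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def detect_cloaking(normal_html, crawler_html, own_host):
    """Flag external hosts that appear only in the crawler view of the page."""
    normal_hosts = external_hosts(normal_html, own_host)
    crawler_hosts = external_hosts(crawler_html, own_host)
    crawler_only = sorted(crawler_hosts - normal_hosts)
    return {
        "crawler_only_hosts": crawler_only,
        "size_delta": len(crawler_html) - len(normal_html),
        "suspicious": bool(crawler_only),
    }


def fetch(url, user_agent, timeout=10):
    """Fetch url with a chosen User-Agent (network access; not used in the
    constructed sample run below)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_live(url, crawler_ua="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"):
    """Compare a live URL as a browser and as a crawler. Run this from outside
    the server so the request passes through IIS like real traffic."""
    browser_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"  # assumed browser UA
    own_host = urlparse(url).hostname or ""
    return detect_cloaking(fetch(url, browser_ua), fetch(url, crawler_ua), own_host)


if __name__ == "__main__":
    print(detect_cloaking(NORMAL_HTML, CRAWLER_HTML, "www.example.org"))
```

Run `check_live("https://www.your-site.example/")` against each public page from a host outside the server; a non-empty `crawler_only_hosts` list is the signal to pull the IIS module list and configuration for review. The check is a heuristic: it only catches cloaking keyed on the User-Agent, which is the behaviour the article describes, and an operator that also keys on source IP ranges would not be caught from an arbitrary vantage point.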
BADIIS further strengthens its stealth capabilities by leveraging direct system calls to evade endpoint detection and response (EDR) hooks.
By bypassing common monitoring mechanisms used by security tools, the malware reduces the likelihood of behavioral detection.
Because it operates within a legitimate server process and avoids spawning suspicious child processes, many traditional security controls may not immediately flag its presence.
The campaign illustrates how exposed or unpatched IIS environments can be exploited to establish long-term persistence.
Hardening IIS Environments
Protecting IIS environments from threats like BADIIS requires more than basic patching and perimeter defenses.
Because some malware can integrate directly into legitimate server processes and operate without obvious disruption, organizations should adopt a layered security approach.
This includes maintaining strong configuration management practices, monitoring server behavior for anomalies, enforcing strict access controls, and applying appropriate network restrictions to reduce the potential impact of compromise.
- Regularly audit IIS modules and configurations to identify unsigned, unfamiliar, or unauthorized components, and implement application allowlisting to prevent malicious modules from loading.
- Keep all Windows Server and IIS systems fully patched, remove unnecessary features or modules, and harden configurations to reduce overall attack surface.
- Monitor IIS worker processes for unusual behavior, including unexpected DLL loads, anomalous outbound connections, abnormal HTTP responses, or suspicious system call patterns.
- Deploy file integrity monitoring on IIS configuration files and critical system paths to detect unauthorized changes that may indicate persistence mechanisms.
- Restrict and secure administrative access with MFA, least privilege, and just-in-time access controls, while disabling legacy authentication protocols where possible.
- Segment web servers from sensitive internal systems and restrict outbound internet access to only approved destinations to limit lateral movement and monetization activity.
- Regularly test incident response plans through tabletop exercises that include web server compromise and SEO poisoning scenarios.
These steps help limit lateral movement, reduce the potential blast radius of a compromise, and strengthen organizational resilience against web server threats.
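The first and fourth items in the list above (auditing registered IIS modules and watching the IIS configuration files) can be started with a script that parses applicationHost.config, lists every native module in `<globalModules>`, and flags entries that are absent from a baseline or whose DLL lives outside the IIS installation directory. The script below is an added example, not code from the article or from Elastic; the XML snippet and the `SeoHelperModule` entry are constructed, and `KNOWN_GOOD` is a hypothetical allowlist you would capture from a known-good server.

```python
"""Audit the native (global) modules registered in an IIS applicationHost.config.
Added example; not from the article or Elastic."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Where IIS keeps its server-wide configuration.
APPHOST_PATH = r"C:\Windows\System32\inetsrv\config\applicationHost.config"
# Native modules that ship with IIS are loaded from this directory.
TRUSTED_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")

# Hypothetical baseline captured from a known-good server (constructed).
KNOWN_GOOD = {"HttpLoggingModule", "StaticFileModule", "DefaultDocumentModule"}

# Constructed sample config: three stock modules plus one unfamiliar entry
# loaded from a writable directory.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="SeoHelperModule" image="C:\inetpub\temp\seohelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def load_global_modules(config_xml):
    """Return [{name, image}] for every native module registered server-wide."""
    root = ET.fromstring(config_xml)
    modules = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            modules.append({"name": add.get("name", ""), "image": add.get("image", "")})
    return modules


def expand_image(image):
    """Expand the environment variables IIS uses in image paths. Assumed to be
    %windir% / %SystemRoot% on a default install; adjust for your config."""
    return re.sub(r"%(windir|systemroot)%", r"C:\\Windows", image, flags=re.IGNORECASE)


def audit_modules(config_xml, baseline):
    """Flag modules not in the baseline or loaded from outside TRUSTED_DIR."""
    findings = []
    for m in load_global_modules(config_xml):
        reasons = []
        if m["name"] not in baseline:
            reasons.append("name not in baseline")
        if PureWindowsPath(expand_image(m["image"])).parent != TRUSTED_DIR:
            reasons.append("image outside " + str(TRUSTED_DIR))
        if reasons:
            findings.append({"name": m["name"], "image": m["image"], "reasons": reasons})
    return findings


def audit_file(path=APPHOST_PATH, baseline=KNOWN_GOOD):
    """Audit the live configuration file on a server (run as an administrator)."""
    with open(path, encoding="utf-8-sig") as f:
        return audit_modules(f.read(), baseline)


if __name__ == "__main__":
    for finding in audit_modules(SAMPLE_CONFIG, KNOWN_GOOD):
        print(finding)
```

A flagged entry is a lead, not a verdict: confirm it by checking the DLL's Authenticode signature (for example with PowerShell's `Get-AuthenticodeSignature`) and by hashing the file against the vendor's known build. The same parsing should be extended to the managed `<modules>` section and to site-level web.config files, and the hash of applicationHost.config itself belongs in the file integrity monitoring the list recommends, since a new `<add>` line there is exactly the change a native-module implant needs to persist.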
Silent IIS Server Compromise
The BADIIS campaign highlights that not all server compromises result in outages or obvious signs of intrusion.
By embedding directly into trusted IIS processes and manipulating search engine traffic behind the scenes, attackers can quietly monetize legitimate infrastructure for extended periods of time.
Organizations running public-facing Windows servers should maintain visibility into core web components, enforce strong configuration management, and regularly validate security controls to limit exposure.
As threats continue to bypass traditional perimeter defenses, organizations are leveraging zero-trust solutions to reduce implicit trust and strengthen protection across critical systems.
