
UAT-8099


UAT-8099 is a Chinese-speaking cybercrime group primarily engaged in SEO fraud and the theft of high-value credentials, configuration files, and certificate data from vulnerable IIS servers. They utilize web shells and PowerShell to deploy the GotoHTTP tool for remote access, while also employing techniques such as DLL sideloading and RDP for persistence. The group has been observed using BadIIS variants for SEO manipulation and executing reconnaissance commands to gather system information. Additionally, they create hidden accounts and utilize VPN tools to maintain long-term access to compromised systems.


Associated Families

There are currently no families associated with this actor.


References
2026-01-29 | Cisco Talos | Joey Chen
Dissecting UAT-8099: New persistence mechanisms and regional focus
Tags: UAT-8099

2025-10-02 | Cisco Talos | Joey Chen
UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud
Tags: Cobalt Strike, IISpy, UAT-8099

Credits: MISP Project