BadIIS demo.pdb toolkit linked to lwxat sold as MaaS

Cisco Talos found a BadIIS toolkit marked by demo.pdb strings tied to author lwxat, marketed as malware-as-a-service and used for SEO fraud, content hijacking and reverse proxying.

Cisco Talos reported a BadIIS toolkit identifiable by embedded demo.pdb strings and linked to an author using the handle lwxat. The toolkit is being sold or shared as malware-as-a-service and has been used by Chinese-speaking cybercrime groups for search-engine optimization fraud, content hijacking and reverse proxy operations.

Talos analysts tied artifacts to development activity from at least September 2021 through January 6, 2026. Investigations of attacks using the demo.pdb variant began in 2024. Incidents were observed across the Asia-Pacific region with additional detections in South Africa, Europe and North America.

Researchers recovered a builder application that generates ready-to-deploy BadIIS binaries and supporting files. The builder produces configuration files, JavaScript redirectors and PHP backlink scripts, and injects parameters into 32-bit and 64-bit BadIIS payloads that operators stage alongside the builder. The recovered builder bears a version label of 1.0 and shows a compilation timestamp from August 22, 2022; later samples include a January 6, 2026 compilation.

The builder workflow creates a config.txt and attempts to authenticate with a command-and-control server by checking for the response string ‘lwxat’; the build process continues even if that check fails. Command-and-control addresses are obfuscated with a single-byte XOR using key 0x3 before embedding in the final binary. Several samples were observed using the custom user-agent string lwxatisme during HTTP communications.
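Two of the indicators above lend themselves to simple, defender-side tooling: the single-byte XOR (key 0x3) on embedded C2 addresses can be reversed over a whole file image, and the lwxatisme user-agent can be matched in web-server logs. The Python below is an added example, not Talos' code or any part of the toolkit; the file image and log lines it processes are constructed for illustration.

```python
"""Helpers for the BadIIS/lwxat indicators described in the Talos write-up."""
import re

XOR_KEY = 0x03               # single-byte XOR key applied to embedded C2 addresses
SUSPICIOUS_UA = "lwxatisme"  # custom user-agent string seen in several samples

# Decoded runs treated as candidate C2 addresses: a URL, or a bare IPv4 with optional port.
_C2_PATTERN = re.compile(
    rb"https?://[\x21-\x7e]{4,}"
    rb"|(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?!\d)"
)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Symmetric single-byte XOR: the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_c2_strings(blob: bytes, key: int = XOR_KEY) -> list[str]:
    """XOR the whole image with the key and pull out URL- or IP-shaped runs.

    Plaintext regions (imports, headers) turn into junk after the XOR and almost
    never form a valid URL or dotted quad, so the pattern acts as the filter.
    A null terminator becomes 0x03 after decoding, which ends each match cleanly.
    """
    decoded = xor_bytes(blob, key)
    return sorted({m.group(0).decode("ascii") for m in _C2_PATTERN.finditer(decoded)})


def find_suspicious_user_agents(log_lines, ua: str = SUSPICIOUS_UA) -> list[str]:
    """Return log lines (IIS W3C, proxy, etc.) that carry the marker user-agent."""
    needle = ua.lower()
    return [line for line in log_lines if needle in line.lower()]


# Constructed sample file image: header bytes, legitimate import names, and two
# XOR-0x03 obfuscated C2 strings, each null-terminated as a compiler would store them.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00kernel32.dll\x00"
    + xor_bytes(b"http://c2.example.invalid/cfg.txt") + b"\x00"
    + xor_bytes(b"203.0.113.45:8080") + b"\x00"
    + b"GetProcAddress\x00"
)

# Constructed W3C-style IIS log entries; only the second carries the marker UA.
SAMPLE_LOG = [
    "2026-01-07 10:00:01 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200",
    "2026-01-07 10:00:05 GET /robots.txt - 80 - 198.51.100.9 lwxatisme 200",
    "2026-01-07 10:00:09 POST /api/login - 443 - 198.51.100.12 curl/8.4.0 401",
]

if __name__ == "__main__":
    print(recover_c2_strings(SAMPLE_BLOB))
    print(find_suspicious_user_agents(SAMPLE_LOG))
```

Run over a real sample, the same scan with a different key argument is a quick way to check whether a new build has rotated the XOR key.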

Program database paths and folder names recovered from samples reveal repeated versioning and feature branching. Folder names include Chinese labels such as 过诺顿 (bypass Norton) and 兼容百度浏览器+劫持robots.txt (compatible with Baidu browser + hijack robots.txt). One development folder references a client alias x神 and includes a build for full-site hijacking that redirects visitors based on browser language. Other branches address IIS 503 Service Unavailable errors and show a 2024 branch focused on network handling, possibly introducing raw TCP proxying.

Talos also identified auxiliary tools that share the same indicators. Those tools include service-based installers that impersonate system services like Winlogin and later drop secondary components registered as FaxService or AudiosService, a configuration-driven installer that reads an external config file and assembles commands to register malicious IIS modules, and a module-initialization dropper that packages BadIIS DLLs into executable resources named IIS32 and IIS64. The toolset uses custom Base64 encoding, including double Base64, copies payloads to active and hidden backup locations, and registers modules in IIS for persistence across restarts.

Cisco Talos published indicators of compromise and detection signatures on GitHub. ClamAV signatures listed include Win.Malware.BadIIS-10059971-0, Win.Malware.BadIIS-10059977-0, Win.Malware.BadIIS-10059984-0 and Win.Malware.BadIIS-10059985-0. Snort detection IDs include Snort2 SIDs 1:66400, 1:66399, 1:66398 and Snort3 SIDs 1:66400 and 1:301491.

Talos’ timeline and recovered code artifacts document repeated updates and targeted evasion attempts against security products, including explicit efforts to bypass specific antivirus detections.
