BadIIS MaaS Hijacks Microsoft IIS Servers, Talos Warns
Cisco Talos found that a BadIIS malware variant marked by the embedded ‘demo.pdb’ string is being sold as malware-as-a-service to Chinese-language cybercrime groups, which use it to hijack IIS servers, redirect traffic and run SEO fraud.
Cisco Talos reports that a BadIIS malware variant identified by the embedded ‘demo.pdb’ string is being sold as malware-as-a-service to Chinese-language cybercrime groups. Operators use the package to hijack Microsoft Internet Information Services (IIS) servers, alter hosted content and redirect visitor traffic to monetized or illicit destinations.
Talos’ analysis says the toolset includes builder utilities, persistence mechanisms and anti-detection features developed over several years. The malware author issues frequent updates to add capabilities and to evade specific security products. The package is available commercially, which reduces the technical skill required to deploy large-scale attacks against IIS hosts.
In observed campaigns, operators modify server responses and inject silent redirects that funnel visitors to affiliate networks or fraud pages. The activity also includes manipulation of search engine results and use of reverse proxying to conceal redirection chains. Multiple unrelated actors can access identical or slightly modified versions of the same package and deploy them across different targets.
Talos recommends defenders concentrate hunting and monitoring on IIS environments. Teams should look for unexpected outbound redirects, evidence of reverse proxying on servers that should not proxy traffic, and sudden spikes in “503 Service Unavailable” responses. Investigators are advised to search binaries and file systems for the ‘demo.pdb’ string and Chinese-language folder paths associated with the malware. Talos provided indicators of compromise and file hashes for integration into defensive platforms.
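The three hunts Talos describes (the ‘demo.pdb’ string and Chinese-language folder paths in binaries, reverse proxying on servers that should not proxy, and 503 spikes) can be run offline against artifacts pulled from a suspect host. The script below is an added example written for this article; it is not code from Talos, from the report, or from the malware author. It assumes you have copied the IIS module DLLs, `applicationHost.config` and the W3C log files off the server. The binary, config fragment and log lines embedded here are constructed for illustration; the PDB path is read from the PE CodeView (RSDS) record layout, the GBK fallback reflects the assumption that Chinese-locale builds emit non-UTF-8 paths, and the `system.webServer/proxy` element is where ARR stores its proxy switch (treat the rewrite-rule check as an assumption about how a given deployment proxies).

```python
import re
import struct
import xml.etree.ElementTree as ET
from collections import Counter

# 1. PDB path triage. A PE's CodeView debug record is laid out as
#    b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
CJK = re.compile(r"[\u4e00-\u9fff]")

def extract_pdb_paths(blob):
    """Return every PDB path carried in RSDS records inside blob."""
    paths, pos = [], blob.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = blob.find(b"\x00", start)
        if end == -1:
            break
        raw = blob[start:end]
        for codec in ("utf-8", "gbk"):  # assumption: Chinese-locale toolchains emit GBK paths
            try:
                paths.append(raw.decode(codec))
                break
            except UnicodeDecodeError:
                pass
        pos = blob.find(b"RSDS", end)
    return paths

def classify_pdb_path(path):
    """Flag the two traits Talos calls out: a demo.pdb name and CJK folder components."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return {"path": path, "demo_pdb": name == "demo.pdb", "cjk_folder": bool(CJK.search(path))}

# 2. Reverse-proxy indicators in applicationHost.config (ARR keeps its switch at
#    system.webServer/proxy; outbound Rewrite actions with absolute URLs are a proxy/redirect hint).
def reverse_proxy_indicators(apphost_xml):
    root = ET.fromstring(apphost_xml)
    proxy = root.find(".//proxy")
    enabled = proxy is not None and proxy.get("enabled", "false").lower() == "true"
    targets = [a.get("url") for a in root.iter("action")
               if a.get("type") == "Rewrite" and a.get("url", "").lower().startswith("http")]
    return {"arr_proxy_enabled": enabled, "rewrite_targets": targets}

# 3. 503 spikes in W3C extended logs, honouring the #Fields header so column order does not matter.
def parse_w3c(lines):
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def find_503_spikes(lines, threshold=5):
    """Count sc-status 503 per minute; return the minutes at or above threshold."""
    per_minute = Counter()
    for row in parse_w3c(lines):
        if row.get("sc-status") == "503":
            per_minute[f"{row['date']} {row['time'][:5]}"] += 1
    return {m: n for m, n in sorted(per_minute.items()) if n >= threshold}

# Constructed samples (not real artifacts): a fake module with an RSDS record, an ARR config, a log.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 40
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + "D:\\工作\\iis\\x64\\Release\\demo.pdb".encode("gbk") + b"\x00"
    + b"\x00" * 16
)
SAMPLE_APPHOST = """<configuration>
  <system.webServer>
    <proxy enabled="true" />
    <rewrite><rules><rule name="redir">
      <match url=".*" /><action type="Rewrite" url="http://198.51.100.10/{R:0}" />
    </rule></rules></rewrite>
  </system.webServer>
</configuration>"""
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus time-taken",
    "2024-05-01 10:00:01 10.0.0.5 GET /index.html - 80 203.0.113.7 200 0 12",
    "2024-05-01 10:00:09 10.0.0.5 GET /products - 80 203.0.113.8 503 0 3",
    "2024-05-01 10:00:40 10.0.0.5 GET /about - 80 203.0.113.9 200 0 8",
] + [
    f"2024-05-01 10:01:{s:02d} 10.0.0.5 GET /products - 80 203.0.113.{20 + s} 503 0 2"
    for s in range(6)
] + [
    "2024-05-01 10:02:15 10.0.0.5 GET /index.html - 80 203.0.113.7 200 0 11",
]

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE_BINARY):
        print(classify_pdb_path(p))
    print(reverse_proxy_indicators(SAMPLE_APPHOST))
    print(find_503_spikes(SAMPLE_LOG))
```

Run the PDB check over every DLL loaded as an IIS module (the module list from `applicationHost.config` is the place to start), and compare any rewrite targets against the hosts the server is actually meant to front; a proxy switch on a box that only serves static content is the finding Talos describes. The 503 threshold is per minute and should be tuned against the site's normal error rate before it is used for alerting.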
The report notes that current malware-as-a-service ecosystems commonly offer builders, control panels and support channels that let lower-skill actors run campaigns that once required specialized development. In this case, the BadIIS package pairs multi-year development with active support from its author, making the tool broadly usable by multiple criminal groups.
“Because this BadIIS variant is sold as a commodity tool, it lowers the barrier to entry for cybercriminals, leading to widespread attacks that silently hijack server traffic without triggering obvious alarms,” Talos wrote. The company urged organizations running IIS to audit exposed servers for unauthorized content changes, review proxy configurations and update endpoint detection tools to catch recent evasion techniques.