Cisco Talos Links BadIIS demo.pdb Builder to Chinese MaaS
Cisco Talos found a BadIIS variant marked by “demo.pdb” and a recovered builder tied to Chinese-language MaaS operators used for SEO fraud, redirects and content hijacking.
Cisco Talos recovered a builder and linked a BadIIS variant identified by embedded “demo.pdb” strings to Chinese-language malware-as-a-service operators. The components were used on compromised Microsoft IIS servers to run search engine optimization fraud, redirect users and hijack site content.
Analysis of program database (PDB) file paths and compilation timestamps shows development activity from at least Sept. 30, 2021 through Jan. 6, 2026. The author alias “lwxat” appears in multiple artifacts and a custom user-agent “lwxatisme” appears in live samples. Researchers observed campaigns using this tooling across the Asia-Pacific region and in smaller numbers in South Africa, Europe and North America, mainly since 2024.
Talos recovered a dedicated builder application that generates configuration files, payloads and JavaScript or PHP redirectors and injects parameters into BadIIS binaries. Operators must stage 32-bit and 64-bit BadIIS binaries alongside the builder; the tool then produces a config.txt and embeds settings into the final DLLs. The builder obfuscates command-and-control addresses with a single-byte XOR using key 0x3 and attempts to authenticate with a C2 server by checking for the response string “lwxat”.
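The single-byte XOR described above is trivially reversible, which is useful for defenders triaging a suspected BadIIS binary. The following Python helper is an added example, not Talos's tooling or the builder's code: it searches a sample for http(s) URLs that only appear after XOR with key 0x3, decodes them, and flags the plaintext “lwxat” family strings. The sample blob and the C2 hostname are constructed placeholders, not real indicators.

```python
import re

XOR_KEY = 0x03                              # single-byte key Talos reports for the builder
AUTHOR_MARKERS = (b"lwxatisme", b"lwxat")   # live user-agent string and C2 auth response

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)

def _decode_run(blob: bytes, start: int, key: int) -> str:
    """Decode forward from `start` until the decoded byte stops looking like URL text."""
    out = bytearray()
    for b in blob[start:]:
        c = b ^ key
        if not 0x21 <= c <= 0x7E:           # NUL terminator, padding or binary ends the run
            break
        out.append(c)
    return out.decode("ascii")

def find_xor_urls(blob: bytes, key: int = XOR_KEY) -> list:
    """Decoded http(s) URLs whose XOR-encoded scheme prefix appears in `blob`."""
    hits = []
    for scheme in (b"http://", b"https://"):
        # encode the scheme rather than hard-coding it, so other keys can be tried
        pattern = re.escape(xor_bytes(scheme, key))
        for m in re.finditer(pattern, blob):
            hits.append(_decode_run(blob, m.start(), key))
    return hits

def find_markers(blob: bytes) -> list:
    """Plaintext strings from the 'lwxat' family that Talos tied to this author."""
    return [m.decode() for m in AUTHOR_MARKERS if m in blob]

def triage(blob: bytes) -> dict:
    """Summarise author markers and recovered C2 candidates for one sample."""
    return {"markers": find_markers(blob), "c2_candidates": find_xor_urls(blob)}

# Constructed sample: a fake PE-like blob with a plaintext user-agent marker and an
# XOR-0x3 obfuscated C2 URL (placeholder hostname, not a real indicator).
CONSTRUCTED_C2 = b"http://c2.placeholder.invalid/api.php"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"User-Agent: lwxatisme\x00"
    + xor_bytes(CONSTRUCTED_C2) + b"\x00"
    + b"config.txt\x00"
)
```

Running `triage()` over a real DLL exported from a compromised IIS host yields URL candidates to cross-check against the published IOC list; a hit on a different key value simply means the builder variant used another constant.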
The builder supports four primary functions: injecting JavaScript redirects to send legitimate visitors to spam or illicit sites; acting as a reverse proxy to serve malicious content to search engine crawlers; replacing on-site content with configurable injection rates and remote metadata for titles, descriptions and keywords; and inserting internal links and external backlinks to move domain authority to target pages.
Talos linked several supporting installers, droppers and persistence utilities to the same author through matching PDB patterns and the “lwxat” authentication marker. Observed installers register malicious modules as Windows services using names such as Winlogin, FaxService or AudiosService. Other tools parse XML-style config files to register DLLs in IIS global modules, and a module-initialization dropper contains IIS32 and IIS64 DLLs embedded in its resources. Some components use custom Base64 obfuscation or double Base64 encoding to hide command lines and server addresses.
PDB paths include Chinese folder names and date-based versioning that indicate feature branching and reactive updates. Examples in the paths include “兼容百度浏览器+劫持robots.txt” (compatible with Baidu browser and hijacking robots.txt), builds labeled “过诺顿” (bypass Norton), and a “dll-no503” branch likely created to avoid triggering IIS 503 Service Unavailable errors.
Cisco Talos published indicators of compromise and detection guidance and placed IOCs in a public GitHub repository. Published ClamAV signatures include Win.Malware.BadIIS-10059971-0, Win.Malware.BadIIS-10059977-0, Win.Malware.BadIIS-10059984-0 and Win.Malware.BadIIS-10059985-0. Snort detection SIDs listed include Snort2: 1:66400, 1:66399, 1:66398 and Snort3: 1:66400, 1:301491.
BadIIS is malware that targets Microsoft IIS by installing malicious modules or DLLs to intercept web traffic and alter server responses. In the observed campaigns, attackers use compromised servers to redirect users, serve spam or illegal content to search engine crawlers and inject backlinks that transfer domain reputation to external sites.