Cisco Talos Links ‘demo.pdb’ BadIIS to Chinese MaaS
Cisco Talos links BadIIS samples containing ‘demo.pdb’ paths to a Chinese‑language malware‑as‑a‑service used since Sept. 2021 for SEO fraud; researchers identified the handle “lwxat” and a builder.
Cisco Talos researchers identified a BadIIS variant marked by embedded “demo.pdb” program database paths that has been used since at least Sept. 30, 2021 to manipulate search engine indexing and redirect web traffic for profit. The analysis ties a developer handle, “lwxat,” to a dedicated builder and a set of deployment tools.
The samples examined focus on four core SEO‑fraud capabilities. The malware forces browser redirects to spam sites via injected JavaScript. It operates as a reverse proxy to serve illicit content to search engine crawlers. It hijacks site content and metadata to present malicious titles, descriptions and keywords. It adds internal and external backlinks to elevate external sites in search results.
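The content hijacking and crawler-only backlinks described above are visible from outside the server if you compare what a browser is served with what a crawler is served. The following Python is an added example, not code from Talos or from the report: it summarizes two views of the same page and reports differences in title, description, keywords and outbound link hosts. The two HTML documents, the hostnames and the function names are constructed for illustration.

```python
"""Compare the page a search-engine crawler receives with the page a
browser receives, to spot cloaking and metadata hijacking.  Added example,
not Talos code; both HTML documents below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageSummary(HTMLParser):
    """Collect the title, description/keywords meta tags and outbound hosts."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta = {}
        self.link_hosts = set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() in ("description", "keywords"):
            self.meta[a["name"].lower()] = a.get("content", "")
        elif tag == "a" and a.get("href"):
            host = urlsplit(a["href"]).netloc.lower()
            if host:
                self.link_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def summarize(html):
    p = PageSummary()
    p.feed(html)
    return p


def cloaking_diff(user_html, crawler_html, site_host):
    """Return what the crawler view changes relative to the visitor view.
    A changed title/meta or extra outbound hosts only the crawler sees are
    the SEO-fraud symptoms the article describes; an empty dict is clean."""
    u, c = summarize(user_html), summarize(crawler_html)
    diff = {}
    if u.title != c.title:
        diff["title"] = (u.title, c.title)
    for k in ("description", "keywords"):
        if u.meta.get(k) != c.meta.get(k):
            diff[k] = (u.meta.get(k), c.meta.get(k))
    extra = {h for h in c.link_hosts - u.link_hosts if h != site_host.lower()}
    if extra:
        diff["crawler_only_backlink_hosts"] = sorted(extra)
    return diff


# Constructed sample: what a browser gets vs what a crawler gets.
USER_VIEW = """<html><head><title>Acme Widgets</title>
<meta name="description" content="Industrial widgets since 1990">
</head><body><a href="https://example.com/about">About</a></body></html>"""

CRAWLER_VIEW = """<html><head><title>Cheap Online Casino Bonus</title>
<meta name="description" content="Best casino bonus codes">
<meta name="keywords" content="casino,bonus,slots">
</head><body><a href="https://example.com/about">About</a>
<a href="https://spam-site.example/bonus">bonus</a></body></html>"""

if __name__ == "__main__":
    for k, v in cloaking_diff(USER_VIEW, CRAWLER_VIEW, "example.com").items():
        print(k, v)
```

In practice the two views come from fetching the same URL twice from a vantage point outside the server, once with a browser User-Agent and once with a crawler User-Agent such as Googlebot's or Baiduspider's; a non-empty result is the cue to inspect the IIS module list on that host, since the malware proxies and rewrites only what the crawler sees.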
Talos tracked active development of the toolset from Sept. 30, 2021 through Jan. 6, 2026, based on the dates embedded in PDB paths. Infections and campaign activity were observed primarily across the Asia‑Pacific region, with additional sightings in South Africa, Europe and North America.
PDB folder patterns in compiled samples include Chinese‑language folder names, date‑based versioning and build conventions. Some paths reference a possible customer alias, “x神” (xshen), and include build labels such as “兼容百度浏览器+劫持robots.txt” (compatible with Baidu browser + hijacking robots.txt) and “过诺顿” (bypass Norton). Those strings appear in multiple branches and show iterative updates aimed at functional changes, compatibility and vendor‑specific evasion.
Talos recovered a builder application used to generate configured BadIIS binaries, JavaScript redirectors and PHP backlink scripts. The builder assembles a config.txt file, injects parameters into 32‑bit and 64‑bit binaries, and obfuscates command‑and‑control addresses with a single‑byte XOR using key 0x03. The builder performs an authentication check that looks for the response string “lwxat” from a C2 server; the builder continues generating payloads even if the check fails. That handshake and the encoding routine served as fingerprints for clustering related artifacts.
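A single-byte XOR is trivial to reverse, which is why the encoding works as a clustering fingerprint. The following Python is an added example, not the Talos tooling or its signatures: it decodes a buffer with key 0x03 and extracts anything that looks like a hostname or URL, then tries every other single-byte key in case a later build changes it. The sample blob and the C2 URL inside it are constructed placeholders, not indicators from the report.

```python
"""Recover strings obfuscated with the single-byte XOR (key 0x03) that the
article attributes to the BadIIS builder.  Added example, not Talos code;
the sample blob and the C2 URL inside it are constructed, not real IOCs."""
import re

XOR_KEY = 0x03


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR with a one-byte key is its own inverse: encode and decode alike."""
    return bytes(b ^ key for b in data)


# A run of at least 6 printable ASCII bytes, as it looks after decoding.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Hostname or URL shape: optional scheme, dotted host, optional port/path.
_URLISH = re.compile(rb"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(:\d+)?(/[^\s]*)?$", re.I)


def find_xor_strings(blob: bytes, key: int = XOR_KEY) -> list:
    """Decode the whole blob with one key and return (offset, string) for
    every printable run that looks like a hostname or URL."""
    decoded = xor_bytes(blob, key)
    hits = []
    for m in _PRINTABLE.finditer(decoded):
        if _URLISH.match(m.group()):
            hits.append((m.start(), m.group().decode("ascii")))
    return hits


def brute_force_xor(blob: bytes) -> dict:
    """Try all 256 single-byte keys; keys that yield URL-like strings are
    returned with their hits.  Key 0 covers plaintext strings as well."""
    return {k: hits for k in range(256) if (hits := find_xor_strings(blob, k))}


def build_sample_blob() -> bytes:
    """Constructed stand-in for a configured binary: a few header bytes,
    junk, the XOR-obfuscated (hypothetical) C2 URL, then more junk."""
    c2 = b"http://c2.example.invalid:8080/api"
    return b"\x00MZ\x90" + bytes(range(0x80, 0x90)) + xor_bytes(c2) + b"\x00\xff\xfe"


if __name__ == "__main__":
    blob = build_sample_blob()
    for off, s in find_xor_strings(blob):
        print(f"key 0x03, offset {off:#x}: {s}")
    for k, hits in brute_force_xor(blob).items():
        print(f"key {k:#04x}: {hits}")
```

Run the same routine over the config.txt a builder emits, or over a dumped DLL, to pull out the configured C2 without executing anything; the "lwxat" handshake string and the "lwxatisme" user-agent are the other static fingerprints the article names for tying a sample to this family.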
Additional utilities attributed to the same author include service‑based installers, a module‑initialization dropper that packages DLLs into executables, and a two‑stage installer that registers malicious modules in IIS and installs a secondary service for recovery. Installer components dynamically read external configuration files, assemble command lines for both 32‑ and 64‑bit payloads, and obfuscate parameters with a custom Base64 scheme and, in some cases, double Base64 encoding. Deployment tools copy BadIIS binaries to active hook locations and to hidden backup directories so the malware is restored after server restarts. Researchers observed secondary components impersonating legitimate Windows services such as FaxService and AudiosService.
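A native IIS module only loads if it is registered in applicationHost.config, so that file is the first place to look for the persistence described above. The following Python is an added example, not part of the Talos research: it lists global modules whose image path is outside the inetsrv directory, after normalizing the path so that a ".." trick does not hide it, and notes whether each one is enabled. The configuration excerpt, the module name and the DLL path are constructed placeholders.

```python
r"""Flag IIS native modules registered outside %windir%\System32\inetsrv,
the registration point the article says BadIIS installers use.  Added
example, not Talos tooling; the applicationHost.config excerpt is constructed."""
import ntpath
import xml.etree.ElementTree as ET

# Where the stock IIS modules live (lower-case, env var left unexpanded).
TRUSTED_DIRS = (r"%windir%\system32\inetsrv", r"c:\windows\system32\inetsrv")


def suspicious_global_modules(config_xml: str) -> list:
    """Return (name, image, enabled) for every <globalModules><add> whose
    image is not under the inetsrv directory.  Paths are normalized with
    ntpath so '..' segments collapse, then compared case-insensitively."""
    root = ET.fromstring(config_xml)
    # Names listed under any <modules> element are enabled for that scope.
    enabled = {m.get("name") for mods in root.iter("modules") for m in mods.findall("add")}
    out = []
    for gm in root.iter("globalModules"):
        for m in gm.findall("add"):
            image = m.get("image", "")
            norm = ntpath.normpath(image).lower()
            if not any(norm.startswith(d + "\\") for d in TRUSTED_DIRS):
                out.append((m.get("name"), image, m.get("name") in enabled))
    return out


# Constructed excerpt: two stock modules plus one registered from a
# writable directory, the shape an installer-dropped module would have.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpCacheHelper" image="C:\inetpub\temp\httpcache\helper64.dll" />
    </globalModules>
  </system.webServer>
  <location path="">
    <system.webServer>
      <modules>
        <add name="UriCacheModule" />
        <add name="StaticFileModule" />
        <add name="HttpCacheHelper" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    for name, image, on in suspicious_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image} (enabled={on})")
```

Run it against a copy of applicationHost.config taken from the host (the live file sits under the inetsrv\config directory). Because the article notes that backups are kept in hidden directories and restored by a secondary service after restarts, removing the registration alone is not enough; the flagged DLL, its backup copy and any unfamiliar service pointing at a similar path need to go together.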
Attribution to the handle “lwxat” is based on multiple signals: the authentication string appears in the builder and installation tools, the builder’s config uses the same token, and several in‑the‑wild samples used the custom user‑agent string “lwxatisme” during HTTP traffic. A PDB folder labeled for “xshen” indicates the developer produced customized builds for client requests, including site‑wide hijacking by browser language.
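The user-agent string is the easiest of these signals to hunt for in egress HTTP telemetry. The following Python is an added example, not a Talos rule: it reads a tab-separated log with a Zeek-style "#fields" header and reports requests whose User-Agent is "lwxatisme", then counts hits per originating host. The log lines, addresses and hostnames are constructed.

```python
"""Hunt for the 'lwxatisme' User-Agent in a tab-separated HTTP log with a
Zeek-style '#fields' header.  Added example, not a Talos rule; every log
line below is constructed and the addresses and hostnames are placeholders."""
from collections import Counter

SUSPICIOUS_UAS = {"lwxatisme"}


def parse_fields_log(text):
    """Yield one dict per record, naming columns from the '#fields' line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))


def find_suspicious_ua(text, needles=SUSPICIOUS_UAS):
    """Return (orig_h, host, uri, user_agent) for each request whose whole
    User-Agent value, lower-cased, is one of the needles."""
    hits = []
    for rec in parse_fields_log(text):
        ua = rec.get("user_agent", "")
        if ua.lower() in needles:
            hits.append((rec.get("id.orig_h"), rec.get("host"), rec.get("uri"), ua))
    return hits


def sources(hits):
    """Count hits per originating host; each one is a server to inspect."""
    return Counter(h[0] for h in hits)


# Constructed sample with a reduced field set; the two matching requests
# come from the same internal address, as an infected IIS host would.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code",
    "1700000000.1\t10.0.0.5\t51234\t203.0.113.10\t80\tGET\tc2.example.invalid\t/s\tlwxatisme\t200",
    "1700000001.2\t10.0.0.7\t51235\t203.0.113.20\t443\tGET\twww.example.com\t/\tMozilla/5.0 (Windows NT 10.0)\t200",
    "1700000002.3\t10.0.0.5\t51236\t203.0.113.10\t80\tPOST\tc2.example.invalid\t/p\tlwxatisme\t200",
    "#close\t2023-11-14-22-13-22",
])

if __name__ == "__main__":
    hits = find_suspicious_ua(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(sources(hits))
```

These requests originate from the compromised IIS server itself, so the place to look is proxy, egress or network-sensor logs rather than the site's own IIS logs, which record inbound requests only.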
Talos has published ClamAV signatures and Snort rules to detect the family; indicators of compromise and sample details are available in the company’s GitHub repository.