Talos finds BadIIS malware sold to Chinese cyber groups

Cisco Talos found a BadIIS variant with embedded “demo.pdb” strings being sold as malware-as-a-service to Chinese-language cybercrime groups to hijack IIS servers and redirect web traffic.

In a May 21, 2026 report, Cisco Talos identified a BadIIS malware variant flagged by embedded “demo.pdb” strings. The report says the tool is sold as malware-as-a-service to Chinese-language cybercrime groups to hijack Microsoft Internet Information Services (IIS) servers and redirect web traffic to attacker-controlled pages used for search engine optimization fraud and other scams.

The report describes a toolset developed over several years that includes builder utilities and persistence mechanisms. Less-skilled operators use the kit to modify server content, inject redirects, and proxy traffic so victims and search engines are routed to attacker pages.

Talos identified distinct artifacts that can serve as indicators of compromise, notably the “demo.pdb” string and Chinese-language folder paths inside modified IIS binaries. The toolset supports automated deployment and has been updated repeatedly by its author to add features and evade specific security products, according to the report.

Because the variant is packaged and sold commercially, it lowers the barrier to entry for cybercriminals and enables a wider range of actors to perform SEO fraud, traffic siphoning and server hijacks without advanced skills. Compromised servers often continue to serve legitimate content while diverting a portion of traffic to illicit destinations.

The report recommends that defenders monitor IIS environments for unauthorized content changes, unexpected reverse proxy behavior, and unexplained spikes in “503 Service Unavailable” responses, which can indicate proxying issues. A 503 spike on its own is not conclusive, since IIS also returns 503 when an application pool is stopped or rapid-fail protection trips, so treat it as a trigger for inspecting the host rather than as proof of compromise. Investigations should include searching binaries for the “demo.pdb” string and any Chinese-language folder paths linked to the toolset, updating endpoint detection and response signatures, and applying vendor patches that address the evasion techniques the toolset is known to use.
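Two of those checks, the string sweep over IIS module binaries and the 503 spike review, as an added Python example; this is not code from Talos or from the report. It assumes that module images are scanned as raw bytes, that a Chinese-language folder path would surface in the PDB path of the image's RSDS debug record (decoded as UTF-8, with a GBK fallback), and that the IIS logs are in the default W3C format. The sample image and log lines are constructed for the example; the thresholds are illustrative.

```python
# Added triage helpers for the two checks above; not code from Talos or the report.
# Assumptions: module images are scanned as raw bytes for the literal "demo.pdb" string and
# for an RSDS record whose PDB path contains CJK characters; logs are default W3C format.
import re
import struct
from collections import Counter
from pathlib import Path

DEMO_PDB = b"demo.pdb"
CJK = re.compile(r"[\u4e00-\u9fff]")  # CJK Unified Ideographs (Chinese folder names)


def rsds_pdb_paths(data: bytes) -> list[str]:
    """PDB paths from RSDS records: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
    UTF-8 first, then GBK, since a Chinese-locale toolchain may write the ANSI code page (assumption)."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 24
        end = data.find(b"\x00", start)
        if end > start:
            raw = data[start:end]
            try:
                paths.append(raw.decode("utf-8"))
            except UnicodeDecodeError:
                paths.append(raw.decode("gbk", errors="replace"))
        pos = data.find(b"RSDS", pos + 4)
    return paths


def scan_binary(data: bytes) -> dict:
    """Check one module image for the two string indicators named in the report."""
    return {
        "demo_pdb": DEMO_PDB in data.lower(),  # case-insensitive ASCII match
        "cjk_pdb_paths": [p for p in rsds_pdb_paths(data) if CJK.search(p)],
    }


def scan_modules(root: Path) -> dict[str, dict]:
    """Scan every DLL under root; return only the files with a hit."""
    hits = {}
    for dll in root.rglob("*.dll"):
        result = scan_binary(dll.read_bytes())
        if result["demo_pdb"] or result["cjk_pdb_paths"]:
            hits[str(dll)] = result
    return hits


def parse_w3c(log_lines):
    """Yield (minute, sc-status) from IIS W3C log text; directive lines start with '#'."""
    fields = []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed or pre-header lines
                rec = dict(zip(fields, values))
                yield f"{rec['date']} {rec['time'][:5]}", rec["sc-status"]


def flag_503_spikes(log_lines, min_count=5, min_ratio=0.25) -> list[str]:
    """Minutes where 503s are both numerous and a large share of traffic (thresholds are
    illustrative). IIS also answers 503 when an application pool is stopped or rapid-fail
    protection trips, so a hit means "inspect this host", not "compromised"."""
    totals, errors = Counter(), Counter()
    for minute, status in parse_w3c(log_lines):
        totals[minute] += 1
        if status == "503":
            errors[minute] += 1
    return sorted(m for m in errors
                  if errors[m] >= min_count and errors[m] / totals[m] >= min_ratio)


def fake_image(pdb_path: str) -> bytes:
    """Constructed stand-in for a module image: one RSDS record between filler bytes."""
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode("utf-8") + b"\x00"
    return b"MZ" + b"\x00" * 64 + rsds + b"\x00" * 16


def _log_line(t: str, status: int) -> str:
    """Constructed W3C log line in the default field order."""
    return (f"2026-05-21 {t} 10.0.0.5 GET /index.html - 80 - 203.0.113.7 "
            f"Mozilla/5.0 - {status} 0 0 12")


SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
]
SAMPLE_LOG += [_log_line(f"10:00:{i:02d}", 200) for i in range(10)]                  # quiet minute
SAMPLE_LOG += [_log_line(f"10:01:{i:02d}", 503 if i % 2 else 200) for i in range(20)]  # half are 503

if __name__ == "__main__":
    print(scan_binary(fake_image("C:\\项目\\demo.pdb")))    # both indicators hit
    print(scan_binary(fake_image("C:\\build\\clean.pdb")))  # no hits
    print(flag_503_spikes(SAMPLE_LOG))                      # ['2026-05-21 10:01']
```

In practice, point `scan_modules` at the image paths listed under `<globalModules>` in applicationHost.config (or at `%windir%\System32\inetsrv` as a starting point) and feed `flag_503_spikes` the site's W3C logs; a flagged minute is a reason to pull the host's module list and recent file changes, not a verdict by itself.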

Talos published a technical writeup and indicators of compromise to help incident responders identify and remediate infections. The disclosure is part of Talos’s ongoing tracking of commodity malware and malware-as-a-service ecosystems.
