Talos links ‘lwxat’ BadIIS builder to Chinese SEO‑fraud MaaS

Cisco Talos linked a BadIIS builder using the handle ‘lwxat’ to a Chinese‑language malware‑as‑a‑service active since 2021 for SEO fraud, redirection, reverse proxying and content hijack.

Cisco Talos linked a builder for a BadIIS malware variant to an author using the alias “lwxat” and reported the toolset has been in development since at least Sept. 30, 2021. The builder and related utilities are used to inject search‑engine manipulation, browser redirects and content hijacking on compromised Microsoft IIS web servers.

Researchers identified the variant by embedded “demo.pdb” strings and a recurring PDB path pattern that includes Chinese folder names, date‑based versioning and a build root in “Administrator\Desktop”. Sample PDB paths span from 2021‑09‑30 to a compile timestamp of 2026‑01‑06, indicating ongoing updates and feature branches.

The recovered builder generates configuration files, JavaScript redirectors and PHP backlink scripts, and embeds custom parameters into 32‑ and 64‑bit BadIIS binaries. Its configurable functions include forced browser redirection to spam or illicit sites; a reverse‑proxy mode that serves illicit content to search engine crawlers; content replacement with an adjustable infection rate; and internal and external backlink injection to manipulate search rankings. The builder writes a “config.txt” file during builds and obfuscates C2 addresses with a single‑byte XOR using key 0x03.

PDB folder names show targeted features and evasion work. Examples include a folder labeled “兼容百度浏览器+劫持robots.txt” (compatible with Baidu browser + hijacking robots.txt), builds annotated “过诺顿” (bypass Norton), and a directory referencing a client named “x神” (xshen) for site‑wide hijacking based on browser language. A “dll-no503” folder indicates fixes to avoid triggering IIS 503 Service Unavailable errors.

Talos also recovered auxiliary tools linked to the same author. Those include service‑based installers that register malicious DLLs as IIS modules, a dropper that embeds IIS payloads inside an executable, and a two‑stage installer that copies BadIIS into active and hidden backup locations so the malware can be restored after server restarts. Service tools impersonate Windows services such as “Winlogin,” “FaxService” and “AudiosService” and use custom double Base64 encoding and obfuscated command lines.
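The two obfuscation details above (the single‑byte XOR with key 0x03 on C2 addresses, and the double Base64 encoding used by the service tools) are the kind of thing an analyst reverses when triaging a recovered build. The following Python is an added illustration, not Talos's code or tooling: it recovers XOR‑0x03‑encoded host or URL strings from an arbitrary byte blob and decodes a double‑Base64 value. The sample blob and the sample encoded string are constructed here for the demonstration; the hostname `c2.example.invalid` and the “MZ” prefix are placeholders, not indicators from the report.

```python
import base64
import re

# Single-byte XOR key reported for the builder's C2 obfuscation.
XOR_KEY = 0x03


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo a single-byte XOR. XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 8) -> list[str]:
    """Decode the whole blob with the key, keep printable runs of at least
    min_len bytes, and return only those that look like a host or URL.
    Plain (un-obfuscated) ASCII in the blob becomes noise after XOR and is
    filtered out by the host/URL shape check."""
    decoded = xor_decode(blob, key)
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded)
    url_like = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/[\x21-\x7e]*)?$")
    return [r.decode("ascii") for r in runs if url_like.match(r.decode("ascii"))]


def double_b64_decode(value: str) -> bytes:
    """Reverse two nested standard Base64 encodings (strict padding/alphabet)."""
    inner = base64.b64decode(value, validate=True)
    return base64.b64decode(inner, validate=True)


# --- Constructed sample data (not from any real sample) -----------------------
# A fake "binary": a header fragment, a plain DOS-stub string (not XORed), the
# XOR-0x03-encoded C2 URL, and some filler bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00"
    + b"This program cannot be run in DOS mode"
    + b"\x00\x00"
    + xor_decode(b"http://c2.example.invalid/ping", XOR_KEY)  # encode for the sample
    + b"\x00\x00\x00\x07\x01\x02"
)

# A double-Base64 value built from a harmless placeholder plaintext.
SAMPLE_DOUBLE_B64 = base64.b64encode(base64.b64encode(b"config.txt")).decode("ascii")


if __name__ == "__main__":
    print("XOR-0x03 strings:", find_xor_strings(SAMPLE_BLOB))
    print("double Base64   :", double_b64_decode(SAMPLE_DOUBLE_B64))
```

Because XOR with a fixed byte preserves structure, the URL shape check is what separates genuinely obfuscated strings from ordinary ASCII that happens to stay printable after XOR; when hunting across many files, tightening `url_like` to the domains or paths already known from a case keeps the noise down.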

Several components authenticate to command‑and‑control servers by checking for the response string “lwxat.” The builder attempts that check but will complete payload generation even if authentication fails; the authentication behavior and the custom user‑agent string “lwxatisme” appeared in live samples and helped link artifacts and samples together.
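The custom user‑agent string is a cheap pivot for a defender: any HTTP request log that records the client user‑agent can be searched for it. The Python below is an added example (not from Talos or the report) that parses W3C extended‑format log text, locates the `cs(User-Agent)` column from the `#Fields:` header rather than assuming a fixed position, and returns the client address and URI of every request carrying the “lwxatisme” user‑agent. The log lines, IP addresses and paths are constructed for the demonstration; whether the string shows up in an IIS access log, an egress proxy log or a capture depends on where the request was observed.

```python
from typing import Iterable

# User-agent string reported in live samples.
SUSPECT_UA = "lwxatisme"


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.
    Directive lines (#Software, #Date, ...) are skipped; rows whose field
    count does not match the header are skipped as malformed."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(None)[1:]  # drop the "#Fields:" token
            continue
        if line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def hunt_user_agent(lines: Iterable[str], needle: str = SUSPECT_UA) -> list[dict[str, str]]:
    """Return (client IP, URI, user-agent) for every row whose user-agent
    contains the needle. W3C logs encode spaces in the UA as '+', which is
    undone before matching so a needle with spaces would still match."""
    hits = []
    for row in parse_w3c(lines):
        ua = row.get("cs(User-Agent)", "-").replace("+", " ")
        if needle in ua:
            hits.append({
                "c-ip": row.get("c-ip", "-"),
                "cs-uri-stem": row.get("cs-uri-stem", "-"),
                "user-agent": ua,
            })
    return hits


# --- Constructed sample log (addresses from documentation ranges) ------------
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status time-taken
2026-01-07 10:00:01 10.0.0.5 GET / - 80 - 203.0.113.9 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 12
2026-01-07 10:00:02 10.0.0.5 GET /index.php - 80 - 198.51.100.7 lwxatisme - 200 3
2026-01-07 10:00:03 10.0.0.5 GET /robots.txt - 80 - 198.51.100.7 Mozilla/5.0 - 200 5
2026-01-07 10:00:04 10.0.0.5 GET /status - 80 - 198.51.100.8 lwxatisme/1.0 - 404 2
"""


if __name__ == "__main__":
    for hit in hunt_user_agent(SAMPLE_LOG.splitlines()):
        print(hit)
```

Reading the column index from `#Fields:` matters because IIS operators enable different field sets per site; a hard‑coded column number would silently miss hits on a server whose log layout differs from the one the query was written against.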

Talos observed campaigns that used the “demo.pdb” variant primarily across the Asia‑Pacific region, with smaller numbers of incidents in South Africa, Europe and North America. The company described the variant as modular and builder‑driven, differing from other BadIIS samples that used hardcoded C2s and static payloads.

Detection signatures and indicators of compromise were published. ClamAV signatures that detect the threat include Win.Malware.BadIIS-10059971-0, Win.Malware.BadIIS-10059977-0, Win.Malware.BadIIS-10059984-0 and Win.Malware.BadIIS-10059985-0. Snort rules with SIDs 1:66400, 1:66399 and 1:66398 (Snort2) and SIDs 1:66400 and 1:301491 (Snort3) also flag related activity. IOCs and detection rules are available in a public GitHub repository provided by the researchers.
