UAT-8099 Targets Vulnerable IIS Servers: Why This Attack Matters to Your Business
A newly observed threat actor tracked as UAT-8099 is actively exploiting vulnerable Internet Information Services (IIS) servers, deploying web shells, abusing PowerShell, and leveraging region-customized “BadIIS” malware to maintain stealthy, long-term access.
For organizations running on-prem or hybrid Windows infrastructure, this campaign is a clear warning: unpatched servers and weak monitoring remain prime targets—and attackers are getting more sophisticated in how they stay hidden.
At Equal Technology Solutions, this is exactly the type of threat we help businesses detect, contain, and prevent before it becomes a costly breach.
What Is UAT-8099 Doing?
UAT-8099 focuses on exposed or poorly secured IIS servers, commonly found in:
- Small to mid-size businesses
- Legacy line-of-business applications
- Hybrid cloud environments
Their attack chain typically includes:
1. Exploiting IIS Vulnerabilities
Attackers gain initial access by targeting outdated or misconfigured IIS components running on Microsoft Windows Server.
2. Deploying Web Shells
Once inside, they upload lightweight web shells that allow:
- Remote command execution
- File uploads/downloads
- Persistent access even after reboots
3. PowerShell-Based Living-Off-the-Land (LOLbins)
PowerShell is abused to:
- Avoid traditional antivirus detection
- Download additional payloads
- Execute commands directly in memory
4. Region-Customized BadIIS Malware
BadIIS modifies IIS modules to:
- Redirect traffic
- Proxy malicious content
- Customize behavior based on geographic location
This makes detection significantly harder—and allows attackers to selectively target victims.
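Because BadIIS-style implants register themselves as IIS modules, one practical check is to audit the native modules IIS actually loads. The following PowerShell script is an added example (not code from the original post or from any vendor): it parses applicationHost.config, resolves each global module's DLL, and flags entries that are unsigned, not signed by Microsoft, or loaded from outside the inetsrv directory. It assumes it runs as an administrator on the IIS host with the default config path.

```powershell
# Added example: audit IIS native (global) modules registered in applicationHost.config.
# A module whose DLL is unsigned, signed by an unexpected publisher, or loaded from an
# unusual path is worth investigating; legitimate third-party modules will also appear,
# so treat the output as a triage list rather than a verdict.
# Assumptions: run elevated on the IIS server; default IIS paths are used.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

function Get-IisModuleAudit {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $inetsrv = "$env:windir\System32\inetsrv"
    foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
        # Module images are stored with %windir%-style variables; expand them first.
        $image = [Environment]::ExpandEnvironmentVariables($m.image)
        $findings = @()
        if (-not (Test-Path -LiteralPath $image)) {
            $findings += 'image missing on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid') {
                $findings += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $findings += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
            }
            if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += 'image outside inetsrv directory'
            }
        }
        [pscustomobject]@{
            Name     = $m.name
            Image    = $image
            Suspect  = ($findings.Count -gt 0)
            Findings = ($findings -join '; ')
        }
    }
}

# Suspect modules sort to the top; compare against a known-good baseline of the server.
$results = Get-IisModuleAudit -Path $ConfigPath
$results | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it periodically and diff the output against a baseline captured when the server was known to be clean; a newly added entry is the signal, not the total count.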
Why This Is Dangerous for Businesses
Unlike noisy ransomware attacks, campaigns like UAT-8099 are quiet, persistent, and data-focused.
If compromised, your business could face:
- Credential theft
- Data exfiltration
- Website defacement or malicious redirects
- Compliance violations (HIPAA, GLBA, PCI, etc.)
- Being used as a launch point for attacks on others
Many victims don’t realize they’ve been breached for months.
How Equal Technology Solutions Protects You
This is where proactive IT security makes the difference.
Our layered defense approach includes:
✔ IIS & Windows Server Hardening
- Secure baseline configurations
- Removal of unnecessary modules
- Least-privilege enforcement
✔ Patch & Vulnerability Management
- Continuous monitoring for missing patches
- Priority remediation of internet-facing systems
✔ Advanced Threat Detection
- PowerShell activity monitoring
- Web shell detection
- Anomalous IIS module behavior analysis
✔ Incident Response & Forensics
- Rapid containment of compromised servers
- Malware removal (including BadIIS-style threats)
- Root cause analysis to prevent re-infection
✔ Ongoing Managed Security Services
- 24/7 monitoring
- Log aggregation & alerting
- Security awareness guidance for internal teams
Are You Running IIS? Then This Applies to You.
If your business hosts:
- Internal or public-facing web apps
- Legacy IIS-based systems
- Hybrid or on-prem Windows servers
…you should assume attackers are already scanning for weaknesses.
Get Ahead of the Threat
UAT-8099 is just one example of how modern attackers operate—but it won’t be the last.
👉 Equal Technology Solutions offers a free initial security assessment to identify:
- Exposed services
- Patch gaps
- High-risk configurations
Before attackers find them first.
Contact us today to protect your infrastructure, your data, and your reputation.