Intel Name: Operation Rewrite: Chinese-speaking threat actors deploy BadIIS in a wide-scale SEO poisoning campaign
Date of Scan: September 23, 2025
Impact: High
Summary: In March 2025, we identified an SEO poisoning campaign, likely operated by a Chinese-speaking threat actor, dubbed “Operation Rewrite.” This activity cluster, tracked as CL-UNK-1037, overlaps with known campaigns like “Group 9” and “DragonRank.” Attackers used a malicious IIS module called BadIIS to hijack web traffic via compromised servers. The campaign targeted East and Southeast Asia, with code tailored to regional search engines. Beyond BadIIS, the toolkit included ASP.NET handlers, .NET IIS modules, and a multifunctional PHP script.