A commodity malware platform has been quietly compromising legitimate web servers for more than four years, redirecting unsuspecting visitors to gambling sites and illicit marketplaces while simultaneously poisoning search engine rankings — and the operator behind it has left the same alias embedded in the tooling throughout the entire campaign.
How BadIIS Works
Cisco Talos published analysis of BadIIS, a Malware-as-a-Service platform active since at least September 2021, with the most recent compiled sample dated January 6, 2026. The platform is operated by a threat actor using the alias “lwxat” and is marketed to Chinese-speaking cybercrime groups, who can purchase customized IIS hijacking payloads through a dedicated builder tool.
The platform supports two distinct attack modes. In the first, JavaScript-based redirection silently forwards legitimate website visitors to gambling sites, adult content platforms, and other illicit marketplaces, with no indication to those visitors that the site they reached has been compromised. In the second mode, BadIIS operates as a reverse proxy that serves illegal content directly to search engine crawlers while ordinary visitors still see the legitimate site, manipulating SEO rankings by making fraudulent sites appear to carry the authority of established, legitimate domains.
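The second mode is a form of search-engine cloaking: the same URL returns one page to a browser and another to a crawler. A defender can test for it by requesting a page twice, once with a normal browser User-Agent and once with a crawler User-Agent such as Googlebot's, and comparing what comes back. The following is an added example, not code from the Talos report or from BadIIS, that performs the comparison step offline on two constructed HTML bodies; the hostnames ending in .invalid are placeholders, and a real check would obtain the two bodies with an HTTP client.

```python
"""Added example (not from the Cisco Talos analysis): flag pages whose
crawler view differs materially from the browser view.

Assumption: the caller fetches the same URL twice with different User-Agent
headers and passes both bodies in. The two HTML strings below are constructed
stand-ins for such responses."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkTitleParser(HTMLParser):
    """Collects the <title> text and the hostnames of all <a href> links."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            host = urlparse(href).hostname
            if host:
                self.hosts.add(host.lower())
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def extract_view(html):
    """Reduce an HTML body to the features we compare: title and outbound hosts."""
    parser = _LinkTitleParser()
    parser.feed(html)
    return {"title": parser.title, "hosts": parser.hosts}


def compare_views(browser_html, crawler_html, own_host):
    """Return a verdict describing how the crawler view diverges from the browser view.

    A changed <title> or third-party link hosts that only the crawler sees are the
    classic signs of SEO cloaking by a hijacked server.
    """
    browser = extract_view(browser_html)
    crawler = extract_view(crawler_html)
    crawler_only = {h for h in crawler["hosts"] - browser["hosts"] if h != own_host.lower()}
    title_changed = browser["title"] != crawler["title"]
    return {
        "title_changed": title_changed,
        "crawler_only_hosts": sorted(crawler_only),
        "suspicious": title_changed or bool(crawler_only),
    }


# Constructed sample responses for a hypothetical site example.com.
BROWSER_VIEW = """<html><head><title>Example Corp - Home</title></head>
<body><a href="https://example.com/about">About</a>
<a href="https://example.com/contact">Contact</a></body></html>"""

CRAWLER_VIEW = """<html><head><title>Best Online Casino Bonus</title></head>
<body><a href="https://example.com/about">About</a>
<a href="https://casino-placeholder.invalid/signup">Play now</a>
<a href="https://bets-placeholder.invalid/">Bonus</a></body></html>"""


if __name__ == "__main__":
    print(compare_views(BROWSER_VIEW, CRAWLER_VIEW, "example.com"))
```

Run against the constructed bodies, the verdict flags both a changed title and two link hosts that only the crawler is shown. The same comparison works as a scheduled check across an organisation's own sites, since a server hijacked in this way keeps looking normal to whoever is browsing it.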
The “lwxat” Builder and Its Persistent OPSEC Failure
The builder tool at the heart of the BadIIS MaaS offering generates custom configurations that are compiled directly into deployed binaries. The alias “lwxat” appears throughout the builder interface and in HTTP communications between infected servers and operator infrastructure — a consistent operational security failure that has allowed Cisco Talos researchers to track the campaign’s evolution across four years of activity. Despite repeated exposure, the alias has not been scrubbed from successive versions of the tooling, providing researchers with a durable thread connecting new samples to the original operator.
BadIIS Hides as FaxService and Conceals C2 Addresses with Base64 and XOR
BadIIS achieves persistence on compromised servers by masquerading as a fake Windows service — researchers documented one instance using the name “FaxService” to blend in with legitimate system processes. To conceal command-and-control server addresses within the binary, the malware combines Base64 encoding with single-byte XOR obfuscation. This layered approach to hiding C2 infrastructure complicates static analysis and slows incident response on affected servers.
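The concealment scheme described above defeats a plain string search for URLs in the binary, but a single-byte XOR key has only 256 possibilities, so an analyst who recognises the pattern can recover the plaintext by trying every key and scoring the results. The following is an added example, not code from the Talos analysis or from BadIIS itself, that does exactly that. It assumes the order is XOR first, then Base64 (the report does not state the order; if the sample applies Base64 first, swap the two steps), and the C2 address and key it uses are constructed placeholders.

```python
"""Added example (not from the Cisco Talos analysis): recover a string hidden
with single-byte XOR followed by Base64 encoding.

Assumptions: the layering order is XOR then Base64; the key and the sample
address below are constructed placeholders, not values from any real sample."""
import base64
import string

# Characters we are willing to accept in a decoded candidate.
PRINTABLE = set(string.printable) - set("\x0b\x0c")
# Characters that are typical in hostnames, paths and URLs.
URL_CHARS = set("./:-_")


def xor_bytes(data, key):
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def obfuscate(plaintext, key):
    """Constructed reference encoder for the assumed scheme (used here only to
    build test input; a real analyst would start from the bytes in the binary)."""
    return base64.b64encode(xor_bytes(plaintext.encode("ascii"), key)).decode("ascii")


def score(candidate):
    """Rate how much a candidate plaintext looks like a URL or hostname.

    Returns -1 for anything non-ASCII or non-printable, otherwise counts
    URL-friendly characters and rewards an explicit scheme separator.
    """
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return -1
    if not all(ch in PRINTABLE for ch in text):
        return -1
    points = sum(1 for ch in text if ch.isalnum() or ch in URL_CHARS)
    if "://" in text or text.startswith("www."):
        points += 20
    return points


def recover(blob):
    """Brute-force the single-byte key for a Base64 blob.

    Returns (key, plaintext) for the best-scoring key, or None when no key yields
    printable ASCII at all.
    """
    raw = base64.b64decode(blob)
    best_key = max(range(256), key=lambda k: score(xor_bytes(raw, k)))
    best = xor_bytes(raw, best_key)
    if score(best) < 0:
        return None
    return best_key, best.decode("ascii")


# Constructed placeholder address and key for demonstration only.
SAMPLE_C2 = "http://c2-placeholder.invalid/gate.php"
SAMPLE_KEY = 0x5A


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_C2, SAMPLE_KEY)
    print("obfuscated:", blob)
    print("recovered: ", recover(blob))
```

The scoring heuristic matters more than the XOR loop: several keys turn the bytes into printable text, so the recovery has to prefer candidates that look like an address rather than merely decode without error. In practice the blob is extracted from the binary (or from the HTTP traffic between the server and the operator), the recovered address goes straight into the block list and the indicator set, and the service name under which the binary was installed is what the IIS host's service inventory should be checked against.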
Geographic Reach and the MaaS Business Model
Cisco Talos documented BadIIS impacts across the Asia-Pacific region, South Africa, Europe, and North America, spanning thousands of legitimate websites. The platform’s MaaS structure means that multiple independent criminal groups are running parallel BadIIS campaigns simultaneously — each with custom configurations generated by the same builder tool but targeting different victims and serving different downstream content.
That model creates a particularly difficult detection and remediation environment for defenders. Because each campaign is independently operated, takedown action against one group does not disrupt others running the same underlying platform. Web server administrators who discover a BadIIS infection are dealing with the output of one buyer’s configuration, while the same IIS hijacking capability remains available for purchase by others.
The scale of documented impact — thousands of websites across multiple continents over more than four years — reflects how effectively a well-built MaaS platform can sustain criminal operations even when individual campaigns are identified and disrupted. The Cisco Talos analysis provides server administrators with indicators of compromise tied to the January 2026 sample set, but the continued availability of the builder tool through apparent criminal marketplaces suggests new campaigns will emerge as long as the platform remains operational.
