From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Cisco Talos has uncovered an actively maintained, modular BadIIS malware ecosystem—identifiable by distinctive "demo.pdb" strings and linked to the Chinese-speaking developer "lwxat"—that is being sold as a commodity MaaS platform to multiple cybercrime groups, enabling large-scale, persistent SEO fraud, content hijacking, and evasive web server compromise worldwide.