The DragonRank threat group is exploiting IIS servers in Asia with the BadIIS malware to manipulate SEO and redirect users to illegal gambling sites. Trend Micro researchers have linked this financially motivated campaign to previously documented activities by Group 9 and Group 11, which hijack IIS servers for proxy services and SEO fraud. The malware alters HTTP responses based on user-agent data, redirecting users searching for specific terms to malicious sites.
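A defender-side check for the User-Agent-dependent response rewriting described above, as an added example that is not taken from the Trend Micro research: it compares responses captured for the same URL under different User-Agent profiles and flags any divergence or off-site redirect. The profile labels, hostnames and captured responses are constructed sample data, and the function names are hypothetical.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample: responses captured from one's own site (example.test)
# for the same URLs under two User-Agent profiles. Not real traffic.
SAMPLE = {
    "/products": {
        "desktop-browser": {"status": 200, "headers": {}, "body": b"<html>catalog</html>"},
        "search-crawler": {"status": 200, "headers": {}, "body": b"<html>catalog</html>"},
    },
    "/news": {
        "desktop-browser": {"status": 200, "headers": {}, "body": b"<html>news</html>"},
        "search-crawler": {"status": 302, "body": b"",
                           "headers": {"Location": "http://redirect.invalid/landing"}},
    },
}

def fingerprint(resp):
    """Reduce a response to the fields a User-Agent-conditional rewrite would change."""
    location = resp.get("headers", {}).get("Location", "")
    return {
        "status": resp["status"],
        "redirect_host": urlsplit(location).hostname or "",
        "body_sha256": hashlib.sha256(resp.get("body", b"")).hexdigest(),
    }

def find_ua_divergence(captures, site_host):
    """Return findings where a URL answers differently depending only on User-Agent."""
    findings = []
    for url, by_ua in captures.items():
        prints = {ua: fingerprint(resp) for ua, resp in by_ua.items()}
        for field in ("status", "redirect_host", "body_sha256"):
            values = {ua: p[field] for ua, p in prints.items()}
            if len(set(values.values())) > 1:
                findings.append({"url": url, "field": field, "values": values})
        # A redirect that leaves the site is reported even if every profile gets it.
        for ua, p in prints.items():
            host = p["redirect_host"]
            if host and host != site_host and not host.endswith("." + site_host):
                findings.append({"url": url, "field": "offsite_redirect", "values": {ua: host}})
    return findings

if __name__ == "__main__":
    for finding in find_ua_divergence(SAMPLE, "example.test"):
        print(finding)
```

Pages with per-request content (timestamps, CSRF tokens) will differ in body hash on every fetch, so strip those fields before hashing or rely on the status and redirect findings.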
Additionally, the China-based Funnull CDN has been linked to "infrastructure laundering," renting IPs from AWS and Azure to host fraudulent websites for phishing, scams, and money laundering. Despite takedowns, new IPs are acquired frequently, likely through fraudulent or stolen accounts.