DragonRank is a newly identified threat actor primarily targeting countries in Asia and some in Europe, using a variety of tools, including PlugX and BadIIS, to manipulate search engine rankings. The group exploits vulnerabilities in web application services to deploy web shells, which it uses to collect system information and launch malware. It employs techniques such as DLL sideloading and abuses the Windows Structured Exception Handling (SEH) mechanism to evade detection. DragonRank's attacks have compromised over 35 IIS servers across diverse sectors, including healthcare, media, and IT services. Its operations suggest a background in targeted attacks or penetration testing, with a focus on lateral movement and privilege escalation to infiltrate networks and maintain control over them. While primarily engaged in black hat SEO, DragonRank distinguishes itself by manipulating compromised websites to serve scam operations, often using adult-themed keywords to attract traffic. Evidence indicates the group is operated by a Simplified Chinese-speaking actor: it has been linked to a commercial website offering both white hat and black hat SEO services, and it uses Simplified Chinese in its communications and on the platforms it promotes.
Tags
Attribution: 🇨🇳
Incidents
Last edited: Sep 19, 2024 1:14 PM
Status: Stub
Cloud-fluent