DeepSec 2025 Talk: The Anatomy of DragonRank: Understanding and Defending Against SEO-Driven IIS Compromises – Joey Chen
DragonRank, a sophisticated threat actor, primarily targets countries in Asia and a select few in Europe, deploying BadIIS malware across compromised IIS servers for SEO rank manipulation. In 2023, we already uncovered DragonRank’s commercial website, business model, and instant message accounts. So, what tactics did DragonRank use in these attacks, and most importantly, how can we defend against them?
To answer these questions, we will first discuss how DragonRank compromised Windows IIS servers hosting corporate websites all around the world. Following that, we will discuss the advanced persistence methods employed by DragonRank, including lateral movement, privilege escalation and deployment of BadIIS/PlugX on the system. Furthermore, we will explore the details of two unique real-life case studies of the DragonRank actor, from initial access, through configuration of the IIS server, to the stage where they profit.
We will then use all the presented information to identify common flaws in the actor’s offensive strategy. Identifying these flaws will in turn allow us to discuss how to build an efficient defense strategy against further DragonRank attacks. We hope attendees who work in the security field will leave equipped with practical insights to develop an effective defense strategy against this threat.
We asked Joey a few more questions about his talk.
Please tell us the top 5 facts about your talk.
BadIIS Malware Exposed: It details how DragonRank deploys BadIIS malware on compromised Windows IIS servers to manipulate SEO rankings, impacting corporate websites globally.
Advanced Attack Techniques: Attendees will learn about advanced tactics used by DragonRank, including lateral movement, privilege escalation, and persistent malware deployment (BadIIS/PlugX) based on real-world incidents.
Business Model Unveiled: The session uncovers the commercial aspects of DragonRank, including their operational framework and monetization strategies.
Actionable Defense Strategies: The talk is designed to equip security professionals—especially those in resource-limited organizations—with practical, cost-effective strategies to defend against similar threats.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The inspiration for this talk came from uncovering several attacks that resembled APT-style operations. While the TTPs mirrored those of advanced persistent threats, the underlying motive was clearly cybercriminal rather than espionage. Through in-depth analysis of these attack campaigns and a thorough investigation into DragonRank’s commercial website and business operations, it became clear that their approach combined sophisticated technical methods with a well-organized business structure. This intersection of technical and business intelligence prompted a deeper investigation, ultimately shaping the comprehensive analysis presented in this talk.
Why do you think this is an important topic?
This topic is crucial because it highlights the growing trend of cybercriminals operating with business-like efficiency and targeting organizations with limited resources—those least equipped to defend themselves. By understanding the methods and motives of actors like DragonRank, security professionals can better anticipate, detect, and mitigate attacks that might otherwise go unnoticed until significant damage is done.
Is there something you want everybody to know – some good advice for our readers, maybe?
One key takeaway: never underestimate the value of fundamental security hygiene. Even the most advanced attackers often rely on exploiting basic misconfigurations or outdated software. Regular patching, least privilege access, and thorough log monitoring can go a long way in reducing exposure to threats like DragonRank.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Looking ahead, I predict that threat actors will increasingly adopt modular, “as-a-service” business models—offering specialized tools like BadIIS to other criminals for a fee. This will lower the barrier to entry into cybercrime and increase the volume and sophistication of attacks. On the defensive side, organizations will need to invest in automated, intelligence-driven security solutions that can adapt to rapidly evolving threats, especially as attackers become more organized and commercially motivated.
Joey Chen works as a Cyber Threat Researcher for Cisco Talos Incorporated in Taiwan. His major areas of research include incident response, APT/cybercrime investigation, malware analysis and cryptography analysis. He has spoken at Botconf, HITB, Virus Bulletin, CODEBLUE and DeepIntel, among others, and received the 2018 Training Ambassador & Trainer prize at Trend Micro. He is now focusing on the security issues of targeted attacks, emerging threats and IoT systems. He also develops an automated intelligence platform to help his team get more sleep at night.