In March 2025, we identified an SEO poisoning campaign, likely operated by a Chinese-speaking threat actor, dubbed “Operation Rewrite.” This activity cluster, tracked as CL-UNK-1037, overlaps with known campaigns like “Group 9” and “DragonRank.” Attackers used a malicious IIS module called BadIIS to hijack web traffic via compromised servers....