Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
🇨🇳 CN2 malware families

DragonRank

Also known asDragonRank

DragonRank is a China-linked threat actor/cluster associated with compromises of Microsoft IIS servers. Public reporting places it among multiple China-linked operations that have singled out IIS infrastructure over the past year, alongside CL-STA-0048 and GhostRedirector. Reporting cited here notes overlaps between DragonRank-linked activity and other China-linked IIS intrusions, including similar TTPs, file names, hashes, C2 infrastructure, and use of PlugX in some DragonRank reporting, but also explicitly states DragonRank is adjacent to—not identical with—other clusters such as UAT-8099/WEBJACK and OP-512. DragonRank has been associated with BadIIS-style activity used to turn compromised web servers into assets for search-engine manipulation and SEO fraud. The content also states that BadIIS malware has been used by multiple Chinese-speaking threat clusters including DragonRank and Operation Rewrite (CL-UNK-1037). In addition, Unit 42 observed overlaps between CL-STA-0048 PlugX activity and prior Talos reporting on DragonRank, indicating related tradecraft within a broader China-linked ecosystem targeting IIS servers. Known alias in the provided content: DragonRank.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics6 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0002
Execution
1 technique
T1574
Hijack Execution Flow
T1574.001
DLL
TA0005
Stealth
1 technique
T1574
Hijack Execution Flow
T1574.001
DLL
TA0011
Command and Control
2 techniques
T1090
Proxy
T1102
Web Service
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BADIISCisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware.3May 19, 2026
PlugXThe initial and primary backdoor the threat actor used in this attack was the PlugX backdoor. PlugX is a well-known remote access tool (RAT) with modular plugins and customizable settings that has been popular for over a decade, primarily among Chinese-speaking threat groups.2Jun 14, 2026
IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
security online infoNews
Jun 15, 2026
OP-512: New China-Linked Cluster Targets IIS Servers

Named China-linked operation previously observed targeting IIS servers.

Read more
the hacker newsNews
Jun 5, 2026
New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

China-aligned threat group observed targeting IIS web servers.

Read more
talos intelligence blogNews
May 19, 2026
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Cybercrime group using BadIIS variants to compromise web servers for search engine manipulation and SEO fraud.

Read more
alphahunt blogNews
Feb 10, 2026
[DEEP RESEARCH] BadIIS Isn’t Enough: The IIS Module + HTTP Fingerprints That Catch SEO-Fraud Cloaking

Distinct but related IIS SEO-manipulation cluster in the BadIIS ecosystem; differentiated in reporting by inclusion of PlugX and other campaign-specific artifacts and patterns; sometimes discussed as a service-provider-like operation around SEO manipulation.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.