Cybersecurity researchers at ESET have identified a previously unknown threat cluster, dubbed GhostRedirector, which has compromised at least 65 Windows IIS servers across Brazil, Thailand, Vietnam, and beyond. Active since at least August 2024, the attackers deploy a dual-threat combo: a passive C++ backdoor named Rungan and a native IIS malware module called Gamshen.
While Rungan enables remote command execution, Gamshen manipulates Google search results by injecting backlinks that artificially elevate the ranking of targeted third-party websites—many of which are believed to be gambling platforms. Gamshen selectively alters HTTP responses only for Googlebot crawlers, leaving normal user traffic untouched. Still, compromised hosts risk reputational damage due to association with black hat SEO tactics.

Attack overview. Source: welivesecurity.com.
The attackers use SQL injection vulnerabilities to breach networks, then leverage PowerShell scripts initiated through sqlserver.exe to deliver payloads. Once inside, Rungan listens for specially crafted HTTP requests and can create new users, register URLs, and run system commands. Gamshen, written in C/C++, joins a growing list of IIS-based malware families, such as IISerpent and BadIIS, used for covert access and fraud.
ESET also uncovered deployment of supporting tools such as GoToHTTP (for browser-accessible remote control), BadPotato/EfsPotato (for privilege escalation), and Zunput (for reconnaissance and web shell deployment). These components collectively ensure long-term persistence.
Attribution points toward a China-aligned group, based on indicators like Chinese-language code, certificates from a Chinese company, and usernames such as “huang.” Researchers also noted similarities to past campaigns run by DragonRank, another Chinese-speaking group previously observed exploiting IIS servers for SEO fraud.
GhostRedirector is a reminder of the expanding use of web server modules as covert footholds for fraud and espionage. Security teams should inspect IIS module integrity, monitor for unusual PowerShell executions, and harden defenses against SQL injection—especially in exposed environments. The quiet abuse of server infrastructure for SEO manipulation could just as easily support more destructive goals in the future.
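The Googlebot-only cloaking described above gives defenders a simple self-check: fetch the same page from a suspect IIS host twice, once with a normal browser User-Agent and once with a Googlebot User-Agent, and diff the outbound links. The script below is an added example (not ESET's code or any tool from the report); it assumes the two HTML copies have already been retrieved and uses constructed sample pages with placeholder hosts.

```python
"""Detect crawler-only backlink injection by diffing two responses for the
same URL: one fetched with an ordinary browser User-Agent, one with a
Googlebot User-Agent. External hosts that appear only in the crawler copy
are the signature of a module like Gamshen rewriting crawler responses."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects href values of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_links(html, site_host):
    """Return the set of linked hosts other than the site's own host."""
    parser = _LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname  # None for relative links
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def crawler_only_links(normal_html, bot_html, site_host):
    """Hosts linked only in the Googlebot response: evidence of cloaking."""
    return external_links(bot_html, site_host) - external_links(normal_html, site_host)


# Constructed sample responses; the hosts are placeholders, not real indicators.
NORMAL_HTML = ('<html><body><a href="https://example.com/about">About</a>'
               '<a href="https://cdn.example.net/lib.js">lib</a></body></html>')
BOT_HTML = NORMAL_HTML.replace(
    "</body>",
    '<a href="http://casino-placeholder.example/">x</a>'
    '<a href="http://bet-placeholder.example/p">y</a></body>')

if __name__ == "__main__":
    # On a clean host this prints an empty set.
    print(crawler_only_links(NORMAL_HTML, BOT_HTML, "example.com"))
```

A non-empty result on your own server is a reason to enumerate the native IIS modules and verify each DLL's signature and origin.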