
GhostRedirector: How 65 Windows Servers Became Pawns in a Global SEO Fraud Scheme

Updated: Sep 15

A new cyberattack campaign dubbed "GhostRedirector" has shaken the security landscape by compromising at least 65 Windows servers worldwide. Employing custom backdoors and a malicious server module, the attackers used these servers to clandestinely manipulate search engine results and promote gambling websites, in a campaign linked to Chinese threat actors.


Key Takeaways

  • 65 Windows servers compromised across multiple continents

  • Custom-made backdoor (Rungan) and IIS module (Gamshen) deployed

  • Attackers exploited SQL injection vulnerabilities for initial access

  • Primary countries targeted: Brazil, Thailand, Vietnam; further infections in the U.S., Canada, and several others

  • SEO fraud boosted gambling website rankings using compromised sites

  • Attribution suggests Chinese origin based on technical and linguistic evidence

Attack Overview

The GhostRedirector campaign was first observed in late 2024 and extended into mid-2025, affecting organizations in sectors including healthcare, education, retail, technology, and insurance. The attackers used publicly known exploits and installed a variety of tools on compromised servers to ensure persistent access and operational resilience.

Victim servers were largely located in Brazil, Thailand, and Vietnam, with additional cases in Peru, the U.S., Canada, and parts of Europe and Asia. The attacks were opportunistic, exploiting vulnerabilities rather than targeting specific organizations.

Techniques and Tools Used

Initial Access and Persistence

  • SQL Injection Exploitation: Attackers gained entry by exploiting SQL injection vulnerabilities in public-facing applications.

  • Privileged User Creation: Tools like BadPotato and EfsPotato were used for privilege escalation, resulting in new administrator-level accounts as backup entry points.

Custom Malware

  • Rungan (Backdoor): A C++-based passive backdoor listened for specific HTTP requests, enabling attackers to execute commands, create users, and control the server remotely.

  • Gamshen (IIS Module): This malicious extension only activated during visits by Google’s search bots. It secretly modified outgoing content to inject backlinks and SEO content promoting third-party gambling sites, boosting their search rankings while leaving regular visitors unaffected.

Additional Tools

  • Webshells: Custom droppers were used to insert ASP, PHP, and JavaScript webshells, offering alternative remote control.

  • Remote Access Applications: Tools like GoToHTTP provided browser-accessible remote management.

The SEO Fraud Scheme

At the heart of GhostRedirector’s activity was a sophisticated “SEO fraud as-a-service” operation. By exploiting the authority of legitimate compromised websites, the attackers manipulated Google search results to increase the visibility of gambling domains. This involved automatically injecting backlinks and keywords meant for search engine crawlers, not for human visitors.

Gamshen’s selective response ensured that only Googlebot requests were tampered with, making detection more difficult and preventing any negative user-facing impact that might give away the server’s compromised state.
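The Googlebot-only tampering described above can be checked for from the outside by requesting the same page twice with different User-Agent headers and diffing the links each response carries. The following is an added example, not code from the original post or from the researchers who analysed Gamshen; the site host, the sample HTML and the link domains are constructed.

```python
# Added example (not from the original post or the researchers' code): detect
# crawler-only link injection of the kind attributed to Gamshen by diffing the
# outbound links in two responses for the same URL, one fetched with a browser
# User-Agent and one with a crawler User-Agent. The HTML below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, crawler_html, site_host):
    """External links served only to the crawler. A clean page serves the same
    link graph regardless of User-Agent, so a non-empty result is a cloaking flag."""
    seen_by_browser = {href for href, _ in extract_links(browser_html)}
    return [(href, text) for href, text in extract_links(crawler_html)
            if href not in seen_by_browser
            and urlparse(href).netloc not in ("", site_host)]


# Constructed responses for one URL on a hypothetical compromised site.
BROWSER_RESPONSE = """<html><body><h1>Clinic News</h1>
<a href="/about">About us</a> <a href="https://partner.example/">Partner</a>
</body></html>"""
CRAWLER_RESPONSE = BROWSER_RESPONSE.replace("</body>", """<div style="display:none">
<a href="https://casino.example/">best online casino</a>
<a href="https://bet.example/promo">slot bonus</a></div></body>""")
```

Run the comparison on live captures by fetching the URL once with a normal browser User-Agent and once with a Googlebot User-Agent, then passing both bodies to cloaked_links.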

Attribution and Impact

Technical analysis linked the campaign to Chinese threat actors through hardcoded Chinese-language strings, the use of certificates from Chinese companies, and specific password choices. While not definitively assigned to a previously known group, the campaign’s techniques bore similarities to earlier Chinese SEO fraud operations.

The impact of these attacks extends beyond the direct victim servers, damaging the online reputation of compromised websites and polluting search engine results—potentially misleading users and driving traffic to questionable or harmful sites.

Mitigation

Experts urge organizations to patch vulnerable applications, monitor for unauthorized PowerShell executions, and routinely audit user accounts and running IIS modules. Early detection can prevent servers from being pressed into service as unwitting allies in cybercriminal schemes. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.


Further Reading and References

  • GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module, The Hacker News.

  • GhostRedirector: Chinese hackers plague Windows servers, Techzine Global.

  • GhostRedirector Hackers Compromise Windows Servers With Malicious IIS Module To Manipulate Search Results, CybersecurityNews.

  • GhostRedirector Hackers Target Windows Servers Using Malicious IIS Module, GBHackers News.

  • Backdoors with a side of Potatoes, WeLiveSecurity.
