Cybersecurity firm ESET has uncovered a previously unknown threat actor, dubbed “GhostRedirector,” that has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam since late 2024.
GhostRedirector uses two previously unknown tools: a C++ backdoor named Rungan, and a malicious Internet Information Services (IIS) module named Gamshen.
Rungan gives the attackers remote command execution on compromised servers, while Gamshen is designed to provide SEO fraud as a service: it alters only the responses served to Google's search crawler (Googlebot), so regular visitors see the site unchanged, ESET said.
Gamshen is built as a native IIS module, taking advantage of the modular architecture of Microsoft's IIS web server, which lets a native DLL registered with the server inspect and rewrite every request and response. Alongside Rungan and Gamshen, GhostRedirector uses other custom tools and publicly available privilege-escalation exploits such as EfsPotato and BadPotato (both abuse Windows impersonation privileges) to gain higher system privileges and maintain persistence on compromised servers.
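Because a native IIS module is registered in the server's global configuration and runs inside the worker process, a practical first check on a suspect host is to enumerate every registered native module and verify who signed its binary. The script below is an added example, not ESET's tooling or an indicator from its report: it parses the default applicationHost.config location (assumed; adjust if IIS uses a non-default path), expands each module's image path, and flags any module whose DLL is missing, unsigned, signed by someone other than Microsoft, or stored outside the inetsrv directory. The signer-subject match on "O=Microsoft Corporation" is a heuristic chosen for this example.

```powershell
# Added example (not ESET's code): audit native IIS modules registered on this host.
# Run from an elevated PowerShell prompt on the IIS server.
# Assumption: IIS keeps its configuration at the default applicationHost.config path.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrvDir = Join-Path $env:windir 'System32\inetsrv'

if (-not (Test-Path -LiteralPath $configPath)) {
    throw "IIS configuration not found at $configPath"
}

[xml]$cfg = Get-Content -LiteralPath $configPath -Raw

# Native modules live under <system.webServer><globalModules><add name=".." image=".." />
$results = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    # image paths are stored with environment variables, e.g. %windir%\System32\inetsrv\...
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $image } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $reasons = @()
    if (-not $exists) {
        $reasons += 'image file missing'
    } elseif ($sig.Status -ne 'Valid') {
        $reasons += "signature status $($sig.Status)"
    } elseif ($signer -notmatch 'O=Microsoft Corporation') {
        # Heuristic for this example: stock IIS modules are Microsoft-signed.
        $reasons += "non-Microsoft signer: $signer"
    }
    if ($image -notlike "$inetsrvDir\*") {
        $reasons += 'image stored outside inetsrv'
    }

    [pscustomobject]@{
        Name       = $m.name
        Image      = $image
        Signer     = $signer
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

# Suspicious entries first; review each one against the server's change history.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A legitimately installed third-party module (a WAF, a rewrite engine) will also be flagged by the signer heuristic, so treat the output as a review list rather than a verdict; the useful signal is a module the administrators cannot account for, especially one whose DLL sits outside the IIS directory.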
ESET researchers believe, with medium confidence, that GhostRedirector is aligned with Chinese threat actors, although it has not been linked to any known groups. The operation appears to be opportunistic, targeting vulnerable servers across sectors including insurance, healthcare, retail, transportation, technology, and education.
Interestingly, the campaign bears similarities to an earlier SEO fraud operation by a group called DragonRank, but ESET has found no direct link between the two.