A new threat group employs custom tools to manipulate search results for improved SEO.
ESET Research has identified a new threat group known as GhostRedirector, which infiltrated at least 65 Windows servers in June 2025, primarily targeting Brazil, Thailand, Vietnam, and the United States. This group is believed to have links to China and employs two previously undocumented custom tools: a passive C++ backdoor named Rungan and a malicious IIS module called Gamshen. Rungan enables the execution of commands on infected servers, while Gamshen manipulates Google search results to enhance the visibility of specific websites, particularly those related to gambling. Although Gamshen only alters responses to Googlebot requests, its involvement in SEO fraud can tarnish the reputation of compromised host websites by associating them with dubious SEO practices, as noted by ESET researcher Fernando Tavella.
GhostRedirector utilises various custom tools alongside known exploits such as EfsPotato and BadPotato to establish privileged accounts on compromised servers. These accounts facilitate the download and execution of additional malicious software with elevated permissions, serving as a fallback if the Rungan backdoor or other tools are removed. The group’s victims span multiple sectors, including education, healthcare, insurance, transportation, technology, and retail, with a notable focus on targets in Latin America and Southeast Asia. ESET data suggests that GhostRedirector likely gains access through SQL injection vulnerabilities, allowing attackers to control Windows servers and deploy a range of malicious tools. The group demonstrates persistence by implementing multiple remote access tools and creating rogue user accounts to ensure long-term access to compromised infrastructures.
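Because Gamshen only alters responses served to Googlebot, a site owner can look for it by comparing what the same URL returns to a browser and to a crawler. The following is an added example, not ESET's tooling or code from the report: it diffs two already-captured responses and reports redirects and external hosts that appear only in the crawler variant. The function names, the `example.edu` site and the sample responses are constructed, and it assumes the two captures differ only in the identity the client presented, since the page does not say how Gamshen recognises Googlebot.

```python
import re
from urllib.parse import urlparse

# Matches href="..." / src="..." attribute values (absolute, relative or //host/ form).
LINK_RE = re.compile(r'''(?:href|src)\s*=\s*["']([^"'#\s]+)''', re.I)

def external_hosts(html, own_domain):
    """Return the set of hosts referenced in html that are outside own_domain."""
    hosts = set()
    for url in LINK_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()  # relative links have no host
        if host and host != own_domain and not host.endswith("." + own_domain):
            hosts.add(host)
    return hosts

def cloaking_report(own_domain, browser_resp, crawler_resp):
    """Each response is a (status, headers, body) tuple captured for the same URL.

    Returns findings present only in the crawler-facing response."""
    b_status, b_headers, b_body = browser_resp
    c_status, c_headers, c_body = crawler_resp
    b_headers = {k.lower(): v for k, v in b_headers.items()}
    c_headers = {k.lower(): v for k, v in c_headers.items()}
    findings = []
    if c_status != b_status:
        findings.append(f"status differs: browser={b_status} crawler={c_status}")
    location = c_headers.get("location")
    if location and location != b_headers.get("location"):
        findings.append(f"crawler-only redirect: {location}")
    extra = external_hosts(c_body, own_domain) - external_hosts(b_body, own_domain)
    findings += [f"crawler-only external host: {h}" for h in sorted(extra)]
    return findings

# Constructed sample captures (not real traffic); hosts use reserved example names.
PAGE = ('<a href="/courses">Courses</a>'
        '<script src="https://cdn.example.net/app.js"></script>')
SAMPLE_BROWSER = (200, {"Content-Type": "text/html"}, PAGE)
SAMPLE_CRAWLER = (200, {"Content-Type": "text/html"},
                  PAGE + '<a href="https://bet-promo.example/slots">slots</a>')
SAMPLE_REDIRECT = (302, {"Location": "https://bet-promo.example/"}, "")

if __name__ == "__main__":
    for line in cloaking_report("example.edu", SAMPLE_BROWSER, SAMPLE_CRAWLER):
        print(line)
```

A finding is a lead to investigate on the server (for example, reviewing the IIS modules installed on it), not proof of compromise, since sites can legitimately vary content per client.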