GhostRedirector Hackers Target Windows Servers Using Malicious IIS Module to Alter Search Results

A newly identified hacking group, dubbed “GhostRedirector” by cybersecurity researchers, has compromised at least 65 Windows servers globally, deploying custom malware designed to manipulate search engine results for financial gain. According to a report from ESET, the threat actor utilises a malicious module for Microsoft’s Internet Information Services (IIS) to conduct a sophisticated SEO fraud scheme, primarily benefiting gambling websites. The attacks, active since at least August 2024, employ two previously undocumented custom tools: a passive C++ backdoor named “Rungan” and a malicious native IIS module called “Gamshen.” Rungan gives the attackers command execution on a compromised server, while Gamshen is the core of the operation, providing “SEO fraud as-a-service.” Because it is a native IIS module, Gamshen loads into the web server process itself and sees every request the server handles; researchers explain that it intercepts this traffic but activates only when it detects a request from Google’s web crawler, Googlebot.

For regular visitors, and for the site’s own administrators browsing it, the website functions normally, but when Googlebot scans the site, Gamshen modifies the server’s response, injecting data fetched from its own command-and-control server. This technique enables the attackers to create artificial backlinks and employ other manipulative SEO tactics, effectively hijacking the compromised website’s reputation to boost the page ranking of a target website. ESET believes the primary beneficiaries of this scheme are various gambling websites targeting Portuguese-speaking users.

The campaign has been attributed with medium confidence to a previously unknown, China-aligned threat actor, based on factors such as the use of a code-signing certificate issued to a Chinese company and hardcoded Chinese-language strings within the malware samples. The victimology indicates an opportunistic approach rather than a targeted campaign against a specific industry, with compromised servers spanning sectors like healthcare, retail, transportation, education, and technology, primarily located in Brazil, Thailand, and Vietnam.
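Two checks a defender can run against the behaviour described in the two paragraphs above, written here as an added example for this page (it is not ESET’s tooling and not GhostRedirector code). The first parses the `<globalModules>` section of IIS’s `applicationHost.config`, which is where any native module, Gamshen included, has to be registered before IIS will load it, and flags module images that live outside the stock `inetsrv` directory. The second diffs the HTML a server returns to an ordinary browser against what it returns to a Googlebot User-Agent and reports links only the crawler is shown, which is exactly the cloaking the article describes. The configuration fragment, the module name `ExampleCacheModule`, and the `*.example` gambling URLs are constructed for the example and are not known indicators; the Googlebot User-Agent string is Google’s documented one.

```python
"""Offline checks for native IIS module registration and crawler-only
content (added example, not GhostRedirector or ESET code)."""
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment. The last entry (name and
# image path) is hypothetical, not a real GhostRedirector indicator.
SAMPLE_APPHOST = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticCompressionModule" image="%windir%\\System32\\inetsrv\\compstat.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="ExampleCacheModule" image="C:\\inetpub\\temp\\cache\\examplemod.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Stock IIS native modules ship from this directory; anything else is a lead.
TRUSTED_MODULE_DIR = "%windir%\\system32\\inetsrv\\"


def list_native_modules(apphost_xml: str) -> list[dict]:
    """Return every native module registered in <globalModules>, flagging
    images that are not under the stock inetsrv directory."""
    root = ET.fromstring(apphost_xml)
    section = root.find("./system.webServer/globalModules")
    if section is None:
        return []
    mods = []
    for add in section.findall("add"):
        image = add.get("image", "")
        mods.append({
            "name": add.get("name", ""),
            "image": image,
            "suspicious": not image.lower().startswith(TRUSTED_MODULE_DIR),
        })
    return mods


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed page as served to a normal browser.
SAMPLE_BROWSER_HTML = """<html><body>
<a href="/about">About us</a>
<a href="/contact">Contact</a>
</body></html>"""

# Constructed version of the same page as served to a Googlebot User-Agent,
# with hidden backlinks injected; the target domains are made up.
SAMPLE_CRAWLER_HTML = """<html><body>
<a href="/about">About us</a>
<a href="/contact">Contact</a>
<div style="display:none">
<a href="https://casino.example/pt/bonus">melhor cassino online</a>
<a href="https://apostas.example/">apostas esportivas</a>
</div>
</body></html>"""


def crawler_only_links(browser_html: str, crawler_html: str) -> list[str]:
    """Links present in the crawler-facing response but absent from the
    browser-facing one: the signature of search-engine cloaking."""
    browser_links = set(HREF_RE.findall(browser_html))
    crawler_links = set(HREF_RE.findall(crawler_html))
    return sorted(crawler_links - browser_links)


def fetch_as(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch a URL with a chosen User-Agent (network; not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url: str) -> list[str]:
    """Live differential fetch of one URL under both User-Agents."""
    return crawler_only_links(fetch_as(url, BROWSER_UA),
                              fetch_as(url, GOOGLEBOT_UA))


if __name__ == "__main__":
    for m in list_native_modules(SAMPLE_APPHOST):
        print(("SUSPICIOUS " if m["suspicious"] else "ok         ") + m["name"], m["image"])
    print("crawler-only links:", crawler_only_links(SAMPLE_BROWSER_HTML, SAMPLE_CRAWLER_HTML))
```

On a real server, feed `list_native_modules` the contents of `%windir%\System32\inetsrv\config\applicationHost.config` and run `check_site` against the site’s public pages from outside the network. Both results are leads rather than verdicts: a flagged image path should be followed up by checking the DLL’s signer and hash (for instance with `Get-AuthenticodeSignature`), and a module can identify the crawler by more than the User-Agent header (source IP ranges, for example), so an empty diff does not prove the server is clean.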

Categories: Cybersecurity Threats, SEO Fraud, Malware Techniques 

Tags: GhostRedirector, Hacking Group, Windows Servers, Custom Malware, SEO Fraud, Gambling Websites, IIS Module, Backdoor, Command-and-Control, SQL Injection 
