GhostRedirector Emerges as New China-Aligned Threat Actor

by CybrGPT

A newly identified hacking group has compromised at least 65 Windows servers worldwide, primarily in Brazil, Thailand and Vietnam.

According to ESET researchers, the group, named GhostRedirector, deployed two previously unknown tools: a C++ backdoor called Rungan and a malicious Internet Information Services (IIS) module known as Gamshen.

Rungan enables attackers to execute commands on compromised servers. Gamshen, meanwhile, manipulates search engine results to artificially inflate the rankings of certain websites, particularly gambling platforms.

This tactic, described as SEO fraud-as-a-service, leverages compromised servers to improve page rankings without affecting regular visitors.

“Gamshen […] does not serve malicious content or otherwise affect regular visitors of the websites – participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques and the boosted websites,” ESET explained.

The researchers also noted that GhostRedirector relied on known privilege-escalation exploits, BadPotato and EfsPotato, to gain administrator privileges. These escalations allowed the creation of new accounts, ensuring attackers could maintain access even if other malware was removed.


The attacks were not limited to one industry. ESET observed victims across a broad set of sectors, including healthcare, insurance, retail, transportation, technology and education.

Most affected servers were located in Brazil, Peru, Thailand, Vietnam and the US, though smaller clusters were seen in Canada, Finland, India, the Netherlands, the Philippines and Singapore.

Investigators concluded with medium confidence that GhostRedirector is aligned with China. Several indicators supported this, including hardcoded Chinese strings, a code-signing certificate tied to a Chinese company and a password containing the Mandarin word “huang” – Chinese for yellow.

This activity resembles that of another China-aligned group, DragonRank, previously linked to SEO fraud. While there is some overlap in geography and targeted sectors, ESET emphasized that there is no evidence that the two groups are connected.

GhostRedirector has been active since at least August 2024, according to ESET. The campaign highlights how native IIS modules can be abused to silently manipulate search rankings.

By embedding malicious code into Microsoft’s web server software, attackers not only achieve persistence but also use legitimate platforms to funnel traffic toward shady websites.

ESET researchers warned that such campaigns can erode trust in compromised organizations, even when end-users are not directly harmed.

To defend against similar threats, security experts advise organizations to monitor IIS servers for unusual modules, apply timely security patches, restrict the use of high-privilege accounts and review PowerShell activity for suspicious downloads.

Regular audits of server configurations and user accounts can also help detect malicious persistence before it causes long-term damage.
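The two checks recommended above, a review of the native IIS modules loaded on a server and a review of administrator accounts, can be scripted. The following PowerShell is an added example written for this article; it is not ESET's code or part of their research. It assumes the IIS WebAdministration module is available and that the Security event log is being retained, and it flags any global IIS module whose DLL is not validly signed by Microsoft together with any local account created in the last 30 days that now sits in the Administrators group.

```powershell
# Added example: audit native IIS global modules and recent local administrators.
# Assumes an elevated prompt on the IIS host and the WebAdministration module.
Import-Module WebAdministration -ErrorAction Stop

function Get-SuspiciousIISModule {
    # Native IIS modules are registered in <globalModules> of applicationHost.config.
    # Every legitimate module shipped by Microsoft is Authenticode-signed by Microsoft,
    # so an unsigned, invalid or third-party signature on a global module deserves review.
    Get-WebGlobalModule | ForEach-Object {
        # Image paths usually contain %windir%; expand before touching the file.
        $image = [Environment]::ExpandEnvironmentVariables($_.Image)
        $sig   = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Module    = $_.Name
            Image     = $image
            SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Where-Object {
        $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
    }
}

function Get-RecentLocalAdmin {
    param([int]$Days = 30)
    # Event 4720 is "A user account was created". Cross-reference the created
    # accounts with current membership of the local Administrators group.
    $since   = (Get-Date).AddDays(-$Days)
    $created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In 4720 the new account's SAM name is the first property (TargetUserName).
            [pscustomobject]@{ Account = $_.Properties[0].Value; Created = $_.TimeCreated }
        }
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] }
    $created | Where-Object { $admins -contains $_.Account }
}

Write-Host '== IIS global modules not validly signed by Microsoft =='
Get-SuspiciousIISModule | Format-Table -AutoSize

Write-Host '== Local administrators created in the last 30 days =='
Get-RecentLocalAdmin | Format-Table -AutoSize
```

A clean server normally produces an empty first table, since every module Microsoft ships is signed; a module whose DLL sits outside the IIS install directory and carries no signature, or a signature from an unexpected company, is exactly what should be compared against a known-good baseline and investigated. The second check depends on the Security log still holding the 4720 events, so it is most useful alongside forwarding of those events to a central log store.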
