New threat group uses custom tools to hijack search results

by CybrGPT

ESET Research has identified a new threat group called GhostRedirector. In June 2025, this group broke into at least 65 Windows servers, mostly in Brazil, Thailand, Vietnam, and the United States.

Countries where GhostRedirector victims were detected (Source: ESET)

GhostRedirector used two custom tools that had not been documented before: a passive C++ backdoor called Rungan and a malicious IIS module called Gamshen. The group is very likely linked to China.

Rungan can run commands on an infected server. Gamshen is designed to run SEO fraud as a service, manipulating Google search results to boost the ranking of specific websites. Its main goal is to drive traffic to gambling websites.

“Even though Gamshen only modifies the response when the request comes from Googlebot — i.e., it does not serve malicious content or otherwise affect regular visitors of the websites — participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques, as well as with the boosted websites,” explains ESET researcher Fernando Tavella, who made the discovery.
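The behaviour Tavella describes, a response that changes only when the client is Googlebot, is classic search-engine cloaking, and the cheapest way for a site owner to look for it is to fetch the same page twice, once as a browser and once identifying as Googlebot, and compare the outbound links. The script below does that comparison. It is an added example written for this article, not code from ESET or from the Gamshen module; the HTML samples and host names in it are constructed, and it assumes the module keys on the User-Agent header (if it verifies the crawler some other way, a spoofed fetch will not trigger it, so an empty result does not prove a site is clean).

```python
"""Compare a page as served to a normal browser with the same page as served
to a client identifying as Googlebot, and report link targets that appear
only in the crawler version.

Added example, not code from ESET or from the Gamshen module. The HTML
samples below are constructed for the demo and their host names are
placeholders.
"""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Public User-Agent strings. Whether a cloaking module accepts a spoofed
# crawler UA is an assumption; it may verify the crawler another way.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def external_hosts(html, own_host):
    """Hosts linked from the page other than the site itself."""
    parser = LinkExtractor()
    parser.feed(html)
    hosts = set()
    for href in parser.links:
        host = urlsplit(href).hostname
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def compare_responses(browser_html, crawler_html, own_host):
    """Return hosts linked only in the crawler version plus per-version counts."""
    browser_hosts = external_hosts(browser_html, own_host)
    crawler_hosts = external_hosts(crawler_html, own_host)
    return {
        "crawler_only_hosts": sorted(crawler_hosts - browser_hosts),
        "browser_links": len(browser_hosts),
        "crawler_links": len(crawler_hosts),
    }


def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Live check of one URL on a server you administer."""
    own_host = urlsplit(url).hostname
    return compare_responses(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), own_host)


# Constructed samples: the crawler version carries an injected, hidden outbound link.
BROWSER_SAMPLE = """<html><body>
<a href="/about">About</a>
<a href="https://partner.example">Partner</a>
</body></html>"""

CRAWLER_SAMPLE = """<html><body>
<a href="/about">About</a>
<a href="https://partner.example">Partner</a>
<div style="display:none"><a href="https://boosted-site.invalid/play">bonus</a></div>
</body></html>"""

if __name__ == "__main__":
    print(compare_responses(BROWSER_SAMPLE, CRAWLER_SAMPLE, "www.example.com"))
```

Comparing raw bodies is noisy because timestamps, session tokens and ads differ between any two fetches; the set of external hosts is the signal that matters for SEO fraud, since the whole point of the module is to inject links to the boosted sites. Google Search Console's URL inspection view, which shows the page exactly as Googlebot received it, is the authoritative cross-check when a spoofed User-Agent does not trigger the module.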

GhostRedirector uses several other custom tools along with the publicly known exploits EfsPotato and BadPotato. These are used to create a privileged account on the server. That account can then be used to download and run other malicious programs with higher permissions. It can also serve as a backup if the Rungan backdoor or other tools are removed from the system.

The victims are spread across different countries, but many of the compromised servers in the United States appear to have been leased to companies based in Brazil, Thailand, and Vietnam. These are also the countries where most of the other hacked servers are located. ESET Research believes this shows GhostRedirector was mainly focused on targets in Latin America and Southeast Asia.

The group does not seem to favor one industry over another. Victims have been found in education, healthcare, insurance, transportation, technology, and retail.

ESET data suggests GhostRedirector likely gains access by exploiting a vulnerability, probably an SQL injection. Once inside, the attackers take control of a Windows server and download a variety of malicious tools. These include a privilege escalation tool, malware that plants multiple webshells, and the Rungan backdoor or Gamshen IIS module. The privilege escalation tool can also be used to regain access if the group is locked out. The backdoor allows them to communicate over the network, run files, view directory contents, and change services and Windows registry keys.
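A native IIS module such as Gamshen has to be registered in the server's applicationHost.config before IIS will load it, which makes that file the first place to audit on a suspect host. The script below lists every module registered under globalModules and flags those whose DLL does not sit in a directory IIS ships its own modules from. It is an added example, not code from ESET's report; the configuration excerpt and the module name SeoHelper are constructed for the demo, and the TRUSTED_DIRS allow-list is an assumption that a per-server baseline should replace.

```python
"""List the native modules registered in IIS's applicationHost.config and
flag any whose DLL lives outside the directories IIS loads its own
modules from.

Added example, not from ESET's report. The config excerpt and the module
name "SeoHelper" are constructed; TRUSTED_DIRS is an assumed allow-list.
"""
import ntpath
import xml.etree.ElementTree as ET

# Default location of the IIS configuration store on Windows.
DEFAULT_CONFIG = r"C:\Windows\System32\inetsrv\config\applicationHost.config"

# Assumed allow-list: directories from which IIS's stock modules load.
TRUSTED_DIRS = (
    r"C:\Windows\System32\inetsrv",
    r"C:\Windows\Microsoft.NET",
)

# Constructed excerpt in the real file's layout: two stock modules and one
# registered from a web-writable directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="SeoHelper" image="C:\\inetpub\\wwwroot\\bin\\seohelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand_windows_vars(path, windir=r"C:\Windows"):
    """Resolve the %windir% / %SystemRoot% forms used in applicationHost.config."""
    for var in ("%windir%", "%SystemRoot%"):
        path = path.replace(var, windir)
    return path


def global_modules(xml_text):
    """Yield (name, image_path) for each <add> under <globalModules>."""
    root = ET.fromstring(xml_text)
    for web_server in root.iter("system.webServer"):
        for block in web_server.iter("globalModules"):
            for entry in block.findall("add"):
                yield entry.get("name"), entry.get("image")


def is_trusted_path(image, trusted_dirs=TRUSTED_DIRS):
    """True if the DLL path is inside one of the trusted directories."""
    path = ntpath.normpath(expand_windows_vars(image)).lower()
    for directory in trusted_dirs:
        prefix = ntpath.normpath(directory).lower().rstrip("\\") + "\\"
        if path.startswith(prefix):
            return True
    return False


def audit_modules(xml_text, trusted_dirs=TRUSTED_DIRS):
    """Return the names of registered modules loading from untrusted paths."""
    suspicious = []
    for name, image in global_modules(xml_text):
        if image and not is_trusted_path(image, trusted_dirs):
            suspicious.append(name)
    return suspicious


def audit_file(path=DEFAULT_CONFIG):
    """Audit a real applicationHost.config (the file usually carries a BOM)."""
    with open(path, encoding="utf-8-sig") as handle:
        return audit_modules(handle.read())


if __name__ == "__main__":
    for name, image in global_modules(SAMPLE_CONFIG):
        print(f"{name:20s} {image}")
    print("untrusted:", audit_modules(SAMPLE_CONFIG))
```

The path check is a first filter, not a verdict: a module dropped into the inetsrv directory itself would pass it, so the registered list should also be compared with a known-good baseline from a clean server of the same IIS version, and each DLL's Authenticode signature checked. The rogue accounts mentioned above belong in the same sweep, since the report describes them as the fallback the group keeps if the backdoor or module is removed.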

“GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all in an effort to maintain long-term access to the compromised infrastructure,” said Tavella.
