Chinese Cyber Attackers Go after Google to Support Gambling Sites

A threat actor believed to operate from China is running an SEO manipulation campaign that pushes gambling websites up Google's rankings. ESET researchers, who track the operation as "GhostRedirector," found that the attackers compromise Windows web servers and then install malware that escalates privileges, keeps persistent access open, and manipulates what Google's crawler sees when it indexes the compromised sites.

The campaign has been active since at least August 2024 and has hit at least 65 servers, mostly in Brazil, Vietnam and Thailand; a few of the compromised servers are hosted in the United States but belong to organisations from those same countries. ESET reconstructed GhostRedirector's attack chain: the attackers first break into a Windows web server, most likely through an unpatched SQL injection vulnerability. PowerShell scripts then download further tooling, including two previously undocumented implants that ESET named Rungan and Gamshen, while the known privilege escalation exploits EfsPotato and BadPotato are used to gain higher privileges on the host.

Rungan and Gamshen: Sophisticated Backdoors Targeting Web Servers

Rungan is a passive backdoor written in C++ that lets the attackers control the compromised web server and run commands on it remotely. Gamshen, by contrast, is a malicious native Internet Information Services (IIS) module. IIS, Microsoft's web server, has a modular architecture that lets developers extend it with native modules; such a module is loaded into the IIS worker process and runs with that process's full privileges, which makes a malicious one like Gamshen hard to detect and hard to remove.

Attackers have long abused native IIS modules after taking control of a server to alter how it handles traffic; ESET's 2021 research on native IIS malware found it being used for cybercrime, cyberespionage and SEO fraud. According to ESET, the real purpose of adding a module like Gamshen to a server is to "intercept HTTP requests" reaching the compromised host and change the server's responses, but only for specific requests.

Microsoft has previously warned that malicious IIS modules are a serious threat and has described how attackers use them to plant stealthy backdoors on high-value servers. Research published by Splunk in July reported attackers chaining SharePoint vulnerabilities with malicious IIS modules to retain deep access to exposed systems. IIS backdoors are hard for defenders to spot, according to Microsoft, because they are placed in the same directories as legitimate server modules and follow the same code structure as the genuine ones; only close inspection of the module or additional context reveals that something is wrong.

Understanding SEO Poisoning and the Gamshen Module

For the SEO poisoning itself, Gamshen injects hidden backlinks that promote the sites GhostRedirector wants to boost. When Google's crawler, Googlebot, requests a page from a compromised server, Gamshen recognises the crawler and inserts backlinks to the target sites directly into the response that Google will index; ordinary visitors receive the unmodified page. The attackers thereby accumulate a large number of backlinks from otherwise legitimate but compromised websites, which manipulates search ranking algorithms and pushes the gambling sites up the results. GhostRedirector is not the first China-linked group to use this trick: Cisco Talos reported last year that the DragonRank actor did the same thing by installing malware, including BadIIS, for the same purpose.
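One practical way to check a site for the behaviour described above is to request the same page once as a browser and once as Googlebot and diff the links. The script below is an added example, not code from ESET or from the GhostRedirector toolset; the hostname in the usage line is a placeholder, and it assumes the cloaking module keys only on the User-Agent header.

```powershell
# Added example; not code from ESET or from the GhostRedirector toolset.
# Requests one URL as a browser and as Googlebot and reports links that appear
# only in the Googlebot response, the symptom a Gamshen-style module produces.
# Works in Windows PowerShell 5.1 and PowerShell 7. Only test sites you are
# authorised to test; the hostname in the usage line is a placeholder.

$BrowserUA   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36'
$GooglebotUA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

function Get-HrefTargets {
    param([string]$Html)
    # A simple regex over <a href="..."> is enough for a diff between two responses
    $pattern = '<a\b[^>]*?\bhref\s*=\s*["'']([^"'']+)["'']'
    [regex]::Matches($Html, $pattern, 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value.Trim() } |
        Sort-Object -Unique
}

function Get-PageLinks {
    param([string]$Url, [string]$UserAgent)
    # -UseBasicParsing avoids the Internet Explorer HTML parser on Windows PowerShell 5.1
    $resp = Invoke-WebRequest -Uri $Url -UserAgent $UserAgent -UseBasicParsing -MaximumRedirection 3
    Get-HrefTargets -Html $resp.Content
}

function Find-CloakedLinks {
    param([Parameter(Mandatory)][string]$Url)
    $normal   = @(Get-PageLinks -Url $Url -UserAgent $BrowserUA)
    $forBot   = @(Get-PageLinks -Url $Url -UserAgent $GooglebotUA)
    $siteHost = ([uri]$Url).Host

    # Anything the crawler sees that a browser does not is cloaked content
    foreach ($link in $forBot) {
        if ($normal -contains $link) { continue }
        $target = $null
        if (-not [uri]::TryCreate([uri]$Url, $link, [ref]$target)) { continue }
        [pscustomobject]@{
            Link     = $target.AbsoluteUri
            External = ($target.Host -ne $siteHost)   # off-site backlinks are the SEO payload
        }
    }
}

# Usage (placeholder hostname):
# Find-CloakedLinks -Url 'https://www.example.com/' | Format-Table -AutoSize
```

Run it a couple of times against the same URL so that legitimately rotating content (ads, "related posts") is not mistaken for cloaking; a persistent set of off-site links that only the Googlebot request receives is the signal. A module that validates the crawler by source IP or reverse DNS rather than by User-Agent will not be triggered by this check, so a clean result is not proof of a clean server.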

Because a native module can only be installed by someone who already has administrative access to the web server, ESET advises organisations to use dedicated accounts with strong, unique passwords for IIS administration and to enable multifactor authentication. It also recommends restricting native module installation to trusted code and verifying that any module is signed by a publisher the organisation recognises and trusts.
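The two points above, Microsoft's observation that IIS backdoors hide alongside legitimate modules and ESET's advice to accept only signed modules from trusted publishers, translate into a concrete audit of the native modules IIS has registered. The script below is an added example, not ESET's or Microsoft's tooling; it assumes that only Microsoft-signed modules are expected on the host, which you adjust through the `-TrustedSignerPatterns` parameter if a third-party module is legitimately installed.

```powershell
# Added example; not ESET's or Microsoft's tooling. Lists every native module
# registered in IIS (the <globalModules> section of applicationHost.config),
# checks where its DLL lives and whether it carries a valid Authenticode
# signature, and flags anything unsigned, signed by an unexpected publisher,
# loaded from outside %windir%\System32\inetsrv, or missing on disk.
# Run in an elevated PowerShell on the IIS host. Assumption: only Microsoft-signed
# modules are expected; add your own vendor to -TrustedSignerPatterns if you ship one.

function Get-IisNativeModuleAudit {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
        [string[]]$TrustedSignerPatterns = @('*O=Microsoft Corporation*')
    )
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $inetsrv = "$env:windir\System32\inetsrv"

    # Names of modules switched on in any <modules> section (server-wide or per site/location)
    $enabledNames = @($cfg.SelectNodes('//system.webServer/modules/add') |
        ForEach-Object { $_.GetAttribute('name') })

    foreach ($m in $cfg.SelectNodes('//system.webServer/globalModules/add')) {
        $name  = $m.GetAttribute('name')
        $image = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
        if (-not $image) { continue }   # malformed entry; nothing to check on disk
        $exists = Test-Path -LiteralPath $image -PathType Leaf

        $sig = $null; $signer = ''; $sha256 = ''
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $image
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $sha256 = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
        }
        $validSig  = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
        $trusted   = $validSig -and (@($TrustedSignerPatterns | Where-Object { $signer -like $_ }).Count -gt 0)
        $inInetsrv = $image.StartsWith($inetsrv, [System.StringComparison]::OrdinalIgnoreCase)

        $flags = @()
        if (-not $exists)                 { $flags += 'MissingFile' }
        if (-not $inInetsrv)              { $flags += 'OutsideInetsrv' }
        if ($exists -and -not $validSig)  { $flags += 'UnsignedOrBadSignature' }
        if ($validSig -and -not $trusted) { $flags += 'UnexpectedSigner' }

        [pscustomobject]@{
            Name      = $name
            Enabled   = ($enabledNames -contains $name)   # part of the request pipeline somewhere
            Image     = $image
            Signature = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer    = $signer
            Sha256    = $sha256
            Flags     = ($flags -join ',')
        }
    }
}

# Usage: show only the modules that tripped a check
# Get-IisNativeModuleAudit | Where-Object Flags | Format-Table Name, Enabled, Image, Signature, Flags -AutoSize
```

Two caveats when reading the output. Catalog-signed Microsoft binaries report `Valid` on Windows 10 and Windows Server 2016 or later, but on older servers they can come back as `NotSigned`, so compare the SHA-256 of a flagged file in `inetsrv` against a known-good installation before treating it as malicious. And because an attacker with administrative access can re-register a module after cleanup, the useful pattern is to run the audit on a schedule and diff the result against the previous run rather than to inspect it once.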
