
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

Medium
Published: Thu Sep 04 2025 (09/04/2025, 23:40:48 UTC)
Source: AlienVault OTX General

Description

ESET researchers have identified a new threat actor, GhostRedirector, targeting Windows servers with custom tools. The group has compromised at least 65 servers, mainly in Brazil, Thailand, and Vietnam, across various sectors. Their arsenal includes Rungan, a passive C++ backdoor, and Gamshen, a malicious IIS module for SEO fraud. GhostRedirector also uses public exploits for privilege escalation and creates rogue user accounts to maintain access. The attacks aim to manipulate Google search results, promoting gambling websites through shady SEO techniques. Evidence suggests GhostRedirector is a China-aligned actor, active since at least August 2024. The campaign demonstrates sophisticated tactics for server compromise and long-term access maintenance.

AI-Powered Analysis

Last updated: 10/08/2025, 07:20:03 UTC

Technical Analysis

GhostRedirector is a newly identified threat actor revealed by ESET researchers, focusing on compromising Windows servers using a combination of custom malware and publicly known exploits. The group’s arsenal includes Rungan, a passive backdoor written in C++, which likely provides stealthy command and control capabilities, and Gamshen, a malicious IIS module designed to manipulate search engine results to promote gambling websites through SEO fraud. The attackers exploit privilege escalation vulnerabilities to gain higher system privileges and create rogue user accounts to maintain persistent access. The campaign has compromised at least 65 servers, primarily in Brazil, Thailand, and Vietnam, across diverse sectors. The use of a malicious IIS module indicates a focus on web servers running Microsoft’s Internet Information Services, enabling direct manipulation of web traffic and content to influence search engine rankings. The threat actor is believed to be China-aligned and has been active since at least August 2024. Although no public exploit specific to this campaign is known to be in the wild, the group’s reliance on public privilege escalation exploits suggests it leverages existing, already-disclosed vulnerabilities to gain initial or escalated access. The campaign’s goal appears to be financial gain through SEO fraud: redirecting or poisoning Google search results to favor gambling websites, which generates illicit revenue. The sophistication of the tools and persistence mechanisms indicates a well-resourced and patient adversary capable of long-term operations.

Potential Impact

For European organizations, the GhostRedirector threat could lead to unauthorized access and control over Windows servers, particularly those running IIS. This can result in compromised web infrastructure, manipulation of web content, and reputational damage if their websites are used to promote fraudulent or malicious content. The presence of backdoors and rogue accounts increases the risk of further lateral movement within networks, data exfiltration, or use of compromised servers as part of broader malicious campaigns. SEO fraud can also distort legitimate business operations and damage trust with customers and partners. Although the current known infections are outside Europe, the techniques and tools used could be adapted to target European servers, especially in sectors with high IIS usage or those involved in online gambling, marketing, or SEO services. The medium severity rating reflects the threat’s potential to disrupt integrity and availability of web services, as well as the confidentiality risks posed by persistent backdoors and unauthorized access.

Mitigation Recommendations

European organizations should implement targeted detection and response measures focusing on IIS server integrity and user account management. Specifically, they should:

1) Audit IIS modules regularly to detect unauthorized or suspicious modules like Gamshen;
2) Monitor for creation of rogue user accounts and unusual privilege escalations;
3) Apply all relevant security patches promptly, especially those addressing privilege escalation vulnerabilities;
4) Employ endpoint detection and response (EDR) tools capable of identifying stealthy backdoors such as Rungan;
5) Use web application firewalls (WAF) to monitor and block suspicious web traffic and SEO manipulation attempts;
6) Conduct threat hunting exercises focusing on indicators of compromise related to GhostRedirector’s tactics;
7) Harden server configurations by disabling unnecessary IIS features and enforcing least privilege principles;
8) Implement network segmentation to limit lateral movement from compromised servers; and
9) Educate IT staff on emerging threats involving SEO fraud and malicious IIS modules to improve detection capabilities.
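A starting point for items 1 and 2 above, added here as an example and not taken from the page or from ESET's research: it lists every native module registered in IIS's applicationHost.config, flags those whose DLL sits outside the IIS or .NET directories or lacks a valid Authenticode signature, and then pulls recent local account creation and group membership events from the Security log. It assumes the default applicationHost.config location, that legitimate native modules live under inetsrv or Microsoft.NET, and a 30-day lookback window.

```powershell
# Added example, not from the page or ESET's report. Run in an elevated
# PowerShell on the IIS host. Assumptions: default applicationHost.config
# path, trusted module directories below, and a 30-day audit window.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -Path $configPath -Raw

# Directories where IIS and .NET install their own native modules (assumption).
$trustedRoots = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

# 1) Every native module IIS loads is registered under <globalModules>;
#    flag any whose DLL is outside the trusted roots or is not validly signed.
$modules = @($config.configuration.'system.webServer'.globalModules.add)
$moduleReport = foreach ($m in $modules) {
    $image = [Environment]::ExpandEnvironmentVariables($m.image)
    $trusted = $false
    foreach ($root in $trustedRoots) {
        if ($image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    $sigStatus = if (Test-Path -LiteralPath $image) {
        (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
    } else { 'FileMissing' }
    [pscustomobject]@{
        Module     = $m.name
        Image      = $image
        TrustedDir = $trusted
        Signature  = $sigStatus
        Review     = (-not $trusted) -or ($sigStatus -ne 'Valid')   # needs a human look
    }
}
$moduleReport | Sort-Object Review -Descending | Format-Table -AutoSize

# 2) Rogue accounts: Security log events for local account creation (4720)
#    and members added to security-enabled local groups such as Administrators (4732).
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]   # first line names the account/group
        }
    } | Format-Table -AutoSize
```

Treat the output as a review list rather than a verdict: a module outside the trusted roots or with an unexpected signature status, or an account creation nobody can account for, is what to investigate next against the IoCs and the ESET report.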


Technical Details

Author
AlienVault
TLP
white
References
https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes
Adversary
GhostRedirector
Pulse Id
68ba2380ae861d314e902af1
Threat Score
null

Indicators of Compromise


Threat ID: 68ba9edb7a8eab2bb04a595f

Added to database: 9/5/2025, 8:27:07 AM

Last enriched: 10/8/2025, 7:20:03 AM

Last updated: 10/20/2025, 10:40:47 AM

Views: 146
