In June 2025, ESET researchers unearthed a previously unknown threat actor they call GhostRedirector, which had compromised at least 65 Windows servers around the globe. The attackers deployed two custom tools – a passive C++ backdoor named Rungan and a malicious Internet Information Services (IIS) module called Gamshen – to manipulate search engine results and maintain persistent remote control. The discovery, made public on September 4, 2025, reveals a novel blend of stealthy search-engine fraud and traditional backdoor persistence that has quietly poisoned servers in Brazil, Thailand, Vietnam, the United States, and several other nations.

ESET’s investigation shows that the campaign was active between December 2024 and April 2025, with a follow‑up internet‑wide scan in June 2025 uncovering additional victims. The infected servers span multiple sectors – education, healthcare, insurance, transportation, technology, and retail – indicating that GhostRedirector opportunistically targets internet‑facing IIS hosts rather than any single industry. The group’s tooling and operational patterns strongly suggest Chinese alignment, though ESET frames the attribution as an analytic judgment rather than an undisputed conclusion.

Stealth in the Server: How Gamshen Twists IIS for SEO Fraud

Gamshen is a native IIS module, a DLL that loads directly into the IIS worker process (w3wp.exe) and inspects every HTTP request. Its sole purpose is to serve different content to search‑engine crawlers – specifically Googlebot – than to ordinary human visitors. When a crawler requests a page, Gamshen injects redirects, backlinks, and doorway content that promote attacker‑configured gambling websites. Normal users, however, see the site exactly as intended.

This is cloaking in its most brazen form, a technique that search engines penalize heavily if discovered. Yet the approach is devilishly hard for site owners to spot. File‑system scans and manual audits return no anomalies because the modifications are generated on the fly. Only a careful analysis of response differences between standard browsers and crawler user‑agents – or direct inspection of the IIS module configuration – would raise a red flag. ESET researcher Fernando Tavella explains the reputational cost: “Even though Gamshen only modifies the response when the request comes from Googlebot … participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques.”

The module’s native‑code nature also grants it fine‑grained access to IIS internals. It can be registered persistently with APPCMD.EXE or by editing applicationHost.config directly, and once loaded it becomes an invisible proxy that the attacker can update remotely. Defenders accustomed to scanning for file‑based webshells or .NET implants will likely overlook a legitimate‑looking DLL signed with a stolen or spoofed certificate.
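Because a native module has to appear in the server‑level globalModules list of applicationHost.config before IIS will load it, that list is one place a defender can check directly. The script below is an added example written for this article; it is not ESET tooling and not anything recovered from GhostRedirector. It parses the globalModules section and flags every DLL that does not live where Microsoft‑shipped modules normally reside. The module names and paths in the embedded sample are constructed, and the trusted‑directory list assumes a default install with Windows on C:. On a real server, point it at %windir%\System32\inetsrv\config\applicationHost.config.

```python
"""Audit the server-level native module list in an IIS applicationHost.config.

Added example for this article; not ESET's tooling and not code from
GhostRedirector. It flags <globalModules> entries whose DLL lives outside
the directories where Microsoft-shipped modules normally reside.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample fragment. Module names and paths are hypothetical,
# not indicators from the report.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheHelper" image="C:\Windows\Temp\cachehelper.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Where Microsoft-shipped native modules live on a default install
# (assumption: Windows is installed on C:). Anything else deserves a look.
TRUSTED_PREFIXES = (
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net\framework",   # also covers Framework64
)


def expand_windir(path: str) -> str:
    """Resolve the %windir% token the way IIS does on a default install."""
    return path.replace("%windir%", r"C:\Windows")


def list_global_modules(config_xml: str):
    """Return (name, resolved DLL path) for every <globalModules><add> entry."""
    root = ET.fromstring(config_xml)
    return [
        (add.get("name"), expand_windir(add.get("image", "")))
        for add in root.iterfind("./system.webServer/globalModules/add")
    ]


def suspicious_modules(config_xml: str):
    """Return the modules whose DLL is outside the trusted directories."""
    flagged = []
    for name, image in list_global_modules(config_xml):
        normalized = str(PureWindowsPath(image)).lower()
        if not normalized.startswith(TRUSTED_PREFIXES):
            flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    # Usage: python audit_iis_modules.py [path\to\applicationHost.config]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            config = fh.read()
    else:
        config = SAMPLE_CONFIG
    for name, image in suspicious_modules(config):
        print(f"REVIEW: module {name!r} loads {image}")
```

A DLL path inside inetsrv is not proof of legitimacy, since an attacker with administrative rights can write there too; compare the list against a known‑good baseline or the output of `appcmd list modules`, and verify the signature and hash of any module you did not install yourself.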

Rungan: The Silent C++ Backdoor

Complementing Gamshen is Rungan, a passive C++ backdoor that grants attackers command execution, directory listing, and the ability to manipulate Windows Services and registry keys. Unlike the SEO module, Rungan doesn’t need to run inside the web server – it can operate as a standalone binary or co‑locate inside a legitimate process. ESET classifies it as “passive” because it awaits instructions rather than phoning home aggressively, making network‑based detection harder.

Compiled in native code, Rungan avoids the overhead and detection surfaces of managed .NET implants. It can interact directly with the Windows API to create new services, alter ServiceDLL entries, or modify critical registry paths – all of which serve as fallback persistence if the primary web‑based tools are removed. Together, Rungan and Gamshen form a dual‑threat architecture: one module silently manipulates search‑engine traffic, while the backdoor ensures the attackers can return even after partial cleanup.

Attack Chain: From SQL Injection to Privilege Escalation

ESET’s telemetry paints a clear picture of the intrusion lifecycle. The attackers likely gain initial access by exploiting a web‑facing vulnerability, with SQL injection being the strongest candidate. Once they have a foothold, they download and execute a series of tools:

  • Web shells – multiple ASP/ASPX webshells are dropped into writable directories, providing immediate code execution if the primary backdoor fails.
  • Privilege‑escalation tools – the notorious Potato family (EfsPotato and BadPotato are explicitly named) is weaponized to escalate from IIS worker privileges to SYSTEM. These binaries abuse Windows token‑handling semantics and named‑pipe impersonation to gain the highest privileges.
  • Persistence mechanisms – the attackers create rogue local administrator accounts, schedule tasks that run elevated binaries, and register the malicious IIS module. They also deploy Rungan and multiple other remote‑access tools to ensure overlapping access paths.

With the elevated privileges, the attackers register Gamshen as a native IIS module – a step that requires administrative access or the ability to modify IIS configuration. With SYSTEM‑level control, they can also disable logging, tamper with Windows Defender exclusions, and hide their artifacts more effectively.

ESET notes that the Potato exploits serve a dual purpose: they enable the initial installation of Gamshen and Rungan, and they also act as a fallback if the defenders manage to remove the other malware. By pre‑creating a privileged user account and installing a known‑good escalation path, GhostRedirector hedges against partial remediation.

Who is Being Targeted? A Global Web of Opportunism

The geographic distribution of victims offers a telling clue. While ESET found compromised servers in the United States, Canada, Finland, India, the Netherlands, the Philippines, and Singapore, the densest clusters are in Brazil, Thailand, and Vietnam. Many of the U.S.‑based servers were actually leased to companies headquartered in those three countries. This suggests that the attackers are primarily interested in Latin American and Southeast Asian targets, using U.S. hosting capacity as a convenient springboard.

Sectoral diversity further confirms an opportunistic targeting strategy. Educational institutions, hospitals, insurance firms, transportation companies, retailers, and tech providers all appear on the victim list. Any organization with an exposed IIS application – especially one vulnerable to SQL injection – is fair game. This broad surface underscores the danger of overlooking web‑application security on Windows servers.

Attribution: “China‑Aligned” with Analytic Caution

ESET assesses that GhostRedirector is very likely a China‑aligned threat actor. This judgment stems from observed tooling overlaps, infrastructure patterns, and telemetry that are consistent with other groups known to operate in the China‑aligned ecosystem. However, ESET explicitly frames this as an analytic hypothesis rather than a closed case.

Multiple China‑aligned groups have historically favored server‑side implants, web shells, and Potato‑style privilege escalation when targeting infrastructure in Southeast Asia and Latin America. Yet tools can be borrowed, code can be falsified, and infrastructure can be shared. Attribution in cybersecurity is probabilistic, and any serious analysis must acknowledge that technical indicators can only support, not definitively prove, a source.

Readers should treat the attribution as an informed ESET assessment that carries weight but remains subject to revision. The more actionable takeaway is the TTPs themselves – defenders can hunt for these behaviors regardless of which specific group is behind them.

The Real‑World Impact: Beyond the Breach

An SEO fraud campaign might sound less damaging than a ransomware outbreak or data theft, but the consequences for a victim can be severe:

  • Reputation damage: Search engines may penalize the compromised domain, de‑listing it or burying it in results. Recovering domain authority can take months of effort and directly hit brand trust and revenue.
  • Legal and compliance exposure: Sectors like healthcare, insurance, and education often handle regulated data. A breach that introduces backdoors onto a server used for processing sensitive information may trigger mandatory reporting obligations.
  • Resilience pitfall: With multiple backdoors, rogue accounts, and privilege‑escalation tools, GhostRedirector makes it easy for attackers to re‑enter even after an organization believes it has cleaned up. This leads to frustration and extended recovery timelines.
  • Abuse as infrastructure: Compromised servers can be used as relay nodes for further attacks, as link farms for black‑hat SEO, or as staging points for scanning and exploitation of additional targets – drawing the victim into a broader criminal ecosystem.

Detection and Hunting: Signals That Matter

Given the campaign’s stealth, signature‑based detection will likely lag. Defenders should instead focus on behavioral indicators and configuration anomalies. The following table outlines high‑value hunting signals:

  • Unauthorized IIS modules
    What to look for: Unknown DLLs loaded by w3wp.exe, especially in non‑standard folders. Check for suspicious entries via APPCMD or IIS Manager.
    Tools/methods: Sysmon (Event ID 7), PowerShell, process dump analysis
  • User‑Agent‑based content differences
    What to look for: Compare HTTP responses from generic browser user‑agents vs. Googlebot/Bingbot. Look for injected links, redirects, or HTML fragments only served to crawlers.
    Tools/methods: Custom scripting (e.g., curl with varied User‑Agent), WAF logs
  • Potato‑style escalation traces
    What to look for: Named‑pipe creation patterns (e.g., pipes with certain GUIDs), token impersonation events, and suspicious privileges assigned to IIS worker accounts.
    Tools/methods: Sysmon (Events 17, 18), Windows Security events (4672, 4673)
  • Rogue accounts and scheduled tasks
    What to look for: Newly created local/administrator accounts and tasks that run binaries from temporary directories or with SYSTEM privileges.
    Tools/methods: net user, schtasks queries, event logs (4720, 4698)
  • Web shell artifacts
    What to look for: Unusual .ASPX, .ASP, .PHP files in web directories; memory dumps of w3wp.exe containing characteristic webshell strings (e.g., “eval”, “cmd.exe”).
    Tools/methods: AV scans, YARA rules, Volatility
  • Unexpected service changes
    What to look for: New services with binary paths pointing to temporary folders, or ServiceDLL registry modifications under HKLM\SYSTEM\CurrentControlSet\Services.
    Tools/methods: Autoruns, registry auditing
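The crawler‑versus‑browser comparison suggested in the hunting signals above (and in the earlier description of how Gamshen keys on Googlebot) is simple to script. The following Python is an added example for this article, not ESET’s code and not the module’s: it requests one URL twice, once with a browser User‑Agent and once with Googlebot’s documented User‑Agent, refuses to follow redirects so that a crawler‑only redirect is visible, and then compares the link targets, status code, and Location header of the two responses. The embedded sample responses are constructed so the comparison logic can run offline; the injected domain is a reserved placeholder.

```python
"""Detect crawler-keyed cloaking by comparing two fetches of one URL.

Added example for this article; not ESET's code and not the module's.
The same URL is requested with a browser User-Agent and with Googlebot's
User-Agent, redirects are not followed, and the link targets, status code
and Location header of the two responses are compared. The sample
responses below are constructed so the comparison can run offline.
"""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


class LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.add(value)


def extract_links(html: str) -> set:
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def fetch(url: str, user_agent: str, timeout: float = 10.0):
    """Return (status, Location header or None, body) for one request."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx/5xx responses still carry headers and a body
    status = getattr(resp, "code", None) or resp.getcode()
    body = resp.read().decode("utf-8", errors="replace")
    return status, resp.headers.get("Location"), body


def compare_responses(browser, crawler):
    """Report what the crawler received that the browser did not."""
    b_status, b_location, b_body = browser
    c_status, c_location, c_body = crawler
    report = {
        "crawler_only_links": sorted(extract_links(c_body) - extract_links(b_body)),
        "status_differs": b_status != c_status,
        "redirect_differs": b_location != c_location,
    }
    report["suspicious"] = (bool(report["crawler_only_links"])
                            or report["status_differs"] or report["redirect_differs"])
    return report


# Constructed sample responses; example.invalid is a reserved placeholder domain.
SAMPLE_BROWSER = (200, None,
                  "<html><body><h1>Welcome</h1><a href='/about'>About</a></body></html>")
SAMPLE_CRAWLER = (200, None,
                  "<html><body><h1>Welcome</h1><a href='/about'>About</a>"
                  "<div style='display:none'><a href='https://example.invalid/casino'>best odds</a></div>"
                  "</body></html>")

if __name__ == "__main__":
    # Usage: python cloak_check.py https://your-site.example/page
    if len(sys.argv) > 1:
        url = sys.argv[1]
        result = compare_responses(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))
    else:
        result = compare_responses(SAMPLE_BROWSER, SAMPLE_CRAWLER)
    print(result)
```

Comparing link targets rather than raw bodies keeps nonces, ad slots, and other per‑request noise from producing false positives. A clean result from outside is not conclusive, though: a module could key on more than the User‑Agent header, so the authoritative check remains the module list on the server itself.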

Enabling Sysmon with detailed named‑pipe and command‑line logging is a critical first step. Sigma rules already exist for many of these behaviors, and vendors have published detection guidance aligned with this campaign.
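To make the named‑pipe signals concrete, here is an added triage script for Sysmon Event ID 17 (PipeCreated) and 18 (PipeConnected) records; it is written for this article and is not ESET detection content. It parses Sysmon events rendered to XML and flags the patterns the hunting list names: GUID‑shaped pipe names, pipe activity by a process running from a user‑writable or web‑content directory, and pipe creation by the IIS worker process itself. The embedded events, their process ids, pipe names, and paths are constructed, and the untrusted‑directory list is a triage assumption rather than a complete inventory.

```python
"""Triage Sysmon named-pipe events (ID 17 PipeCreated, ID 18 PipeConnected).

Added example for this article; not ESET's detection content. It parses
Sysmon events rendered to XML and flags the patterns named in the hunting
list: GUID-shaped pipe names, pipe activity from user-writable or
web-content directories, and pipe creation by the IIS worker process.
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GUID_RE = re.compile(
    r"^\\?\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)
# Directories a dropped binary commonly runs from (triage assumption, not a full list).
UNTRUSTED_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\inetpub\\",
                  "\\users\\public\\", "\\programdata\\")

# Constructed sample events: process ids, pipe names and paths are hypothetical.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>17</EventID></System>
  <EventData>
    <Data Name="EventType">CreatePipe</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="PipeName">\f3a1c2d4-5e6f-4a7b-8c9d-0e1f2a3b4c5d</Data>
    <Data Name="Image">C:\inetpub\wwwroot\uploads\svc.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>17</EventID></System>
  <EventData>
    <Data Name="EventType">CreatePipe</Data>
    <Data Name="ProcessId">1388</Data>
    <Data Name="PipeName">\spoolss</Data>
    <Data Name="Image">C:\Windows\System32\spoolsv.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>18</EventID></System>
  <EventData>
    <Data Name="EventType">ConnectPipe</Data>
    <Data Name="ProcessId">5560</Data>
    <Data Name="PipeName">\sql\query</Data>
    <Data Name="Image">C:\Windows\System32\inetsrv\w3wp.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>17</EventID></System>
  <EventData>
    <Data Name="EventType">CreatePipe</Data>
    <Data Name="ProcessId">6208</Data>
    <Data Name="PipeName">\updatesvc</Data>
    <Data Name="Image">C:\Windows\System32\inetsrv\w3wp.exe</Data>
  </EventData>
</Event>
</Events>
"""


def parse_pipe_events(xml_text: str):
    """Return a dict per Sysmon event with ID 17 or 18 (other IDs are skipped)."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        event_id = int(ev.findtext("e:System/e:EventID", default="0", namespaces=NS))
        if event_id not in (17, 18):
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        data["EventID"] = event_id
        events.append(data)
    return events


def triage(event: dict) -> list:
    """Return the reasons (possibly none) this pipe event deserves review."""
    reasons = []
    image = event.get("Image", "").lower()
    if event["EventID"] == 17 and image.rsplit("\\", 1)[-1] == "w3wp.exe":
        reasons.append("IIS worker process created a named pipe")
    if any(d in image for d in UNTRUSTED_DIRS):
        reasons.append("pipe activity from a user-writable or web-content directory")
    if GUID_RE.match(event.get("PipeName", "")):
        reasons.append("GUID-shaped pipe name")
    return reasons


def flagged_events(xml_text: str):
    """Events with at least one triage reason, each tagged with its reasons."""
    hits = []
    for event in parse_pipe_events(xml_text):
        reasons = triage(event)
        if reasons:
            hits.append({**event, "reasons": reasons})
    return hits


if __name__ == "__main__":
    # Usage: python pipe_triage.py [events.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            source = fh.read()
    else:
        source = SAMPLE_EVENTS
    for hit in flagged_events(source):
        print(f"PID {hit['ProcessId']} {hit['Image']} -> {hit['PipeName']}: "
              + "; ".join(hit["reasons"]))
```

Events exported with `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` arrive as a bare sequence of Event elements, so wrap them in a single root element before parsing. The worker‑process rule is a prompt for review rather than a verdict: legitimate application components may create pipes from w3wp.exe, so baseline your own servers, and correlate any hit with the token and privilege events (4672, 4673) listed in the hunting signals.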

Response Playbook: What to Do If You Suspect GhostRedirector

Organizations that identify signs of compromise should act swiftly but methodically to eradicate the threat and minimize damage.

Immediate Containment

  • Isolate affected IIS hosts from the network, preserving memory and disk images for forensics.
  • Block outbound connections to known malicious infrastructure (ESET provides IOCs).

Short‑Term Remediation

  • Remove all unauthorized IIS modules and scheduled tasks; disable suspicious accounts and reset all credentials on the affected server.
  • Replace exposed certificates, API keys, and service account passwords.

Hardening and Prevention

  • Patch all web applications and the underlying Windows Server operating system. Focus on SQL injection and other injection flaws identified by a code review.
  • Restrict the permission to install IIS modules to a minimal set of administrators protected by MFA and just‑in‑time access.
  • Deploy a Web Application Firewall (WAF) tuned to detect and block SQLi payloads and anomalous crawler responses.

Detection and Monitoring

  • Enforce Sysmon logging with a configuration that captures named‑pipe activity, driver loads, and process creations.
  • Implement alerts for content differences served to search‑engine user‑agents.
  • Continuously monitor for newly created services, accounts, and registry changes.

Long‑Term Resilience

  • Maintain immutable off‑line backups that cannot be tampered with by an attacker.
  • Run red‑team exercises simulating IIS module injection and Potato‑style escalations.
  • Ensure that incident response playbooks explicitly cover IIS‑specific threats.

Broader Context: IIS Modules and the Potato Family Are Persistent Threats

GhostRedirector does not operate in a vacuum. The use of native IIS modules as a covert channel dates back years. ESET itself documented IISerpent and IISpy, which abused the same extensibility mechanism to intercept and alter HTTP traffic. Any IIS administrator should treat unapproved modules as an immediate security incident.

The Potato suite of privilege‑escalation tools remains a go‑to for attackers targeting Windows servers. The exploits take advantage of how Windows handles COM object activation and token assignment in certain service accounts, a design quirk that Microsoft has attempted to harden but which remains exploitable in many on‑premises configurations. Detection relies on behavioral telemetry, not static signatures.

Additionally, the geographic focus on Southeast Asia and Latin America mirrors a broader pattern among multiple China‑aligned and other nation‑state groups. Exposed or poorly secured hosting configurations in these regions provide a low‑cost staging ground for campaigns that blend financial gain (SEO fraud) with espionage capabilities (backdoors). GhostRedirector’s dual mission exemplifies this convergence of profit and intelligence‑gathering.

Limitations and Caveats

No threat report is complete without acknowledging its blind spots. ESET’s attribution remains analytic; the “China‑aligned” label is a well‑supported hypothesis, not a forensic certainty. The total number of compromised servers may be higher than 65, as many unmonitored systems would never appear in ESET’s telemetry or scans. Custom tools like Rungan and Gamshen will evolve, so defenders should expect variants and modifications. Signature‑based defenses will struggle; behavioral and configuration‑based hunting is essential.

Conclusion: A Blueprint for Stealthy Server Compromise

GhostRedirector represents a pragmatic, resilient threat that marries covert search‑engine manipulation with traditional post‑exploit persistence. The dual‑tool approach – an IIS module that silently burns a domain’s reputation while a C++ backdoor ensures continued access – should serve as a wake‑up call for organizations that treat IIS security as an afterthought. The campaign’s reliance on SQL injection, privilege‑escalation classics, and multi‑tool resilience underscores the value of foundational hardening: patch applications, restrict IIS module registration, log crawler‑specific behaviors, and invest in behavioral detection.

ESET’s disclosure provides the indicators and mitigation steps needed to hunt for and evict GhostRedirector. For Windows administrators and security teams, the message is clear: if you host public‑facing IIS servers, assume they are targets, and treat every unexpected module inside w3wp.exe as a ticking time bomb. The stealthy SEO fraud component might sound innocuous, but it leaves a trail of reputational ruin and regulatory liability. Combining that with a persistent backdoor turns a single vulnerable server into a long‑term asset for attackers – one that demands immediate and thorough remediation.