A newly uncovered threat campaign is silently injecting malicious code into legitimate Windows servers to manipulate Google rankings while maintaining a persistent backdoor for remote control. Dubbed GhostRedirector by ESET researchers, the operation has compromised at least 65 Internet Information Services (IIS) web servers worldwide, using a pair of custom tools—Rungan and Gamshen—that work in tandem to execute commands and perform search engine optimization (SEO) fraud.
This is not a typical ransomware or data-theft campaign. Instead, GhostRedirector quietly hijacks the search reputation of victim websites to promote gambling and affiliate domains, all while leaving normal pages untouched for human visitors. The discovery, detailed in a new ESET white paper and highlighted by the IT Business Net article on September 4, 2025, underscores a growing trend of financially motivated cyber operations that blend espionage tradecraft with unconventional monetization.
The group behind GhostRedirector is assessed as very likely China-aligned, based on code-signing certificates, embedded language artifacts, and operational patterns. Victims span several continents and industries, with the heaviest concentration in Brazil, Thailand, and Vietnam. Additional compromised hosts were found in the United States, Peru, Canada, Finland, India, the Netherlands, the Philippines, and Singapore. ESET notes that many of the US-based servers were actually leased by companies headquartered in Latin America or Southeast Asia, suggesting a deliberate focus on those regions.
How GhostRedirector Works: Rungan and Gamshen
At the heart of the campaign are two previously undocumented native components. Rungan is a C++ passive backdoor that receives commands over HTTP. It can execute arbitrary shell commands, create local user accounts, list directories, and manipulate Windows services and registry keys, all while blending into normal web traffic. Gamshen, on the other hand, is a native IIS module loaded directly into the web server worker process (w3wp.exe). Its sole purpose is to intercept HTTP responses and modify them before they reach the requester, and it does so only when the request's User-Agent header identifies the client as Googlebot or another search engine crawler.
This selective cloaking is the core of the SEO fraud. When a crawler visits a compromised site, Gamshen injects hidden links, doorway content, or redirects that artificially raise the search ranking of attacker-chosen domains. Regular visitors receive the genuine, unaltered site, so the abuse can continue for months without anyone noticing. ESET observed that the fraudulent boost primarily benefited gambling websites, which suggests the campaign operates as an SEO-for-hire service.
The Infection Chain: From SQL Injection to Full Compromise
GhostRedirector’s initial access vector is believed to be SQL injection, a well-known but still pervasive web application vulnerability. Once inside, the attackers use PowerShell (or other staged binaries) to download a toolkit from domains such as 868id[.]com. That toolkit includes:
- Privilege escalation exploits from the “Potato” family (EfsPotato, BadPotato)
- Multiple webshells (ASP, PHP, JavaScript)
- Downloaders and payload droppers
- The core Rungan backdoor and Gamshen IIS module
After escalating privileges, the operators create rogue local user accounts with weak passwords (one account was found using the password “huang”) and sign some of their tools with a code-signing certificate traced to Shenzhen Diyuan Technology Co., Ltd. This layered persistence makes complete eradication difficult: even if the backdoor is removed, the rogue accounts or webshells can allow re-entry.
Rungan can be deployed as a standalone DLL or integrated into existing services. It listens for HTTP requests matching patterns like /v1.0/8888/sys.html and runs the requested commands in child processes whose output it collects over pipes. As a passive implant it waits for specially crafted inbound requests rather than beaconing out, which removes the periodic outbound connections that many network detections key on.
Gamshen, meanwhile, hooks into the IIS request pipeline and inspects the User-Agent header. If the header matches a known crawler string, it tampers with the response body, injecting spam backlinks or redirect codes, before the content leaves the server. Because the modification happens in memory at the application layer, file integrity monitoring of the site's content and disk scans of the web root never see the injected HTML; the module DLL itself does sit on disk and is registered in IIS's applicationHost.config, which is where a defender can find it. Administrators often only notice something is wrong when their search rankings plummet or a manual action appears in Google Search Console.
Attribution: Why ESET Points to China
ESET explicitly states that GhostRedirector is “very likely a China-aligned threat actor.” The evidence includes:
- Chinese-language strings embedded in code and configuration artifacts.
- A code-signing certificate belonging to a Shenzhen-based company.
- Tactics and tooling consistent with previous Chinese-speaking clusters that have abused native IIS modules for SEO fraud (such as the infamous “RedUrl” campaigns).
While these indicators support a regional assessment with reasonable confidence, they do not prove state sponsorship. The commercial code-signing certificate, for instance, could have been obtained through a compromised or shell company. The overall operational profile (long-term persistence, multi-stage tooling, and monetization through illicit SEO) aligns more with profit-driven cybercriminal groups that may operate with some tolerance from local authorities.
Real-World Impact: Reputation Theft and Collateral Damage
For victims, the consequences extend beyond the immediate breach. Websites that participate in search manipulation schemes, even unwittingly, risk severe penalties from Google, including complete removal from search indexes. The harm to brand trust and organic traffic can take months or years to recover. In industries like healthcare, insurance, and education—where several victims were found—search visibility is directly tied to customer acquisition and credibility.
The stealthy nature of Gamshen makes the cleanup particularly challenging. Because the malicious module loads into a legitimate Microsoft process (w3wp.exe), endpoint detection must rely on behavioral signals: unusual module loads, unexpected code signing certificates, or crawler-specific anomalies in web logs. ESET’s internet-wide scan in June 2025 identified 65 compromised hosts, but the true scope may be larger, as the scan could have missed servers behind content delivery networks or firewalls.
Detection and Response: A Checklist for IIS Administrators
Security teams managing Windows-based IIS servers should take immediate steps to detect and evict GhostRedirector. ESET’s white paper and independent analyses suggest the following priority actions:
- Inspect loaded modules: Native IIS modules must be registered under <globalModules> in %windir%\System32\inetsrv\config\applicationHost.config, so compare that list against a known-good baseline, then use Process Explorer or PowerShell to list the DLLs loaded in w3wp.exe. Look for unsigned or unfamiliar native modules, especially ones outside the inetsrv directory or under ProgramData.
- Audit HTTP logs: Search the W3C logs for requests matching the Rungan path pattern (e.g., /v1.0/8888/sys.html) and for sudden spikes in crawler traffic that precede ranking changes.
- Review user accounts: Check for recently created local accounts (Security event ID 4720 records each creation), particularly ones with weak passwords or accounts that should not exist on a web server.
- Scan for webshells: Use YARA rules or your EDR's webshell signatures to find .asp, .aspx, and .php files hidden in website directories or temporary locations, and check alternate data streams (Sysinternals Streams) where a dropper may have stashed content.
- Verify code-signing certificates: Search for binaries signed by Shenzhen Diyuan Technology Co., Ltd., or by any certificate unknown in your environment.
- Isolate and rebuild: If a compromise is confirmed, isolate the host, capture a memory dump of w3wp.exe for forensics, and rebuild the system from a known-good image. In-place remediation is risky because of the deep integration of Gamshen and potential registry changes.
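The following triage script pulls the first five checklist items into one pass. It is an added example, not code from ESET or from the article. It assumes the default IIS configuration and log paths (both are parameters), Windows PowerShell 5.1 or later, and an elevated session on the server. The HTTP.sys check is an assumption of this example: a passive listener that shares port 443 with IIS would register its path through the HTTP Server API, so the registered URL list is worth comparing against the site bindings; the report as summarized here does not state that Rungan does this.

```powershell
# Added triage script for the checklist above; not ESET's or the article's code.
# Assumptions: default IIS paths (override with the parameters), Windows PowerShell
# 5.1 or later, run elevated on the server. The HTTP.sys check assumes Rungan
# registers its path through the HTTP Server API; treat that as an assumption.
param(
    [string]$AppHostConfig = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string]$LogRoot       = "$env:SystemDrive\inetpub\logs\LogFiles",
    [int]$Days             = 30
)
$RunganPath = '^/v1\.0/8888/sys\.html$'   # request path reported for Rungan

# 1. A native module can only load into w3wp.exe if it is registered under
#    <globalModules>; list each entry with its image and Authenticode status.
#    (Catalog-signed Microsoft files validate here on Server 2012 R2 and later.)
function Get-IisGlobalModules {
    [xml]$cfg = Get-Content -LiteralPath $AppHostConfig -Raw
    foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
        $image = [Environment]::ExpandEnvironmentVariables($m.image)
        $sig   = Get-AuthenticodeSignature -LiteralPath $image -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $m.name
            Image     = $image
            SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = $sig.SignerCertificate.Subject
            Diyuan    = [bool]($sig.SignerCertificate.Subject -match 'Diyuan')  # certificate named in the report
        }
    }
}

# 2. DLLs mapped into every IIS worker process that are unsigned or live outside
#    the Windows directory; w3wp.exe normally carries only Microsoft-signed code.
function Get-W3wpSuspiciousModules {
    foreach ($p in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
        $mods = @(); try { $mods = $p.Modules } catch { Write-Warning "Cannot read modules of PID $($p.Id)" }
        foreach ($mod in $mods) {
            $sig = Get-AuthenticodeSignature -LiteralPath $mod.FileName -ErrorAction SilentlyContinue
            if ($sig.Status -ne 'Valid' -or $mod.FileName -notlike "$env:windir\*") {
                [pscustomobject]@{ PID = $p.Id; Module = $mod.FileName; SigStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject }
            }
        }
    }
}

# 3. W3C logs: every hit on Rungan's path, plus Googlebot requests per day so a
#    crawler-traffic spike preceding a ranking drop stands out.
function Read-IisLog([string]$Path) {
    $fields = $null
    foreach ($line in [IO.File]::ReadLines($Path)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line -split ' '; $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        $row
    }
}
function Find-SuspiciousRequests {
    $since = (Get-Date).AddDays(-$Days); $botPerDay = @{}
    $logs  = Get-ChildItem -LiteralPath $LogRoot -Recurse -Filter *.log -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -gt $since }
    foreach ($f in $logs) {
        foreach ($row in Read-IisLog $f.FullName) {
            if ($row['cs-uri-stem'] -match $RunganPath) {
                [pscustomobject]@{ Kind = 'RunganPath'; Date = $row['date']; Time = $row['time']; ClientIP = $row['c-ip']
                                   Uri = $row['cs-uri-stem']; Status = $row['sc-status']; UserAgent = $row['cs(User-Agent)'] }
            }
            $d = $row['date']
            if ($d -and $row['cs(User-Agent)'] -match 'Googlebot') { $botPerDay[$d] = 1 + [int]$botPerDay[$d] }
        }
    }
    foreach ($d in ($botPerDay.Keys | Sort-Object)) { [pscustomobject]@{ Kind = 'GooglebotPerDay'; Date = $d; Count = $botPerDay[$d] } }
}

# 4. Local account creations (Security event 4720) and the URLs registered with
#    HTTP.sys, which should match your site bindings and nothing else.
function Get-AccountCreations {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; NewAccount = $d['TargetUserName']; CreatedBy = $d['SubjectUserName'] }
        }
}
function Get-HttpSysUrls {
    netsh http show servicestate view=requestq verbose=yes |
        ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^https?://' } | Sort-Object -Unique
}

# Driver: print each section; review anything unfamiliar against a known-good build.
'== globalModules =='                                ; Get-IisGlobalModules      | Format-Table -AutoSize
'== w3wp.exe modules unsigned or outside %windir% ==' ; Get-W3wpSuspiciousModules | Format-Table -AutoSize
'== Rungan path hits and Googlebot volume =='         ; Find-SuspiciousRequests   | Format-Table -AutoSize
'== Local account creations (4720) =='                ; Get-AccountCreations      | Format-Table -AutoSize
'== URLs registered with HTTP.sys =='                 ; Get-HttpSysUrls
```

Run it once on a freshly built server and keep the output as the baseline; on a suspect host the interesting lines are any globalModules entry whose image is outside inetsrv or whose signature is not Valid, any w3wp.exe module flagged in section 2, any RunganPath row at all, and any HTTP.sys URL that is not one of the site bindings. Section 4 only has data if User Account Management auditing is enabled, which is covered under the hardening measures further down.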
After rebuilding, validate crawler behavior with Google's URL Inspection tool (or its API) or by requesting pages with a Googlebot User-Agent and comparing the response with what a normal browser receives, to verify that no cloaking remains. If the site has already been penalized, a reconsideration request through Google Search Console is necessary.
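The Googlebot comparison in the previous paragraph, and the User-Agent-keyed cloaking described under Gamshen earlier, can be checked with a differential fetch. The script below is an added example, not code from the article or from ESET: it requests one URL twice, as a browser and as Googlebot, without following redirects, and reports what only the "crawler" received. The two User-Agent strings are illustrative, the Googlebot one copied from Google's published format; run it from a machine you control against a site you own or are authorized to test. A differing answer is a cloaking signal; an identical answer does not prove the host is clean, since nothing stops a module from keying on other request attributes as well.

```powershell
# Added cloaking check, not from the article or ESET. Assumes Windows PowerShell
# 5.1 or PowerShell 7; the User-Agent strings below are illustrative.
param([Parameter(Mandatory)][string]$Url)
Add-Type -AssemblyName System.Net.Http

$BrowserUA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36'
$BotUA     = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

# One request with a given User-Agent; redirects are not followed because a 30x
# to an attacker-chosen domain is itself the finding.
function Get-ResponseSnapshot([string]$Uri, [string]$UserAgent) {
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false
    $client  = [System.Net.Http.HttpClient]::new($handler)
    [void]$client.DefaultRequestHeaders.TryAddWithoutValidation('User-Agent', $UserAgent)
    $resp = $client.GetAsync($Uri).GetAwaiter().GetResult()
    $body = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
    $client.Dispose()
    # outbound links: href targets of <a> tags, de-duplicated
    $links = @([regex]::Matches($body, '(?i)<a\s[^>]*href\s*=\s*["'']([^"''#]+)') |
              ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Location = "$($resp.Headers.Location)"
        Length   = $body.Length
        Links    = $links
        # hidden containers are the usual home of injected backlinks
        Hidden   = ([regex]::Matches($body, '(?i)display\s*:\s*none|visibility\s*:\s*hidden')).Count
    }
}

# Compare the two snapshots; only status, redirect target and bot-only links
# decide the verdict, since dynamic pages differ in length anyway.
function Test-Cloaking([string]$Uri) {
    $browser = Get-ResponseSnapshot $Uri $BrowserUA
    $bot     = Get-ResponseSnapshot $Uri $BotUA
    $onlyBot = @($bot.Links | Where-Object { $_ -notin $browser.Links })
    [pscustomobject]@{
        Url             = $Uri
        BrowserStatus   = $browser.Status
        BotStatus       = $bot.Status
        BotLocation     = $bot.Location
        LengthDelta     = $bot.Length - $browser.Length
        HiddenDelta     = $bot.Hidden - $browser.Hidden
        LinksOnlyForBot = $onlyBot
        Cloaked         = ($browser.Status -ne $bot.Status) -or
                          ($browser.Location -ne $bot.Location) -or
                          ($onlyBot.Count -gt 0)
    }
}

$result = Test-Cloaking $Url
$result | Format-List
if ($result.Cloaked) { exit 2 }   # non-zero exit so the check can gate a post-rebuild pipeline
```

Run it against a handful of representative URLs (home page, a deep content page, a page that previously lost ranking) rather than one, and keep LinksOnlyForBot: on a cloaked host that list is exactly the set of domains being promoted, which is what a reconsideration request has to account for.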
Long-Term Hardening Measures
Preventing similar attacks requires a defense-in-depth approach:
- Patch and harden web applications: Eliminate SQL injection by using parameterized queries and input validation, with a web application firewall (WAF) as an additional layer rather than the primary control.
- Disable xp_cmdshell: If SQL Server is present, leave the xp_cmdshell extended stored procedure disabled and run the application under a low-privilege SQL login, so that an injected query cannot reach OS command execution.
- Restrict IIS module installation: Use application control policies (e.g., WDAC) to allow only trusted, signed modules, and regularly audit the registered module list.
- Monitor and alert on privilege escalation: Deploy endpoint detection and response (EDR) that flags attempts to use known LPE exploits like EfsPotato or BadPotato.
- Enforce strong authentication: Deploy Windows LAPS to manage and rotate local administrator passwords, enforce a complex password policy, and alert on local account creation (Security event ID 4720). LAPS does not stop an attacker who already holds SYSTEM from creating accounts, so the creation alert is what catches the rogue ones.
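Two of the items above are plain settings with a weak and a hardened state, and the script below reports and optionally fixes both. It is an added example, not from the article or ESET. It assumes Windows PowerShell 5.1 on the server (System.Data.SqlClient is loaded by default there), a SQL Server instance reachable with the caller's Windows credentials and ALTER SETTINGS permission, and that the instance name passed in is correct; nothing in it is campaign-specific beyond the two settings.

```powershell
# Added hardening helper; not from the article or ESET. Assumes Windows PowerShell
# 5.1, Windows-authenticated access to the SQL instance with ALTER SETTINGS, and
# an elevated session for auditpol. Without -Fix it only reports.
param(
    [string]$SqlInstance = 'localhost',
    [switch]$Fix
)

function Invoke-Sql([string]$Instance, [string]$Query) {
    $cn = [System.Data.SqlClient.SqlConnection]::new("Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True")
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand(); $cmd.CommandText = $Query
        $cmd.ExecuteScalar()
    } finally { $cn.Close() }
}

# xp_cmdshell: value_in_use 1 means an injection that reaches a privileged login
# can run OS commands; 0 is the hardened state.
function Get-XpCmdshellState([string]$Instance) {
    [int](Invoke-Sql $Instance "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'xp_cmdshell'")
}
function Disable-XpCmdshell([string]$Instance) {
    Invoke-Sql $Instance @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
"@ | Out-Null
}

# Security event 4720 (user account created) only fires if the 'User Account
# Management' audit subcategory is enabled; auditpol /r returns CSV.
function Get-AccountAuditState {
    $rows = auditpol /get /subcategory:"User Account Management" /r | Where-Object { $_ } | ConvertFrom-Csv
    ($rows | Select-Object -First 1).'Inclusion Setting'
}

$xp = Get-XpCmdshellState $SqlInstance
"xp_cmdshell on ${SqlInstance}: $(if ($xp -eq 1) { 'ENABLED (weak)' } else { 'disabled' })"
$audit = Get-AccountAuditState
"User Account Management auditing: $audit"

if ($Fix) {
    if ($xp -eq 1) { Disable-XpCmdshell $SqlInstance; 'xp_cmdshell disabled' }
    if ($audit -notmatch 'Success') {
        auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
        'account creation auditing enabled'
    }
}
```

Disabling xp_cmdshell closes one path from SQL to the OS but not the others (linked servers, CLR, Agent jobs), so the low-privilege application login in the bullet above is the control that matters most; the audit setting is what makes the account-review step in the checklist produce evidence instead of guesswork.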
The Bigger Picture: SEO Fraud as a Service
GhostRedirector is not the first group to monetize compromised web servers through SEO manipulation, but its technical sophistication raises the bar. By combining a native backdoor with an in-process IIS module, the operators achieve a level of stealth that evades many conventional defenses. The apparent affiliate model, boosting gambling sites, suggests a mature business that may expand to other verticals like pharmaceuticals or counterfeit goods.
For the Windows and IIS community, this campaign is a stark reminder that even seemingly mundane web servers can become pawns in large-scale reputation manipulation. As search engines continue to refine their algorithms and penalties for cloaking, the attackers will likely adapt, developing new modules for Apache or NGINX or targeting other crawlers. Defenders must stay vigilant, treating every anomalous log entry as a potential indicator of a hidden backdoor that’s quietly selling their website’s trust.