A stealthy campaign that has compromised at least 65 Internet-facing Windows IIS servers worldwide is using a pair of previously unseen native implants to convert legitimate websites into invisible doorways for gambling SEO fraud. Dubbed GhostRedirector by researchers at ESET, the operation pairs a C/C++ backdoor called Rungan with an in-process IIS module named Gamshen, creating a persistent and difficult-to-detect infrastructure that serves cloaked content exclusively to search engine crawlers while leaving human visitors unaffected.
The attackers have been active since at least August 2024 and have wormed their way into organizations across education, healthcare, insurance, retail, transportation, and technology sectors, with the highest concentration of victims in Brazil, Thailand, Vietnam, Peru, and the United States. ESET, which disclosed the campaign this week, explicitly notes that the 65-host count is a conservative minimum—many more servers are likely compromised but remain undetected because standard audits and signature-based scans fail to spot the dynamic, crawler-only manipulation.
How the Campaign Operates
The GhostRedirector intrusion chain follows a well-worn path of initial access through web-facing vulnerabilities, likely SQL injection and similar exploits, followed by deployment of web shells and downloaders. Once inside, the actors abuse public privilege-escalation exploits from the “Potato” family (EfsPotato, BadPotato, and relatives) to gain SYSTEM-level rights, which are necessary to register native IIS modules and tamper with service configurations. Multiple redundant persistence mechanisms are then laid down.
The campaign’s core tools are Rungan and Gamshen, both written in native code with no .NET dependencies. Rungan is deployed as a DLL—typically named miniscreen.dll and dropped into C:\ProgramData\Microsoft\DRM\log—and can run as a service or operate standalone. It acts as a passive backdoor, registering HTTP listeners through the Windows HTTP Server API to accept commands remotely without aggressive beaconing. An embedded AES-CBC-encrypted configuration helps it avoid detection, and because the listeners are independent of IIS, they often fly under the radar of web-content audits.
Gamshen, the module responsible for the SEO fraud, is loaded directly into the IIS worker process (w3wp.exe) as a native DLL. Appearing under names like ManagedEngine64_v2.dll or ManagedEngine32_v2.dll, it hooks into OnBeginRequest and OnSendResponse pipeline events. When a request arrives from a search engine crawler—identified by user-agent strings and possibly IP ranges—Gamshen injects or redirects to content that promotes third-party gambling sites. Regular site visitors see the genuine, unmodified pages. The injected content never touches the disk, making file-system scans useless. If the remote command-and-control endpoints fail, the module falls back to a set of predefined doorway pages or link lists.
By hijacking the trust and authority of the compromised domains, the attackers effectively rent out the SEO value to gambling operators, turning the infected servers into an “SEO fraud-as-a-service” platform. The majority of the promoted gambling sites target Portuguese speakers, aligning with the geographic victim profile.
Attribution and Ties to Similar Campaigns
ESET assesses with medium confidence that the GhostRedirector operation is China-aligned, based on build artifacts, Chinese-language strings in the code, code-signing certificate provenance, and tooling overlaps. However, the researchers caution that attribution is probabilistic and should not be taken as definitive proof. Last year, Cisco Talos reported on a comparable campaign called DragonRank, which also abused IIS modules for SEO manipulation. Although GhostRedirector shares some victim geographies and sectors with DragonRank, ESET does not believe the two are directly connected.
Both campaigns reflect a broader trend: criminals are increasingly moving away from noisy ransomware and data theft toward stealthy, long-term monetization through reputation abuse. SEO fraud is low-risk compared with ransomware, and the infrastructure can be reused for years if it goes undetected.
Why IIS Administrators Should Care
The most immediate danger of GhostRedirector is the permanent backdoor access that Rungan grants attackers. But the longer-term business risk is the silent erosion of search-engine reputation. Google and other search engines penalize sites that use cloaking or participate in link schemes, and a compromised domain can be deindexed or severely demoted. Recovery is slow and expensive, especially for organizations that depend on organic search traffic.
Compounding the problem, the campaign’s layered persistence makes cleanup difficult. Even if a defender removes Gamshen, the Rungan backdoor and any local privileged accounts (ESET observed accounts like MysqlServiceEx and Admin) can be used to reinstall the modules or pivot to other parts of the network. Partial remediation almost guarantees reinfection.
Detection and Hunting Steps
Because native IIS modules and passive HTTP listeners leave scant traces, defenders must proactively hunt for indicators of compromise. ESET recommends these immediate actions:
- Enumerate all IIS native modules using `appcmd list modules` or by inspecting `applicationHost.config`. Look for unfamiliar DLLs, especially those named `ManagedEngine64_v2.dll` or `ManagedEngine32_v2.dll`.
- Search for known artifacts on disk and in the registry:
  - `miniscreen.dll` under `C:\ProgramData\Microsoft\DRM\log`
  - `link.exe` (a GoToHTTP helper) in unusual locations
  - Unexpected service DLL modifications pointing to these files
- Test for crawler cloaking by sending identical requests with a Googlebot user-agent and a normal browser user-agent from trusted IPs. Any difference in response content, redirects, or injected links is a red flag.
- Monitor for privilege escalation artifacts with Sysmon or EDR, focusing on token impersonation (`CreateProcessWithToken`, `CreateProcessAsUser`), named pipe creation, and unexpected HTTP Server API listener registrations.
- Audit local users and groups for recently created accounts and revoke any that are unrecognized.
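The hunting steps above, carried out as one read-only PowerShell triage script. This is an added example, not ESET's tooling or code from the original article. The module names, artifact paths and account names are the ones the article lists; the site URL, the user-agent strings, the 90-day lookback for account creation and the set of processes treated as legitimate http.sys owners are assumptions to adapt per server.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not ESET's or the article's). Read-only: it reports findings, it does not remediate.
param([string]$SiteUrl = 'https://www.example.com/')   # assumption: a site served by this IIS host

$findings = New-Object System.Collections.Generic.List[string]

# 1. Native modules: the same data `appcmd list modules` shows, read from applicationHost.config
#    so that each DLL's Authenticode status can be checked at the same time.
$ahc = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $ahc -Raw
$knownBad = @('ManagedEngine64_v2.dll', 'ManagedEngine32_v2.dll')   # Gamshen names from the report
foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    $image = [Environment]::ExpandEnvironmentVariables($m.image)
    if ($knownBad -contains (Split-Path -Path $image -Leaf)) {
        $findings.Add("Gamshen module name registered: $($m.name) -> $image")
    }
    # Anything outside the IIS and .NET system directories deserves a look regardless of its name.
    if ($image -notlike "$env:windir\System32\inetsrv\*" -and $image -notlike "$env:windir\Microsoft.NET\*") {
        $sig = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
        $findings.Add("Native module outside inetsrv: $($m.name) -> $image (signature: $($sig.Status), signer: $($sig.SignerCertificate.Subject))")
    }
}

# 2. Known artifacts on disk and in service registrations.
$rungan = 'C:\ProgramData\Microsoft\DRM\log\miniscreen.dll'
if (Test-Path -Path $rungan) { $findings.Add("Rungan DLL present: $rungan") }
Get-ChildItem -Path 'C:\ProgramData', 'C:\Users', "$env:windir\Temp" -Filter 'link.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("link.exe in an unusual location (GoToHTTP helper?): $($_.FullName)") }
foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    foreach ($v in @($img, $dll)) {
        if ($v -and $v -match 'miniscreen\.dll|Microsoft\\DRM\\log') {
            $findings.Add("Service $($svc.PSChildName) points at a GhostRedirector path: $v")
        }
    }
}

# 3. http.sys listeners: Rungan registers URLs through the HTTP Server API independently of IIS.
#    Walk `netsh http show servicestate`, pairing each request queue's process IDs with its URLs.
$queuePids = @()
$section = $null
foreach ($line in (netsh http show servicestate view=requestq)) {
    $t = $line.Trim()
    if ($t -eq 'Process IDs:')     { $section = 'pid'; $queuePids = @(); continue }
    if ($t -eq 'Registered URLs:') { $section = 'url'; continue }
    if ($section -eq 'pid' -and $t -match '^\d+$') { $queuePids += [int]$t; continue }
    if ($section -eq 'url' -and $t -match '^https?://') {
        foreach ($procId in $queuePids) {
            $name = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            if ($name -and $name -notin @('w3wp', 'svchost', 'System')) {   # assumption: the usual legitimate owners
                $findings.Add("http.sys URL $t owned by $name (PID $procId), not an IIS worker")
            }
        }
    }
}

# 4. Cloaking check: identical request, crawler UA versus browser UA. Gamshen may also key on
#    source IP, so identical responses do not clear the host; a difference is a strong signal.
function Get-ResponseSignature([string]$Uri, [string]$UserAgent) {
    try {
        $r = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -MaximumRedirection 0 -UseBasicParsing
        $sha = [Security.Cryptography.SHA256]::Create()
        $hash = [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($r.Content))) -replace '-', ''
        return "status=$($r.StatusCode) location=$($r.Headers['Location']) sha256=$hash"
    } catch { return "error: $($_.Exception.Message)" }   # a redirect surfaces here with -MaximumRedirection 0
}
$bot = Get-ResponseSignature -Uri $SiteUrl -UserAgent 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
$usr = Get-ResponseSignature -Uri $SiteUrl -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36'
if ($bot -ne $usr) { $findings.Add("Crawler cloaking suspected for $SiteUrl`n  Googlebot: $bot`n  Browser:   $usr") }

# 5. Local accounts: names ESET observed, plus anything created recently (Security event 4720).
Get-LocalUser | Where-Object { $_.Name -in @('MysqlServiceEx', 'Admin') } |
    ForEach-Object { $findings.Add("Local account matching a reported name: $($_.Name) (enabled: $($_.Enabled))") }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-90) } -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Account created $($_.TimeCreated): $($_.Properties[0].Value)") }

if ($findings.Count -eq 0) { 'No GhostRedirector indicators found (this does not prove the host is clean).' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in an elevated session on the IIS host itself. The cloaking comparison hashes the whole body, so a page that embeds a per-request token or timestamp will differ between the two fetches for innocent reasons; point `-SiteUrl` at a static page, or diff the two responses by hand when the hashes disagree and the status and Location values match. Treat every line of output as a lead to confirm, not as proof, and remember that a clean result does not rule out a module that only cloaks for crawler source IPs.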
If any evidence of compromise is found, a full rebuild from known-good media is the only reliable remediation. Network isolation should be enforced during the rebuild to prevent lateral movement.
Hardening Against Future Attacks
Preventing GhostRedirector and similar campaigns requires a combination of patching, configuration hardening, and behavioral monitoring.
- Keep IIS and Windows Server fully patched. The initial access vectors are often known web-application vulnerabilities. Regular vulnerability scanning and penetration testing of public-facing applications are critical.
- Remove or disable unnecessary IIS modules. Every loaded module expands the attack surface; if you don’t need it, unload it.
- Deploy Sysmon or equivalent EDR with a ruleset that captures token manipulation, pipe activity, and unexpected DLL loads into `w3wp.exe` or other processes.
- Enforce code-signing policies where feasible, and verify the certificates of binaries running on your servers. The GhostRedirector actors abused legitimate code-signing certificates, so trust but verify.
- Integrate SEO monitoring into incident response planning. Unexpected changes in search rankings, backlink profiles, or the appearance of unrelated keywords can be an early warning of a cloaking compromise.
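A Sysmon rule set covering the three monitoring points in the hardening list (DLL loads into the IIS worker, processes spawned from it, and named-pipe activity by binaries in drop locations), written as an added example rather than a configuration from ESET or the article. It assumes Sysmon64 is already installed at its default location under the Windows directory, that the installed build accepts schema version 4.90, and that `C:\ProgramData\`, `C:\Users\` and `\Temp\` are the drop locations worth watching on this server; the paths are drawn from where the article says Rungan was staged.

```powershell
# Added example (not the article's or ESET's): Sysmon rules for the IIS monitoring points above,
# applied with an already-installed Sysmon64 (assumed at $env:windir\Sysmon64.exe).
# Schema version 4.90 is an assumption (Sysmon 15); lower it if -c rejects the file.
$sysmonConfig = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Event 7: a DLL loaded into the IIS worker from a drop location, or one with no valid signature.
         Gamshen-style modules are native DLLs that live inside w3wp.exe, so this is the primary rule. -->
    <RuleGroup name="w3wp-dll-load" groupRelation="or">
      <ImageLoad onmatch="include">
        <Rule groupRelation="and" name="w3wp-dll-from-drop-dir">
          <Image condition="end with">\w3wp.exe</Image>
          <ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
        </Rule>
        <Rule groupRelation="and" name="w3wp-dll-unsigned">
          <Image condition="end with">\w3wp.exe</Image>
          <Signed condition="is">false</Signed>
        </Rule>
      </ImageLoad>
    </RuleGroup>
    <!-- Event 1: every process spawned by the IIS worker (web shells, escalation tools). In the SIEM,
         compare the child's User with the application pool identity: a SYSTEM child of w3wp.exe is
         the outcome of the token impersonation the article describes. -->
    <RuleGroup name="w3wp-child-process" groupRelation="or">
      <ProcessCreate onmatch="include">
        <ParentImage condition="end with">\w3wp.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
    <!-- Events 17/18: named pipes created or connected by binaries running from drop locations. -->
    <RuleGroup name="pipes-from-drop-dirs" groupRelation="or">
      <PipeEvent onmatch="include">
        <Image condition="begin with">C:\ProgramData\</Image>
        <Image condition="begin with">C:\Users\</Image>
        <Image condition="contains">\Temp\</Image>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Write the rules next to other machine-wide data and load them into the running Sysmon service.
$cfgPath = Join-Path $env:ProgramData 'sysmon-iis.xml'
Set-Content -Path $cfgPath -Value $sysmonConfig -Encoding UTF8
& (Join-Path $env:windir 'Sysmon64.exe') -c $cfgPath
```

`-c` replaces the whole active configuration, so merge these rule groups into the existing Sysmon policy rather than loading the fragment on its own. Expect some legitimate noise to tune out: ASP.NET compiles through a `csc.exe` child of `w3wp.exe`, and third-party IIS modules are not always signed. The point of the unsigned-DLL rule is the article's "trust but verify" advice; pair it with a periodic `Get-AuthenticodeSignature` pass over the modules listed in `applicationHost.config`, since a validly signed DLL from an abused certificate passes the Sysmon rule and only stands out by its name, path or signer.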
The Bigger Picture
GhostRedirector is a clear example of how cybercriminals are commoditizing server infrastructure. By trojanizing IIS servers and manipulating what search engines see, the attackers create a durable, scalable business that harms both the victims and the internet ecosystem. For Windows and IIS administrators, this campaign underscores that web server security is no longer just about keeping attackers out—it’s also about protecting the reputation your domain carries. The immediate hunt for unauthorized modules and crawler cloaking should be a top priority, and any confirmed compromise should trigger a full incident response process that treats SEO integrity as a core security objective, not an afterthought.