GhostRedirector Hackers Target Windows Servers via IIS and SEO Fraud

Researchers at ESET have uncovered a likely China-linked cyber group dubbed GhostRedirector, which since August 2024 has compromised at least 65 Windows servers running IIS to manipulate Google search rankings in favor of iGaming websites.

The main targets so far are located in Brazil, Vietnam, and Thailand.

Who Is GhostRedirector

According to ESET, GhostRedirector is a newly identified group, first spotted in late 2024. Evidence strongly suggests ties to China. The attacks involve custom tools, privilege-escalation exploits, and the deployment of malicious modules into IIS (Internet Information Services).

Indicators of Chinese Origin

  • Chinese-language strings were found in the code.
  • A certificate issued by a Chinese company was used.
  • Account passwords included the word “huang” (Chinese for “yellow”).

Main Tools Used by the Group

The Rungan Backdoor

Rungan is a passive C++ backdoor designed to execute commands on the compromised server. Its primary role is to maintain persistent access and control.

The Gamshen Module

Gamshen is loaded into IIS as a native module. Its purpose is SEO fraud: it alters the server's responses only when the request comes from Googlebot, inserting links to online casinos and gambling sites. For normal visitors, the pages appear unchanged.

This allows attackers to stealthily boost gambling sites in search rankings while damaging the reputation of the compromised servers by associating them with black-hat SEO schemes.

Attack Methods

Initial Access

ESET analysts believe GhostRedirector gains entry via SQL injection. Malicious files are then downloaded from a command server using PowerShell or the CertUtil tool.

Privilege Escalation

The exploits BadPotato and EfsPotato were used to escalate privileges. This enabled attackers to create hidden admin-level accounts, install additional malware, and maintain access even if the backdoor was removed.

Attack Tools

Tool                    Purpose
----------------------  -----------------------------------------------------
Rungan                  Execute commands on the server, provide covert access
Gamshen                 SEO fraud, promote gambling sites
BadPotato / EfsPotato   Privilege escalation, creation of hidden accounts
GoToHTTP                Remote browser-based connection to the server

Geographic Spread of Attacks

As of June 2025, ESET reported at least 65 compromised servers. The majority of victims are located in:

  • Brazil,
  • Vietnam,
  • Thailand,
  • Peru,
  • United States.

Isolated cases were also observed in Canada, India, Finland, the Netherlands, the Philippines, and Singapore.

Affected organizations span multiple industries, including insurance, healthcare, transportation, education, retail, and technology.

Consequences of the Attacks

While end users were not directly infected, the server compromises resulted in:

  • Damage to organizational reputation;
  • Decreased trust from search engines;
  • Involvement in gray-hat SEO schemes;
  • Potential loss of administrative control over systems.

Conclusions

GhostRedirector relies on a mix of backdoors, exploits, and IIS modules to push iGaming websites. Experts believe the campaign was large-scale and targeted servers with vulnerable software.

Microsoft has warned that malicious IIS modules are especially difficult to detect since they run with high-level privileges at the server layer.