
Security researchers have uncovered a sophisticated new threat actor exploiting Windows servers worldwide to manipulate Google search rankings while maintaining persistent backdoor access to compromised systems.
ESET researchers discovered the previously unknown group, dubbed "GhostRedirector," which has compromised at least 65 Windows servers across Brazil, Thailand, and Vietnam since December 2024. The attackers deployed two custom-built tools that showcase an unusual dual-purpose strategy: traditional cyber espionage combined with search engine optimization (SEO) fraud.
The attack begins with the exploitation of SQL injection vulnerabilities on Windows servers, which the attackers use to download their malicious toolkit from a staging server. Once inside, they deploy "Rungan," a passive C++ backdoor that listens for incoming HTTP requests matching a specific URL pattern, enabling remote command execution without establishing outbound connections that might trigger security alerts.
More notably, the group installs "Gamshen," a malicious Internet Information Services (IIS) module that specifically targets Google's web crawler (Googlebot).
When Googlebot visits a compromised website, Gamshen dynamically modifies the page content with data from command-and-control servers, artificially boosting search rankings for gambling websites. Regular visitors see normal content, making the manipulation nearly invisible.
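The cloaking behaviour described above can be checked from the outside by requesting the same page with a browser User-Agent and with Googlebot's and comparing the outbound links. The script below is an added defender-side example, not ESET's or GhostRedirector's code; it assumes the module keys on the User-Agent header, and the User-Agent strings, hostnames and HTML samples are constructed for illustration.

```python
"""Detect search-engine cloaking: links served only to Googlebot."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed User-Agent strings (constructed; any browser UA and the public Googlebot UA work).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags, including ones hidden by CSS."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)


def external_links(html, site_host):
    """Return the set of external hostnames linked from the page."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.links:
        host = urlparse(href).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def cloaked_links(normal_html, bot_html, site_host):
    """Hosts linked in the Googlebot response but absent from the browser response."""
    return sorted(external_links(bot_html, site_host) - external_links(normal_html, site_host))


def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Live check of one URL: fetch twice and diff the outbound links."""
    host = urlparse(url).hostname
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), host)


# Constructed sample responses: the bot copy carries a hidden block of injected links.
NORMAL = ('<html><body><h1>Clinic</h1><a href="/about">About</a>'
          '<a href="https://maps.example.net/clinic">Map</a></body></html>')
BOT = NORMAL.replace("</body>", '<div style="display:none"><a href="https://bet-site.example/">'
                     'casino</a><a href="https://slots.example/win">slots</a></div></body>')

if __name__ == "__main__":
    print(cloaked_links(NORMAL, BOT, "clinic.example.org"))  # → ['bet-site.example', 'slots.example']
```

A module that validates the crawler by reverse DNS rather than User-Agent alone will not be caught this way, so pair the check with a review of the installed IIS native modules on the server itself.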
"This represents SEO fraud as-a-service," ESET researchers explained, noting parallels with China-aligned groups that have run comparable operations. The attackers use legitimate-appearing domains and valid code-signing certificates to avoid detection.
GhostRedirector demonstrates operational sophistication by deploying multiple persistence mechanisms, including privilege escalation exploits (BadPotato and EfsPotato), webshells, and rogue administrator accounts. This multi-layered approach ensures continued access even if primary backdoors are discovered and removed.
Victims span diverse sectors, including healthcare, education, retail, and transportation, which suggests opportunistic rather than sector-specific targeting.
Protection measures include: regularly updating server software, monitoring for unusual PowerShell executions from SQL Server processes, implementing robust SQL injection defenses, and conducting regular audits of IIS modules and user accounts with administrative privileges.