ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results
Analysis Summary
# Threat Actor: GhostRedirector
## Attribution & Identity
* **Identified Name:** GhostRedirector.
* **Attribution Confidence:** Medium confidence, believed to be a previously unknown, China-aligned threat actor.
* **Evidence for Attribution:** Hardcoded Chinese strings in multiple tools, the use of a code-signing certificate issued to a Chinese company, and a malicious user password ("huang", Chinese for yellow) on compromised servers.
* **Associated Groups/Known Aliases:** None explicitly linked; designated as a new cluster of activity.
## Activity Summary
GhostRedirector has been active since at least August 2024, with observed compromises occurring in June 2025. Its primary activity is compromising Windows servers with custom tools (the Rungan backdoor and the Gamshen IIS module) to run SEO fraud-as-a-service, specifically promoting gambling websites by manipulating Google search results.
## Tactics, Techniques & Procedures
* **Initial Access/Execution:** Event Triggered Execution via the malicious IIS module Gamshen (loaded by `w3wp.exe` upon receiving an HTTP request).
* **Privilege Escalation:**
  * Relies on publicly known exploits: EfsPotato and BadPotato for creating a privileged user.
  * [T1134] Access Token Manipulation (Local Privilege Escalation).
  * [T1112] Modify Registry (RID hijacking).
* **Defense Evasion:**
  * [T1027] Obfuscated Files or Information (.NET Reactor used to obfuscate privilege escalation tools).
  * [T1027.009] Obfuscated Files or Information: Embedded Payloads (embedding webshells like Zunput).
  * [T1140] Deobfuscate/Decode Files or Information (Rungan uses AES in CBC mode to decrypt strings).
* **Discovery:**
  * [T1083] File and Directory Discovery (using the Zunput payload).
* **Command and Control (C2):**
  * [T1219] Remote Access Software (potential use of GoToHTTP).
  * [T1071.001] Application Layer Protocol: Web Protocols (Rungan uses HTTP for communication).
  * [T1105] Ingress Tool Transfer (abuse of `certutil.exe` to download malware).
  * [T1008] Fallback Channels (maintaining access via GoToHTTP or pre-created malicious users).
* **Impact:**
  * [T1565] Data Manipulation (modifying server responses specifically for Googlebot to influence search result rankings).
## Targeting
* **Sectors:** Diverse sectors including insurance, healthcare, retail, transportation, technology, and education.
* **Geography:** Primarily Brazil, Thailand, and Vietnam.
* **Victims:** At least 65 Windows servers compromised.
## Tools & Infrastructure
* **Malware Families/Custom Tools:**
  * **Rungan:** A passive C++ backdoor capable of executing commands.
  * **Gamshen:** A malicious native IIS module used for SEO fraud.
  * **Zunput:** Embedded webshell deployed for file/directory discovery.
* **Exploits/Public Tools Used:** EfsPotato, BadPotato (for privilege escalation).
* **Remote Access Tools:** GoToHTTP (potential).
* **Infrastructure:** A shared staging server was identified across various samples.
## Implications
GhostRedirector represents a sophisticated threat actor leveraging native web server components (IIS modules) for non-traditional objectives (SEO fraud/gambling promotion) while maintaining backdoor access for potential future malicious activity. The use of custom tooling suggests a dedicated development pipeline, and the reliance on both custom components and known privilege escalation exploits indicates a pragmatic approach to gaining and maintaining high-level access on targeted Windows servers.
## Mitigations
* Monitor for suspicious activity related to IIS Worker Processes (`w3wp.exe`).
* Review and secure Windows servers against known privilege escalation exploits like EfsPotato and BadPotato.
* Implement robust network monitoring for outbound connections, especially those involving `certutil.exe` for unusual downloads.
* Regularly audit IIS configuration for unauthorized native or managed modules.
* Investigate uncharacteristic search result rankings for associated public-facing web properties, as search engine manipulation is a primary objective.
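One way to carry out the IIS module audit listed above, as an added PowerShell example that is not part of the ESET report: it assumes the WebAdministration module that ships with IIS, and `$BaselineModules` is a hypothetical list of the module names expected on this server that you adjust for your own build.

```powershell
# Added example (not from the report): list IIS native (global) modules and flag any that
# fall outside a known-good baseline, live outside the inetsrv directory, or are not
# validly signed by Microsoft. A rogue native module such as Gamshen would surface here.
Import-Module WebAdministration -ErrorAction Stop

# Hypothetical baseline: adjust to the modules your IIS role/feature set actually installs.
$BaselineModules = @(
    'AnonymousAuthenticationModule', 'CustomErrorModule', 'DefaultDocumentModule',
    'DirectoryListingModule', 'HttpCacheModule', 'HttpLoggingModule', 'ProtocolSupportModule',
    'RequestFilteringModule', 'StaticCompressionModule', 'StaticFileModule',
    'DynamicCompressionModule', 'IsapiModule', 'IsapiFilterModule',
    'ConfigurationValidationModule', 'RequestMonitorModule'
)

$findings = foreach ($m in Get-WebGlobalModule) {
    # Module images are recorded with %windir%-style variables; expand them to inspect the DLL.
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    $sig   = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
    $hash  = (Get-FileHash -Path $image -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash

    $reasons = @()
    if ($BaselineModules -notcontains $m.Name) { $reasons += 'not in baseline' }
    # Heuristic: legitimate add-ons (e.g. ASP.NET Core Module) also live elsewhere, so treat
    # this as "review", not "malicious".
    if ($image -notlike "$env:windir\System32\inetsrv\*") { $reasons += 'image outside inetsrv' }
    if ($null -eq $sig) { $reasons += 'image not found on disk' }
    elseif ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $reasons += 'not Microsoft-signed' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Module  = $m.Name
            Image   = $image
            SHA256  = $hash          # keep for comparison against published indicators
            Signer  = $sig.SignerCertificate.Subject
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize

# Managed (.NET) modules registered at the server level get the same review by hand.
Get-WebManagedModule | Select-Object Name, Type
```

Run it on a known-clean build first to settle the baseline list, then schedule it so that a newly registered module shows up as a diff rather than being found during an incident.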