A new threat actor, dubbed “GhostRedirector” and likely based in China, is conducting a sophisticated search engine optimization (SEO) manipulation campaign aimed at artificially boosting the search rankings of gambling websites.
The operation, which began around August 2024, involves compromising websites running on Windows Web servers and deploying malware tools to escalate privileges, maintain persistence, and manipulate Google’s website indexing crawlers. Dozens of websites have been affected, primarily in Brazil, Vietnam, and Thailand. A small number of compromised sites are based in the U.S., but appear to belong to companies with primary operations in the targeted countries.
ESET’s analysis revealed that victims span a wide range of sectors, including healthcare, education, transportation, insurance, retail, and technology, suggesting the targeting is not sector-specific.
The attack chain begins with GhostRedirector gaining initial access to Windows Web servers, likely by exploiting unpatched SQL injection vulnerabilities. Once inside, the threat actor uses PowerShell to download a suite of malware tools, including two previously unseen components that ESET tracks as Rungan and Gamshen. Privilege escalation is achieved using two known exploits, EfsPotato and BadPotato.
Rungan is a passive backdoor written in C++ that grants attackers remote access to compromised Web servers and allows them to execute arbitrary commands. Gamshen is a native Internet Information Services (IIS) component with malicious capabilities. IIS is Microsoft’s Web server software that powers many Windows-based websites. It features a modular architecture that developers can use to extend or add new Web server features of their own. Once installed, a native IIS component operates at the server level with high privileges, making it hard to detect and remove.
Gamshen’s primary function is to secretly inject links to websites that GhostRedirector wants to promote. When Google’s Googlebot visits a compromised website to index it, Gamshen detects the search engine crawler and injects links pointing to the target website into the page content. This creates backlinks from legitimate, but compromised, websites, artificially boosting the search rankings of the targeted gambling websites.
ESET described malicious IIS extensions like Gamshen as tools to “intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests.” Microsoft has also acknowledged the threat posed by malicious IIS extensions, warning that adversaries can use them to establish persistent backdoors into critical Web servers.
Splunk issued a warning in July about threat actors combining exploits for multiple crucial SharePoint vulnerabilities with malicious IIS modules to achieve deep persistence on vulnerable systems. According to Microsoft, IIS backdoors are difficult to detect because “they mostly reside in the same directories as legitimate modules used by target applications and they follow the same code structure as clean modules.”
GhostRedirector is not the first China-based threat actor to employ SEO poisoning techniques. Cisco Talos reported last year that DragonFly, another Chinese actor, used a similar technique with malware called BadIIS.
ESET recommends that organizations use dedicated accounts, strong passwords, and multi-factor authentication for IIS server administrators. The company also advises that administrators ensure native IIS modules can only be installed from trusted sources and are signed by a trusted provider.
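One way to act on that last recommendation is to audit the native (global) modules IIS has registered and verify each DLL's Authenticode signature, since a malicious module like Gamshen is a DLL sitting beside the legitimate ones. The script below is an added example, not code from ESET's report or from Microsoft; it assumes the WebAdministration PowerShell module is available on the IIS host, and it treats "not signed by Microsoft" and "not under inetsrv" as heuristic flags that a server running known third-party modules should baseline rather than treat as verdicts.

```powershell
# Audit native IIS (global) modules: list each module's DLL, check its
# Authenticode signature and signer, and flag anything unsigned, signed by a
# non-Microsoft publisher, or loaded from outside the standard inetsrv folder.
# Assumes the WebAdministration module is present and the shell is elevated.
Import-Module WebAdministration -ErrorAction Stop

$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$report = foreach ($m in Get-WebGlobalModule) {
    # Image paths in applicationHost.config use %windir%-style variables.
    $path   = [Environment]::ExpandEnvironmentVariables($m.Image)
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $flags = @()
    if (-not $exists) {
        $flags += 'missing-file'
    } elseif ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (tampered DLL), NotTrusted, etc.
        $flags += "signature:$($sig.Status)"
    } elseif ($signer -notmatch 'O=Microsoft Corporation') {
        # Heuristic: legitimate third-party modules will also trip this.
        $flags += 'non-microsoft-signer'
    }
    if ($exists -and -not $path.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
        # Heuristic: some legitimate modules (e.g. ASP.NET Core Module) live elsewhere.
        $flags += 'outside-inetsrv'
    }

    [pscustomobject]@{
        Module = $m.Name
        Image  = $path
        Status = if ($sig) { $sig.Status } else { 'n/a' }
        Signer = $signer
        Flags  = ($flags -join ',')
    }
}

$report | Format-Table -AutoSize

$suspect = $report | Where-Object { $_.Flags }
if ($suspect) {
    Write-Warning 'Review these global modules against your known-good baseline:'
    $suspect | Format-Table Module, Image, Flags -AutoSize
} else {
    Write-Host "All global modules are Microsoft-signed and located under $inetsrv."
}
```

Run it once on a freshly built server to record the expected module list and signers, then diff later runs against that baseline rather than relying on the path and signer heuristics alone.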