GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module
Summary
The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering.

The UAT-8099 group, similar to GhostRedirector, hijacks IIS servers to funnel mobile search engine traffic to spam advertisements and illegal gambling websites. The group targets servers in Brazil, Canada, India, Thailand, and Vietnam, using open-source web shells for initial access and privilege escalation. UAT-8099 installs the BadIIS module to intercept and manipulate HTTP traffic for SEO poisoning and malicious redirects: it serves SEO terms to search engine crawlers and redirects human visitors to scam websites. UAT-8099 deploys a Cobalt Strike backdoor to maintain persistent access and exfiltrate sensitive data. The group's activities often go undetected by the targeted organizations due to the stealthy nature of the attacks.

Cisco Talos has detailed the full attack chain and additional findings relating to the UAT-8099 campaign, identifying several new BadIIS malware samples with altered code structures to evade detection. The group uses SoftEther VPN, EasyTier, and the FRP reverse proxy tool for persistence and deploys defense mechanisms to secure its foothold. UAT-8099 was first discovered in April 2025 and primarily targets mobile users, including both Android and Apple iPhone devices. The group uses the Everything tool to search for valuable data within compromised hosts. BadIIS operates in three modes: Proxy, Injector, and SEO fraud, and it uses backlinking to boost website visibility and rankings.

The latest campaign by UAT-8099, discovered by Cisco Talos, targets IIS servers in India, Pakistan, Thailand, Vietnam, and Japan, with a focus on Thailand and Vietnam. The group uses web shells and PowerShell to deploy the GotoHTTP tool for remote access. The campaign involves deploying tools like Sharp4RemoveLog, CnCrypt Protect, OpenArk64, and GotoHTTP. UAT-8099 creates hidden user accounts named 'admin$' and 'mysql$' to maintain access. BadIIS malware variants include BadIIS IISHijack and BadIIS asdSearchEngine, targeting specific regions. BadIIS asdSearchEngine has three variants: Exclusive multiple extensions, Load HTML templates, and Dynamic page extension/directory index. UAT-8099 is refining its Linux version of BadIIS, targeting Google, Microsoft Bing, and Yahoo! crawlers.
Timeline
- 04.09.2025 20:58 · 8 articles
GhostRedirector Campaign Compromises 65 Windows Servers with Rungan and Gamshen
The group targets organizations such as universities, tech firms, and telecom providers. The majority of targets are mobile users, including both Android and Apple iPhone devices. The group uses SoftEther VPN, EasyTier, and the FRP reverse proxy tool for persistence. Cisco Talos identified several new BadIIS malware samples in the campaign; the new variants have an altered code structure and functional workflow to evade detection. The group deploys defense mechanisms to prevent other threat actors from compromising the same server. The UAT-8099 group was first discovered in April 2025. The group uses the Everything tool to search for valuable data within compromised hosts. BadIIS operates in three modes: Proxy, Injector, and SEO fraud, and it uses backlinking to boost website visibility and rankings. The latest campaign by UAT-8099, discovered by Cisco Talos, targets IIS servers in India, Pakistan, Thailand, Vietnam, and Japan, with a focus on Thailand and Vietnam. The group uses web shells and PowerShell to deploy the GotoHTTP tool for remote access. The campaign involves deploying tools like Sharp4RemoveLog, CnCrypt Protect, OpenArk64, and GotoHTTP. UAT-8099 creates hidden user accounts named 'admin$' and 'mysql$' to maintain access. BadIIS malware variants include BadIIS IISHijack and BadIIS asdSearchEngine, targeting specific regions. BadIIS asdSearchEngine has three variants: Exclusive multiple extensions, Load HTML templates, and Dynamic page extension/directory index. UAT-8099 is refining its Linux version of BadIIS, targeting Google, Microsoft Bing, and Yahoo! crawlers.
Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
Information Snippets
- The GhostRedirector campaign has compromised at least 65 Windows servers.
First reported: 04.09.2025 20:58 · 2 sources, 5 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The primary targets are in Brazil, Thailand, and Vietnam, with additional targets in Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore.
First reported: 04.09.2025 20:58 · 3 sources, 6 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign deploys the Rungan backdoor and Gamshen IIS module.
First reported: 04.09.2025 20:58 · 3 sources, 6 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- Rungan is a C++ backdoor that executes commands on compromised servers.
First reported: 04.09.2025 20:58 · 3 sources, 6 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- Gamshen is an IIS module that manipulates search engine results for SEO fraud.
First reported: 04.09.2025 20:58 · 2 sources, 5 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign uses SQL injection vulnerabilities to gain initial access.
First reported: 04.09.2025 20:58 · 3 sources, 6 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- PowerShell scripts are used to deliver additional tools from a staging server.
First reported: 04.09.2025 20:58 · 3 sources, 6 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The threat actor is believed to be China-aligned based on code strings, certificate issuance, and user passwords.
First reported: 04.09.2025 20:58 · 3 sources, 4 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail.
First reported: 04.09.2025 20:58 · 3 sources, 6 articles. Sources:
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The GhostRedirector campaign uses EfsPotato and BadPotato exploits for privilege escalation.
First reported: 04.09.2025 23:59 · 3 sources, 4 articles. Sources:
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- Gamshen is implemented as a native IIS component, making it hard to detect and remove.
First reported: 04.09.2025 23:59 · 3 sources, 5 articles. Sources:
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- Gamshen intercepts HTTP requests to affect server responses, boosting target website rankings.
First reported: 04.09.2025 23:59 · 3 sources, 5 articles. Sources:
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign targets gambling websites to artificially boost their search rankings.
First reported: 04.09.2025 23:59 · 3 sources, 5 articles. Sources:
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- Microsoft has acknowledged the threat of malicious IIS extensions and their use for persistence.
First reported: 04.09.2025 23:59 · 3 sources, 5 articles. Sources:
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators.
First reported: 04.09.2025 23:59 · 2 sources, 3 articles. Sources:
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- ESET advises ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.
First reported: 04.09.2025 23:59 · 2 sources, 3 articles. Sources:
- Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
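As an added defensive check, not taken from the page or from any of the vendors it cites, the PowerShell listing below enumerates the native (global) modules IIS is configured to load and flags any whose DLL is unsigned, carries an invalid signature, or is loaded from outside the default inetsrv directory, which is the practical form of the ESET advice above. It assumes the WebAdministration module (IIS Management Scripts and Tools) is installed and that the script runs elevated on the IIS host.

```powershell
# Added example (not from the page or any vendor): audit native IIS modules.
# Native modules are registered in the <globalModules> section of
# applicationHost.config; Get-WebGlobalModule reads that section.
Import-Module WebAdministration -ErrorAction Stop

# Default location of Microsoft's own native modules.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$findings = foreach ($m in Get-WebGlobalModule) {
    # Image paths are stored with environment variables,
    # e.g. %windir%\System32\inetsrv\cachuri.dll
    $path = [Environment]::ExpandEnvironmentVariables($m.Image)
    $inDefaultDir = $path.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)

    if (-not (Test-Path -LiteralPath $path)) {
        # Registered but missing on disk: still worth a look.
        $status = 'MissingFile'
        $signer = $null
    } else {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }

    [pscustomobject]@{
        Module     = $m.Name
        Image      = $path
        InInetsrv  = $inDefaultDir
        Signature  = $status
        Signer     = $signer
        # Unsigned, badly signed, or loaded from an unusual directory:
        # a legitimate third-party module should at least carry a valid signature.
        Suspicious = ($status -ne 'Valid') -or (-not $inDefaultDir)
    }
}

# Suspicious entries first; review each against your change records.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

This lists only which native DLLs IIS is configured to load; whether a module is enabled for a given site is a separate per-site setting, so an entry that looks unused here is not necessarily harmless.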
- The campaign is tracked by Palo Alto Networks Unit 42 as Operation Rewrite and CL-UNK-1037.
First reported: 23.09.2025 11:13 · 2 sources, 4 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The threat actor shares infrastructure and architectural overlaps with Group 9 and DragonRank.
First reported: 23.09.2025 11:13 · 2 sources, 4 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- BadIIS is a malicious native IIS module used for SEO poisoning.
First reported: 23.09.2025 11:13 · 3 sources, 5 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- BadIIS intercepts and modifies HTTP traffic to serve malicious content.
First reported: 23.09.2025 11:13 · 3 sources, 5 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign uses three variants of BadIIS modules for SEO poisoning.
First reported: 23.09.2025 11:13 · 3 sources, 5 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The threat actor creates new local user accounts and drops web shells for persistent access.
First reported: 23.09.2025 11:13 · 3 sources, 5 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign uses a reverse proxy mechanism to manipulate search engine results.
First reported: 23.09.2025 11:13 · 3 sources, 5 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The threat actor is assessed with high confidence to be Chinese-speaking based on linguistic evidence and infrastructure links.
First reported: 23.09.2025 11:13 · 3 sources, 5 articles. Sources:
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign has been active since March 2025.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign uses compromised servers as reverse proxies to manipulate search engine results.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign targets users in East and Southeast Asia.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign involves injecting compromised websites with keywords to improve SEO rankings.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign uses a two-phase attack flow involving luring search engines and trapping victims.
First reported: 23.09.2025 13:47 · 3 sources, 5 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- The campaign uses custom implants tailored to manipulate search engine results and control traffic flow.
First reported: 23.09.2025 13:47 · 3 sources, 5 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- The campaign exfiltrates web application source code from compromised servers.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign uploads BadIIS implants as DLL files to compromised web servers.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign's BadIIS module identifies search engine crawlers and serves poisoned content.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The campaign redirects victims to scam websites upon clicking poisoned search results.
First reported: 23.09.2025 13:47 · 3 sources, 4 articles. Sources:
- SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- The UAT-8099 group hijacks IIS servers to funnel mobile search engine traffic to spam advertisements and illegal gambling websites.
First reported: 03.10.2025 16:00 · 3 sources, 3 articles. Sources:
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- UAT-8099 targets servers in Brazil, Canada, India, Thailand, and Vietnam.
First reported: 03.10.2025 16:00 · 3 sources, 4 articles. Sources:
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- The group uses open-source web shells for initial access and privilege escalation.
First reported: 03.10.2025 16:00 · 3 sources, 4 articles. Sources:
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- UAT-8099 installs the BadIIS module to intercept and manipulate HTTP traffic for SEO poisoning and malicious redirects.
First reported: 03.10.2025 16:00 · 3 sources, 4 articles. Sources:
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- The attackers use BadIIS to serve SEO terms to search engine crawlers and redirect human visitors to scam websites.
First reported: 03.10.2025 16:00 · 3 sources, 4 articles. Sources:
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
- UAT-8099 deploys a Cobalt Strike backdoor to maintain persistent access and exfiltrate sensitive data.
First reported: 03.10.2025 16:00 · 3 sources, 4 articles. Sources:
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The group's activities are often undetected by the targeted organizations due to the stealthy nature of the attacks.
First reported: 03.10.2025 16:00 (3 sources, 4 articles)
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

UAT-8099's tactics can be used to insert malicious scripts into compromised websites, potentially leading to data theft.
First reported: 03.10.2025 16:00 (3 sources, 4 articles)
- UAT-8099 Hijacks Reputable Sites for SEO Fraud & Theft — www.darkreading.com — 03.10.2025 16:00
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The UAT-8099 group exploits IIS servers to manipulate search engine results for financial gain.
First reported: 03.10.2025 17:59 (2 sources, 3 articles)
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The group targets organizations such as universities, tech firms, and telecom providers.
First reported: 03.10.2025 17:59 (2 sources, 3 articles)
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The majority of targets are mobile users, including both Android and Apple iPhone devices.
First reported: 03.10.2025 17:59 (2 sources, 3 articles)
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The group uses SoftEther VPN, EasyTier, and the FRP reverse proxy tool for persistence.
First reported: 03.10.2025 17:59 (2 sources, 3 articles)
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

Cisco Talos identified several new BadIIS malware samples in the campaign.
First reported: 03.10.2025 17:59 (2 sources, 3 articles)
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The new BadIIS variants have an altered code structure and functional workflow to evade detection.
First reported: 03.10.2025 17:59 (2 sources, 3 articles)
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The group deploys defense mechanisms to prevent other threat actors from compromising the same server.
First reported: 03.10.2025 17:59 (2 sources, 3 articles)
- Chinese-Speaking Cybercrime Group Hijacks IIS Servers for SEO Fraud — www.infosecurity-magazine.com — 03.10.2025 17:59
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The UAT-8099 group was first discovered in April 2025.
First reported: 06.10.2025 14:36 (1 source, 2 articles)
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The group primarily targets mobile users, including both Android and Apple iPhone devices.
First reported: 06.10.2025 14:36 (1 source, 2 articles)
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

UAT-8099 uses the Everything tool to search for valuable data within compromised hosts.
First reported: 06.10.2025 14:36 (1 source, 2 articles)
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

BadIIS operates in three modes: Proxy, Injector, and SEO fraud.
First reported: 06.10.2025 14:36 (1 source, 2 articles)
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

BadIIS uses backlinking to boost website visibility and rankings.
First reported: 06.10.2025 14:36 (1 source, 2 articles)
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers — thehackernews.com — 06.10.2025 14:36
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

UAT-8099 targets IIS servers in India, Pakistan, Thailand, Vietnam, and Japan, with a focus on Thailand and Vietnam.
First reported: 30.01.2026 14:08 (1 source, 1 article)
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool for remote access.
First reported: 30.01.2026 14:08 (1 source, 1 article)
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

The campaign involves deploying tools like Sharp4RemoveLog, CnCrypt Protect, OpenArk64, and GotoHTTP.
First reported: 30.01.2026 14:08 (1 source, 1 article)
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

UAT-8099 creates hidden user accounts named 'admin$' and 'mysql$' to maintain access.
First reported: 30.01.2026 14:08 (1 source, 1 article)
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

BadIIS malware variants include BadIIS IISHijack and BadIIS asdSearchEngine, targeting specific regions.
First reported: 30.01.2026 14:08 (1 source, 1 article)
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

BadIIS asdSearchEngine has three variants: Exclusive multiple extensions, Load HTML templates, and Dynamic page extension/directory index.
First reported: 30.01.2026 14:08 (1 source, 1 article)
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08

UAT-8099 is refining its Linux version of BadIIS, targeting Google, Microsoft Bing, and Yahoo! crawlers.
First reported: 30.01.2026 14:08 (1 source, 1 article)
- China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware — thehackernews.com — 30.01.2026 14:08
Similar Happenings
China-Linked APTs Deploy PeckBirdy JScript C2 Framework Since 2023
China-aligned APT actors have been using the PeckBirdy JScript-based command-and-control (C2) framework since 2023 to target Chinese gambling industries, Asian government entities, and private organizations. The framework leverages living-off-the-land binaries (LOLBins) for execution across various environments. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified, each employing different tactics, including credential harvesting and malware delivery. The framework's flexibility allows it to operate across web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET, using multiple communication methods like WebSocket and Adobe Flash ActiveX objects. Additional scripts for exploitation, social engineering, and backdoor delivery have been observed, along with links to known backdoors like HOLODONUT and MKDOOR. HOLODONUT disables security features such as AMSI before executing payloads in memory, while MKDOOR disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering exclusion settings. Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. Some samples used stolen code-signing certificates to legitimize malicious Cobalt Strike payloads, and SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia. The SHADOW-VOID-044 campaign used stolen code-signing certificates, Cobalt Strike payloads, and exploits, including CVE-2020-16040, to maintain persistent access. The SHADOW-EARTH-045 campaign targeted a Philippine educational institution in July 2024, using the GRAYRABBIT backdoor and the HOLODONUT backdoor. The threat actor behind the SHADOW-EARTH campaign developed a .NET executable to launch PeckBirdy with ScriptControl.
PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign
Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025. The campaign delivered the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. The campaign highlights the increasing use of mobile devices as prime targets due to their poor protection and monitoring. Additionally, the Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025. The threat actor is believed to be active since at least April 2024. The malware is written in Python and establishes communication with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT). The command-and-control (C2) addresses are retrieved from external paste services such as rentry[.]co and pastebin[.]com, where they are stored in base64-encoded form.
GoBruteforcer Botnet Expands Attacks on Linux Servers
The GoBruteforcer botnet has expanded its attacks to target databases of cryptocurrency and blockchain projects, exploiting weak credentials and misconfigured software. Over 50,000 publicly accessible servers are vulnerable, with the botnet turning compromised machines into scanning and attack nodes. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.
SesameOp malware leverages OpenAI Assistants API for command-and-control
A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack. It allowed attackers to gain persistent access to compromised environments and remotely manage backdoored devices for several months. The attackers leveraged legitimate cloud services, avoiding detection and traditional incident response measures. The malware employs a combination of symmetric and asymmetric encryption to secure communications. It uses a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain includes internal web shells and malicious processes designed for long-term espionage. The malware uses a loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64". The malware supports three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, leading to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform but misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.
Flax Typhoon APT Group Exploits ArcGIS for Persistent Access
The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The attackers used a public-facing ArcGIS server connected to a private, internal ArcGIS server for backend computations, a common default configuration. They sent disguised commands to the portal server, creating a hidden system directory that became Flax Typhoon's private workspace. The attackers ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. ReliaQuest worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended security teams audit and harden such applications. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, as Flax Typhoon did not use any malware or known malicious files. 
Strong credential hygiene was emphasized, noting that a weak administrator password gave the attackers a foothold in the organization's network. ReliaQuest recommended implementing multifactor authentication and practicing the principle of least privilege to enhance security. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. 
The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.