GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module
Summary
The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators, as well as ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.
Timeline
- 04.09.2025 20:58 · 4 articles
  GhostRedirector Campaign Compromises 65 Windows Servers with Rungan and Gamshen
  Active since at least March 2025, the campaign targets users in East and Southeast Asia and uses compromised servers as reverse proxies to manipulate search engine results. It follows a two-phase attack flow: luring search engines, then trapping victims. To lure search engines, BadIIS implants are uploaded to the compromised web servers as DLL files; the module identifies search engine crawlers and serves them poisoned content, and compromised websites are injected with keywords to improve their SEO rankings. To trap victims, users who click a poisoned search result are redirected to scam websites. The custom implants are tailored to manipulate search engine results and control traffic flow, and the operators also exfiltrate web application source code from the compromised servers.
  Sources:
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
Information Snippets
- The GhostRedirector campaign has compromised at least 65 Windows servers.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- The primary targets are in Brazil, Thailand, and Vietnam, with additional targets in Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- The campaign deploys the Rungan backdoor and Gamshen IIS module.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- Rungan is a C++ backdoor that executes commands on compromised servers.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- Gamshen is an IIS module that manipulates search engine results for SEO fraud.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- The campaign uses SQL injection vulnerabilities to gain initial access.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- PowerShell scripts are used to deliver additional tools from a staging server.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- The threat actor is believed to be China-aligned based on code strings, certificate issuance, and user passwords.
  First reported: 04.09.2025 20:58 · 1 source, 1 article
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
- The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail.
  First reported: 04.09.2025 20:58 · 2 sources, 3 articles
  - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- The GhostRedirector campaign uses EfsPotato and BadPotato exploits for privilege escalation.
  First reported: 04.09.2025 23:59 · 1 source, 1 article
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- Gamshen is implemented as a native IIS component, making it hard to detect and remove.
  First reported: 04.09.2025 23:59 · 2 sources, 2 articles
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- Gamshen intercepts HTTP requests to affect server responses, boosting target website rankings.
  First reported: 04.09.2025 23:59 · 2 sources, 2 articles
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- The campaign targets gambling websites to artificially boost their search rankings.
  First reported: 04.09.2025 23:59 · 2 sources, 2 articles
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- Microsoft has acknowledged the threat of malicious IIS extensions and their use for persistence.
  First reported: 04.09.2025 23:59 · 2 sources, 2 articles
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
- ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators.
  First reported: 04.09.2025 23:59 · 1 source, 1 article
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
- ESET advises ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.
  First reported: 04.09.2025 23:59 · 1 source, 1 article
  - Chinese Hackers Game Google to Boost Gambling Sites — www.darkreading.com — 04.09.2025 23:59
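A defender-side check for the ESET recommendation above, added here as an example (it is not ESET's or any source's code): it reads the native module registrations (`globalModules`) from applicationHost.config and flags DLLs that are not validly signed by Microsoft or that live outside the inetsrv directory, for manual review. It assumes a default IIS install under %windir%\System32\inetsrv and an elevated PowerShell session on the IIS host.

```powershell
# Added example, not from any source on this page. Native IIS modules can only
# run if they are registered under <globalModules> in applicationHost.config,
# so that list is the inventory to audit. Assumes the default IIS install path.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrv    = Join-Path $env:windir 'System32\inetsrv'

[xml]$config = Get-Content -LiteralPath $configPath -Raw
$modules = $config.configuration.'system.webServer'.globalModules.add

$report = foreach ($m in $modules) {
    # Image paths in applicationHost.config are normally written with %windir%.
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $status = 'Missing'
    $signer = $null
    $sha256 = $null

    if (Test-Path -LiteralPath $image) {
        $sig    = Get-AuthenticodeSignature -FilePath $image
        $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $sha256 = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
    }

    $outsideInetsrv  = -not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
    $microsoftSigned = ($status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Name      = $m.name
        Image     = $image
        SigStatus = $status
        Signer    = $signer
        SHA256    = $sha256
        # A flag means "review this", not "compromised": legitimate third-party
        # modules (URL rewriters, WAF agents) are also non-Microsoft signed.
        Review    = (-not $microsoftSigned) -or $outsideInetsrv
    }
}

# Flagged modules first; the hash column lets you compare against vendor values.
$report |
    Sort-Object Review -Descending |
    Format-Table Name, SigStatus, Review, Image -AutoSize

# Keep a baseline so later runs can be diffed for newly registered modules.
$report | Export-Csv -LiteralPath (Join-Path $env:TEMP 'iis-native-modules.csv') -NoTypeInformation
```

Compare each run against the previous baseline CSV; a new `globalModules` entry that points at an unsigned DLL, or at a DLL outside inetsrv, is the kind of change the ESET advice is meant to catch.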
- The campaign is tracked by Palo Alto Networks Unit 42 as Operation Rewrite and CL-UNK-1037.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The threat actor shares infrastructure and architectural overlaps with Group 9 and DragonRank.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- BadIIS is a malicious native IIS module used for SEO poisoning.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- BadIIS intercepts and modifies HTTP traffic to serve malicious content.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign uses three variants of BadIIS modules for SEO poisoning.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The threat actor creates new local user accounts and drops web shells for persistent access.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign uses a reverse proxy mechanism to manipulate search engine results.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The threat actor is assessed with high confidence to be Chinese-speaking based on linguistic evidence and infrastructure links.
  First reported: 23.09.2025 11:13 · 2 sources, 2 articles
  - BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells — thehackernews.com — 23.09.2025 11:13
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign has been active since March 2025.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign uses compromised servers as reverse proxies to manipulate search engine results.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign targets users in East and Southeast Asia.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign involves injecting compromised websites with keywords to improve SEO rankings.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign uses a two-phase attack flow involving luring search engines and trapping victims.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign uses custom implants tailored to manipulate search engine results and control traffic flow.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign exfiltrates web application source code from compromised servers.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign uploads BadIIS implants as DLL files to compromised web servers.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign's BadIIS module identifies search engine crawlers and serves poisoned content.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
- The campaign redirects victims to scam websites upon clicking poisoned search results.
  First reported: 23.09.2025 13:47 · 1 source, 1 article
  - SEO Poisoning Campaign Tied to Chinese Actor — www.darkreading.com — 23.09.2025 13:47
Similar Happenings
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.
TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks
TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
Vane Viper Cybercrime Operation Linked to PropellerAds and AdTech Holding
The cybercrime operation Vane Viper, active for over a decade, is supported by the commercial digital advertising platform PropellerAds and its parent company AdTech Holding. Vane Viper exploits hundreds of thousands of compromised websites and malicious ads to redirect users to exploit kits, malware droppers, botnets, scams, and ransomware. The operation uses a traffic distribution system (TDS) to create complex redirection chains, making it difficult for security researchers to analyze. Vane Viper is one of the most prevalent threat groups observed in the past year, appearing in about half of Infoblox's customer networks and accounting for approximately 1 trillion DNS queries. The operation features 'CDN-grade infrastructure' that poses a risk to both consumers and enterprise users. Researchers have uncovered evidence tying Vane Viper directly to PropellerAds and AdTech Holding, indicating that the threat group is not just hiding behind the adtech platform but is integral to it. The operation has been linked to various malicious activities, including malvertising campaigns, malware droppers, phishing campaigns, tech support scams, infostealer campaigns, and botnets. Vane Viper has been found to register vast numbers of new domains each month, scaling a high of 3,500 domains in October 2024, and has been linked to the Android malware called Triada.
SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.