
GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module


Summary


GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and the Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets a range of sectors, including education, healthcare, technology, transportation, insurance, and retail, and uses SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation uses PowerShell to download malware tools and relies on exploits such as EfsPotato and BadPotato for privilege escalation.

Timeline

  1. 04.09.2025 20:58 (2 articles)

    GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

    Gamshen is implemented as a native IIS component with malicious capabilities: it intercepts HTTP requests in order to serve links to websites GhostRedirector wants to promote. Microsoft has previously warned about the threat posed by malicious IIS modules. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators.


Similar Happenings

APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign

The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by the China-linked group APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information, and the campaign coincides with contentious U.S.-China trade negotiations. The threat actors abuse software and cloud services to cover their tracks, with the aim of stealing valuable data and gaining unauthorized access to systems. The committee has noted similar tactics in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing campaign. APT41 is known to conduct financially motivated activity in addition to state-sponsored espionage, and has targeted sectors including logistics, utilities, healthcare, high-tech, and telecommunications. To mitigate such attacks, the committee recommends phishing-awareness training for users, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools.

Multi-year phishing-as-a-service operation on Google Cloud and Cloudflare

A large-scale phishing-as-a-service (PhaaS) operation has been running undetected for over three years on Google Cloud and Cloudflare. The scheme involved 48,000 hosts and 80 clusters, using expired domains to impersonate high-profile brands and deliver malware and gambling content. It exposed companies to regulatory and legal risk and victims to credential theft and data exposure. The campaign was discovered by Deep Specter Research, which found that the operators used cloaking techniques to manipulate search engine rankings and hide illicit content. The infrastructure included 86 physical IP addresses on Google Cloud in Hong Kong and Taiwan, along with 44,000 virtual IP addresses from Google Cloud and 4,000 from other providers. The operation affected 200 known organizations, including Fortune 500 companies. The discovery highlights the need for companies to actively monitor and secure their expired or dormant domains to prevent such abuse.

Iranian Homeland Justice Group Targets Global Embassies in Phishing Campaign

An Iranian-aligned group, Homeland Justice, has conducted a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions. The emails are disguised as legitimate diplomatic communications and are sent from compromised email accounts, exploiting geopolitical tensions to lure recipients into opening malicious Microsoft Word documents. The resulting malware establishes persistence, contacts a command-and-control server, and harvests system information. The campaign is part of a broader regional espionage effort aimed at diplomatic and governmental entities during a period of heightened geopolitical tension. It began on August 19, 2025, and targeted around four dozen embassies, consulates, and government ministries worldwide, as well as various international organizations. The campaign is assessed to have concluded shortly after it began, with the attackers' command-and-control infrastructure now appearing inactive.

Lazarus Group Deploys PondRAT, ThemeForestRAT, and RemotePE in DeFi Sector Attack

The North Korea-linked Lazarus Group targeted a decentralized finance (DeFi) organization in 2024 with a social engineering campaign that deployed three distinct malware families: PondRAT, ThemeForestRAT, and RemotePE. The attack began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The attackers then used a range of tools for discovery, credential harvesting, and proxy connections, progressing through multiple stages and switching between remote access trojans (RATs) to maintain stealth and control. The initial compromise deployed PondRAT, a simplified variant of POOLRAT, which enabled further infiltration; ThemeForestRAT handled more advanced tasks; and RemotePE, the most sophisticated of the three, was reserved for high-value targets. The attack illustrates the group's evolving tactics and its use of multiple malware families to achieve its objectives.

Ukrainian Network FDN3 Conducts Large-Scale Brute-Force Attacks on SSL VPN and RDP Devices

A Ukrainian IP network, FDN3 (AS211736), has been identified as the source of extensive brute-force and password-spraying attacks against SSL VPN and RDP devices. The attacks took place between June and July 2025 and involved multiple interconnected autonomous systems. The campaign is linked to broader abusive infrastructure, including networks in Ukraine and Seychelles, and is associated with bulletproof hosting services. The attacks aimed to gain initial access to corporate networks, a tactic used by various ransomware-as-a-service (RaaS) groups. The network's activity fits a larger pattern of malicious behavior enabled by offshore ISPs, which provide anonymity and allow abusive activity to continue.