GhostRedirector Windows-server SEO fraud campaign
Campaign
Summary
The GhostRedirector campaign has compromised at least 65 Windows servers, creating persistent footholds for SEO fraud and remote command execution. The operation deployed the Rungan backdoor and the Gamshen IIS module, which manipulates search results visible to Googlebot. Activity has been ongoing since at least August 2024 and has affected servers in Brazil, Thailand, and Vietnam. The multi-stage access pattern and long-term tooling show a coordinated operation built to sustain control and monetize compromised infrastructure.
Related Happenings
Russia-linked DRILLAPP campaign targeting Ukrainian entities
Campaign
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Europol-coordinated Tycoon2FA takedown
Law Enforcement
First: 04.03.2026 19:01
Last: 04.03.2026 19:01
Sources 1
About this happening:
**Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...
Latest development: 23.03.2026 23:52
CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
UAT-8099 IIS SEO fraud campaign targeting vulnerable Asia-based IIS servers
Campaign
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**UAT-8099** launched a **late 2025 to early 2026** campaign against **vulnerable IIS servers** across **Asia**, with the strongest concentration in **Thailand and Vietnam**. The...
Timeline
- 04.09.2025 20:58 · 1 article
Initial report: GhostRedirector Windows-server SEO fraud campaign
Initial Disclosure: Initial access appears to have come through a **likely SQL injection** flaw, after which **PowerShell** pulled tools from the staging domain **868id[.]com**.
- GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module — thehackernews.com — 04.09.2025 20:58