Cybersecurity researchers have uncovered GhostRedirector, a threat cluster targeting Windows servers for SEO fraud and remote access. This campaign involves malicious IIS modules, backdoors, and privilege escalation tools, with a suspected China affiliation. #GhostRedirector #IISerpent
Key points
- GhostRedirector has compromised at least 65 Windows servers mainly in Brazil, Thailand, and Vietnam.
- The intrusions deploy a passive backdoor named Rungan for remote access and a malicious IIS module named Gamshen for the SEO fraud.
- Initial access most likely comes through SQL injection; the follow-on tools are then deployed with PowerShell.
- Gamshen hijacks search engine crawlers to manipulate search rankings and promote shady websites, including gambling sites.
- The threat actor is assessed to be China-aligned, based on Chinese-language traces in its code and its use of Chinese infrastructure.
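The crawler-conditioned behaviour described above can be checked from outside the server: request the same URL as a browser and as a search-engine crawler and compare what comes back. The Python script below is an added example written for this summary; it is not code from ESET or from the GhostRedirector report. It lists third-party hosts that only the crawler's copy of the page links to, which is the fingerprint of an SEO-fraud module injecting promoted sites. The user-agent strings, the www.example.com site and the casino.example / bet.example hosts in the sample pages are assumptions; the two HTML bodies are constructed, and fetch_pair() shows how real ones would be obtained.

```python
"""Cloaking check for a site suspected of hosting an SEO-fraud IIS module.

Added example for this summary; not code from the GhostRedirector report or
from ESET.  It compares the page a normal browser receives with the page
served to a search-engine crawler user agent and lists the third-party hosts
that appear only in the crawler's copy.  The HTML bodies at the bottom are
constructed samples; fetch_pair() shows how to obtain real ones.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# User-Agent strings are assumptions for illustration.  A cloaking module may
# key on one specific crawler string, so test with the one you care about.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collects the host part of every <a href=...> in a document."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = urlparse(href).netloc.lower()
        if host:
            self.hosts.add(host)


def outbound_hosts(html):
    """Return the set of hosts linked from the given HTML."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.hosts


def cloaking_report(browser_html, crawler_html, own_host):
    """Compare the browser view and the crawler view of one URL.

    Text-only differences are common (consent banners, A/B tests), so the
    verdict keys on outbound hosts that only the crawler is shown, after
    excluding the site's own host.
    """
    own = own_host.lower()
    browser_hosts = {h for h in outbound_hosts(browser_html) if h != own}
    crawler_hosts = {h for h in outbound_hosts(crawler_html) if h != own}
    b_digest = hashlib.sha256(browser_html.encode("utf-8")).hexdigest()
    c_digest = hashlib.sha256(crawler_html.encode("utf-8")).hexdigest()
    crawler_only = sorted(crawler_hosts - browser_hosts)
    return {
        "identical": b_digest == c_digest,
        "browser_sha256": b_digest,
        "crawler_sha256": c_digest,
        "crawler_only_hosts": crawler_only,
        "suspicious": bool(crawler_only),
    }


def fetch_pair(url, timeout=10):
    """Fetch url once per user agent (needs network; not used by the sample run)."""
    bodies = []
    for ua in (BROWSER_UA, CRAWLER_UA):
        req = Request(url, headers={"User-Agent": ua, "Accept": "text/html"})
        with urlopen(req, timeout=timeout) as resp:
            bodies.append(resp.read().decode("utf-8", errors="replace"))
    return bodies[0], bodies[1]


# Constructed samples: what a compromised site might return to a browser
# versus to a crawler when a module injects hidden links to promoted sites.
BROWSER_PAGE = """<html><body>
<h1>Acme Widgets</h1>
<a href="https://www.example.com/products">Products</a>
<a href="https://www.example.com/contact">Contact</a>
</body></html>"""

CRAWLER_PAGE = """<html><body>
<h1>Acme Widgets</h1>
<a href="https://www.example.com/products">Products</a>
<a href="https://www.example.com/contact">Contact</a>
<div style="display:none">
<a href="https://casino.example/play">best casino</a>
<a href="https://bet.example/signup">online betting</a>
</div>
</body></html>"""

if __name__ == "__main__":
    report = cloaking_report(BROWSER_PAGE, CRAWLER_PAGE, "www.example.com")
    print("identical:", report["identical"])
    print("crawler-only hosts:", report["crawler_only_hosts"])
    print("suspicious:", report["suspicious"])
```

A user-agent swap only catches modules that decide on the User-Agent header; one that also checks the source IP against crawler ranges, or only alters specific paths, will look clean from a single test. On the server itself the complementary check is to review the native IIS modules registered in applicationHost.config and verify that each DLL is expected and signed.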
Read More: https://thehackernews.com/2025/09/ghostredirector-hacks-65-windows.html