Image: helloimnik via Unsplash

'SEO fraud-as-a-service' scheme hijacks Windows servers to promote gambling websites

A previously unknown and possibly China-based hacker group has compromised at least 65 Windows servers worldwide in a fraudulent search engine optimization (SEO) scheme likely aimed at promoting gambling websites, researchers said.

The group, dubbed GhostRedirector by Slovak cybersecurity firm ESET, has been active since at least August 2024 and mainly targeted servers in Brazil, Peru, Thailand, Vietnam and the United States. Its victims came from a wide range of industries, including insurance, healthcare, retail, transportation, technology and education.

Attackers deployed two previously undocumented backdoors, named Rungan and Gamshen. Rungan allows remote command execution, while Gamshen is designed to manipulate Google search rankings by covertly promoting gambling websites, particularly those targeting Portuguese speakers.

“Gamshen probably attempts to compromise as many websites as possible and misuse their reputation to drive traffic to this third-party website,” researchers said, describing it as an “SEO fraud-as-a-service” scheme.

While Gamshen does not deliver malicious content or affect regular visitors, ESET warned that getting caught up in the scheme can damage the reputation of compromised sites by associating them with shady SEO tactics.

Gamshen is embedded directly into Microsoft’s Internet Information Services (IIS) web server as a native module, giving it deep access to traffic and making it harder to detect. GhostRedirector also deployed other tools and public exploits to create privileged accounts on targeted servers, which could be used to install additional malware or to regain access if the original foothold is removed.
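Two defender-side checks that follow from the paragraph above, as an added example that is not part of the article or of ESET's report: the first lists the native modules registered with IIS and flags any whose DLL is unsigned or sits outside the standard inetsrv directories; the second requests the same page with a search-crawler User-Agent and a browser User-Agent and reports links that only the crawler is shown, which is the behaviour the article implies when it says the module promotes third-party sites without affecting regular visitors. Function names, the `$trustedRoots` list, the User-Agent strings and the `www.example.com` URL are assumptions chosen for this example; the script assumes the `WebAdministration` module is present and is run as an administrator on the server.

```powershell
# Added example (not from the article or ESET): two checks for a Windows/IIS host.
# Assumes the IIS role (and therefore the WebAdministration module) is installed.
Import-Module WebAdministration

# 1. Native IIS modules are registered in <globalModules> of applicationHost.config.
#    List them and flag DLLs that are unsigned or outside the expected directories.
function Get-SuspiciousIISModule {
    # Assumed trusted locations; extend for legitimate third-party modules you run.
    $trustedRoots = @(
        [Environment]::ExpandEnvironmentVariables('%windir%\System32\inetsrv'),
        [Environment]::ExpandEnvironmentVariables('%windir%\SysWOW64\inetsrv')
    )
    foreach ($m in Get-WebGlobalModule) {
        # Image paths are usually stored with %windir%, so expand before checking.
        $dll = [Environment]::ExpandEnvironmentVariables($m.Image)
        $inTrustedDir = $false
        foreach ($root in $trustedRoots) {
            if ($dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
        }
        $sigStatus = if (Test-Path -LiteralPath $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } else { 'Missing' }
        [pscustomobject]@{
            Module          = $m.Name
            Image           = $dll
            InTrustedDir    = $inTrustedDir
            SignatureStatus = $sigStatus
            Suspicious      = (-not $inTrustedDir) -or ($sigStatus -ne 'Valid')
        }
    }
}

# 2. Fetch a page once as a crawler and once as a browser; a module that rewrites
#    only crawler traffic shows up as links present in one response but not the other.
function Test-CrawlerCloaking {
    param(
        [Parameter(Mandatory)] [string] $Url,
        # Assumed User-Agent strings; adjust to the crawlers relevant to you.
        [string] $CrawlerUA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
        [string] $BrowserUA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    )
    $crawler = Invoke-WebRequest -Uri $Url -UserAgent $CrawlerUA -UseBasicParsing
    $browser = Invoke-WebRequest -Uri $Url -UserAgent $BrowserUA -UseBasicParsing

    $hrefPattern  = 'href\s*=\s*["'']([^"'']+)["'']'
    $crawlerLinks = [regex]::Matches($crawler.Content, $hrefPattern) |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    $browserLinks = [regex]::Matches($browser.Content, $hrefPattern) |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

    # Links shown only to the crawler are the hallmark of SEO cloaking.
    $crawlerOnly = @($crawlerLinks | Where-Object { $browserLinks -notcontains $_ })

    [pscustomobject]@{
        Url              = $Url
        CrawlerStatus    = $crawler.StatusCode
        BrowserStatus    = $browser.StatusCode
        SameBody         = ($crawler.Content -eq $browser.Content)
        CrawlerOnlyLinks = $crawlerOnly
        LikelyCloaked    = ($crawler.Content -ne $browser.Content) -and ($crawlerOnly.Count -gt 0)
    }
}

# Usage (placeholder URL):
Get-SuspiciousIISModule | Where-Object Suspicious | Format-Table -AutoSize
Test-CrawlerCloaking -Url 'https://www.example.com/' | Format-List
```

The module check only covers native modules registered globally; managed modules declared per site in `<system.webServer><modules>` need a separate pass over each site's `web.config`. A signed DLL in the wrong directory, or an unsigned one anywhere, is worth comparing against a known-good server before it is treated as benign, and the cloaking check should be run from outside the server's own network so the request is routed exactly as a crawler's would be.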

ESET assessed with “medium confidence” that the campaign was carried out by a China-aligned group. Last year, Cisco Talos researchers uncovered another China-linked campaign, DragonRank, which also abused IIS modules for SEO fraud.

While ESET noted some overlap in victim geographies and targeted sectors, the company does not believe the two operations are connected.

“It is likely these were opportunistic attacks, exploiting as many vulnerable servers as possible, rather than targeting a specific set of entities,” the researchers added.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.