Key Takeaways:

A China-backed hacking group is exploiting Windows servers with advanced backdoors and malicious IIS modules.

Compromised systems are being misused to manipulate search engine rankings for gambling sites.

Attacks target diverse sectors worldwide, highlighting the need for stronger server security and monitoring.

A China-linked hacking group dubbed GhostRedirector has quietly breached dozens of Windows servers worldwide. Attackers leverage tools like Rungan and Gamshen to not only gain control but also hijack search engine rankings to promote shady gambling sites.

According to ESET researchers, the threat actor has compromised at least 65 Windows servers since August 2024, with most activity observed between December 2024 and June 2025. Victims are located primarily in Brazil, Thailand, Vietnam, and the United States. The attacks targeted sectors including education, healthcare, insurance, transportation, retail, and technology.

How did the hackers infiltrate Windows servers?

The hacking group behind the GhostRedirector campaign used a range of sophisticated tools to compromise Windows servers. These included Rungan, which is a stealthy backdoor that executes commands via specific URL patterns. They also deployed Gamshen, a malicious IIS module that manipulates search engine bots to boost gambling websites.

Additionally, the cybercriminals leveraged GoToHTTP for remote access, Zunput for reconnaissance and web shell deployment, and used privilege escalation exploits like BadPotato and EfsPotato to gain admin control. The hacking group also used obfuscated .NET tools and signed binaries to maintain persistence and evade detection.

Attack overview (Image Credit: ESET)

Tools and techniques used in the attacks

The GhostRedirector gang began their campaign by exploiting vulnerabilities (most likely SQL injection flaws) in publicly accessible Windows servers. The hackers then used tools like PowerShell and CertUtil to download malware from a staging domain, which allowed them to deploy backdoors and remote access utilities.

To maintain persistence, the attackers created privileged user accounts and used privilege escalation exploits such as BadPotato and EfsPotato. They also used the Comdai tool, which is a custom-built library that functions like a backdoor. It allows hackers to communicate over networks, create admin accounts, execute files, browse directories, and tamper with services and registry settings.

Moreover, the Zunput tool was designed to scan for active websites capable of running dynamic content, gather detailed server information, and then deploy a web shell for deeper access. Finally, the attackers deployed the Rungan and Gamshen payloads.

“The response is modified based on data requested dynamically from Gamshen’s C&C server. By doing this, GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website, by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website,” malware researcher Fernando Tavella explained.

Recommendations for defending against Windows Server attacks

To defend against cyberattacks, organizations should prioritize securing their public-facing servers, especially those running IIS. This includes regularly patching vulnerabilities and monitoring for unusual PowerShell or CertUtil activity. It’s also advised to implement strict access controls, disable unnecessary services, and audit user accounts for unauthorized admin creation.

Additionally, administrators must use endpoint detection tools to spot privilege escalation attempts and inspect IIS modules for tampering in order to catch threats early. Finally, organizations should monitor their websites for SEO manipulation and ensure their servers aren’t being used to host or promote malicious content.
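As an added illustration (not ESET's code and not part of the original article), the following PowerShell audit checks the three items above on an IIS host: native IIS modules loaded from unexpected paths or without a valid Microsoft signature, local Administrators membership with recent account-management events, and process launches where CertUtil or PowerShell pulled content from a URL. It assumes the WebAdministration module, the LocalAccounts cmdlets (Windows Server 2016 or later), and Security-log auditing of account management and of process creation with command-line logging enabled; the 30-day window and the name "suspectModules" are choices made for this example.

```powershell
# Hypothetical audit script (added example, not ESET's or the article's code).
# Assumes: WebAdministration module, Get-LocalGroupMember available, and
# Security auditing for account management (4720/4732) and process creation
# with command-line logging (4688) turned on.
Import-Module WebAdministration

# 1. Native (global) IIS modules. A malicious module like Gamshen registers
#    here; its DLL typically sits outside %windir%\System32\inetsrv and is
#    not signed by Microsoft. Anything matching is listed for review.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$suspectModules = Get-WebGlobalModule | ForEach-Object {
    $image = [Environment]::ExpandEnvironmentVariables($_.Image)
    $sig   = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Module    = $_.Name
        Image     = $image
        InInetsrv = $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
        Signature = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Where-Object { -not $_.InInetsrv -or $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }

# 2. Who is a local administrator right now, plus account creations (4720)
#    and additions to local security groups (4732) in the last 30 days.
$since      = (Get-Date).AddDays(-30)
$admins     = Get-LocalGroupMember -Group 'Administrators'
$acctEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue

# 3. Process-creation events whose command line shows CertUtil or PowerShell
#    fetching content from a URL, the download pattern described above.
$dlPattern = 'certutil(\.exe)?\s.*-urlcache|powershell(\.exe)?\s.*(DownloadString|DownloadFile|Invoke-WebRequest|iwr\s)'
$downloads = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $dlPattern }

"== IIS global modules needing review =="
$suspectModules | Format-Table Module, Image, Signature, Signer -AutoSize
"== Local Administrators =="
$admins | Format-Table Name, PrincipalSource -AutoSize
"== Account creation / local group changes since $since =="
$acctEvents | Format-Table TimeCreated, Id -AutoSize
"== Process launches that downloaded from a URL =="
$downloads | Select-Object TimeCreated, Message | Format-List
```

Legitimate third-party IIS modules (for example a PHP or hosting-panel handler) will also appear in the first table, so compare the output against a known-good baseline from a clean build rather than treating every hit as compromise.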