A previously undocumented threat group has compromised at least 65 Windows IIS servers with two custom-built tools designed for stealthy SEO fraud and persistent backdoor access. Dubbed GhostRedirector by ESET researchers, the China-aligned actor deployed a native IIS module called Gamshen that alters web responses only for search engine crawlers, manipulating Google rankings to promote third-party gambling sites while leaving regular visitor traffic untouched. The campaign, active between December 2024 and April 2025 with new victims found in a June 2025 internet scan, strikes across Brazil, Thailand, Vietnam, the United States, and several other countries, with no single industry spared—education, healthcare, insurance, retail, and technology organizations have all been hit.

This dual-pronged approach blends financial motivation with operational resilience. Alongside the cloaking module, GhostRedirector uses a passive C++ backdoor called Rungan for remote command execution, service manipulation, and registry persistence. The attackers chain web shells, publicly known privilege escalation exploits like EfsPotato and BadPotato, rogue user accounts, and scheduled tasks to lock down long-term access. Even if defenders remove one implant, fallback mechanisms allow re-compromise. The result is a campaign that silently monetizes infected infrastructure while evading routine audits and signature-based defenses.

Gamshen: The IIS Module Designed for Cloaking

At the heart of GhostRedirector’s SEO fraud operation is Gamshen, a malicious native IIS module registered as a DLL and loaded into the w3wp.exe worker process. From that privileged position, it inspects every incoming HTTP request and selectively alters responses when it detects known crawler user-agent strings or IP ranges belonging to Googlebot, Bingbot, and similar services. When a search engine crawler fetches a page from a compromised site, Gamshen delivers injected content—redirects, keyword-stuffed links, or other black-hat SEO material—that artificially boosts the ranking of attacker-controlled gambling domains. Meanwhile, a human visitor using a standard browser sees the site normally, with no visible signs of tampering.

This in-process design makes detection extraordinarily difficult. Because Gamshen runs inside the web server itself, no malicious files need to be written to the site’s public folder. Traditional file-integrity scans, web content audits, and even manual reviews of page source miss the cloaking completely. To catch Gamshen, defenders must explicitly compare HTTP responses fetched with a crawler user-agent against those returned to a regular browser from a trusted location. The module’s registration entries in IIS configuration files and unusual DLLs loaded by w3wp.exe are the most reliable forensic indicators.

ESET researcher Fernando Tavella warns that the reputational damage can be severe. “Even though Gamshen only modifies the response when the request comes from Googlebot… participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques, as well as with the boosted websites,” he said. Search engines routinely penalize or delist domains caught serving cloaked content, which erodes organic traffic, brand trust, and, for e-commerce sites, direct revenue. In regulated sectors like healthcare and insurance, the presence of such manipulation may also trigger compliance and breach notification obligations.

Rungan: A Passive C++ Backdoor for Persistent Control

Complementing Gamshen is Rungan, a passive C++ backdoor that offers GhostRedirector’s operators full control over compromised servers. Unlike aggressive implants that beacon constantly, Rungan waits for incoming commands from a remote controller, blending quietly into system processes. Its capabilities include command execution, file upload and download, directory enumeration, Windows service manipulation, and registry key modification. Because it is compiled native code with minimal runtime dependencies, Rungan avoids many signature-based antivirus detections and integrates seamlessly with standard Windows persistence primitives.

The backdoor’s service and registry manipulation features multiply cleanup headaches. Even if defenders identify and delete the Rungan binary, related scheduled tasks, service entries, or registry hooks can survive and allow attackers to restore the implant. In several observed intrusions, operators layered Rungan with multiple web shells and used the Potato family of local privilege escalation tools to gain SYSTEM-level access, ensuring that no single point of failure could sever their foothold.

Attack Chain and Persistence Mechanisms

ESET’s telemetry and subsequent internet-wide scanning reveal a repeatable intrusion pattern that begins with exploitation of a web-facing vulnerability—most likely SQL injection. Once inside, attackers stage web shells and downloaders to establish an initial foothold. They then deploy EfsPotato, BadPotato, or similar tools to escalate to SYSTEM, a move that enables creation of rogue local administrator accounts, installation of malicious services, and registration of the Gamshen IIS module. Throughout this process, the operators sprinkle in multiple remote access methods: the Rungan backdoor, additional web shells, scheduled tasks that fetch and execute payloads, and fallback accounts. This layered resilience means that removing a single artifact rarely cleans the system; comprehensive containment demands a full forensic rebuild.

From a detection standpoint, the most telling signs include:
- Unexpected DLLs in %SystemRoot%\System32\inetsrv or custom module paths.
- Invocations of AppCmd.exe to register new IIS modules outside change windows.
- Divergent HTTP response content when requested with Googlebot or Bingbot user-agents versus Chrome or Firefox from the same IP range.
- Named pipe creation and token impersonation events characteristic of Potato exploits, best captured with Sysmon named-pipe and process-creation (command-line) events.
- Newly minted local administrator accounts or suspicious scheduled tasks running elevated binaries.

Victimology: Targeting Internet-Facing IIS Infrastructure Globally

The map of GhostRedirector victims is geographically diverse but concentrated in Brazil, Thailand, Vietnam, and the United States. ESET notes that many U.S.-hosted servers are actually leased to companies based in the other three countries, suggesting the actor’s true interest lies in Latin America and Southeast Asia. Additional victims appear in Canada, Finland, India, the Netherlands, the Philippines, and Singapore. No single vertical dominates; affected organizations span education, healthcare, insurance, transportation, technology, and retail—implying opportunistic targeting of any exposed IIS surface rather than a focused espionage agenda.

This cross-border hosting pattern carries practical implications. Incident response teams must account for the fact that the hosting country may differ from the victim entity’s primary jurisdiction, complicating legal notifications and coordination with local authorities. Moreover, defenders should treat all internet-facing IIS hosts as critical assets, subjecting them to the same level of hardening, monitoring, and patch discipline as domain controllers or VPN gateways.

Detection and Remediation Playbook

ESET’s research includes specific mitigation guidance that defenders can operationalize immediately. The following steps outline a three-phase response:

Immediate containment (0–24 hours):
- Isolate suspected hosts from the network to halt live abuse and crawler-triggered activity.
- Collect full forensic artifacts: memory dumps of w3wp.exe, copies of applicationHost.config, IIS module lists, event logs, Sysmon logs, and web request logs.
- Preserve evidence and, if possible, avoid rebooting before memory and disk images are captured.

Short-term remediation (24–72 hours):
- Remove unauthorized IIS modules and unknown DLLs loaded into w3wp.exe worker processes; document every change.
- Delete web shells, rogue scheduled tasks, and suspicious user accounts. Reset passwords for all local and service accounts that may have been compromised.
- Revoke and rotate certificates, API keys, and any credentials found in logs or configuration files.
- Patch the underlying web application vulnerabilities, prioritizing fixes for SQL injection or other code-execution flaws that enabled initial access.
- Deploy or tune a Web Application Firewall (WAF) to block malicious HTTP requests and log anomalies for further hunts.

Long-term recovery and hardening (weeks):
- Rebuild compromised hosts from trusted golden images. Avoid file-level scrubbing, which misses in-memory implants and subtle persistence mechanisms.
- Enforce least privilege for module registration and administrative tasks. Use just-in-time administrative access and multi-factor authentication for all server admins.
- Maintain immutable backups and offline snapshots to accelerate recovery and validate integrity.
- Harden application code through secure development lifecycle practices, including regular code reviews and penetration testing.
- Deploy system-wide telemetry: enable Sysmon with command-line and named-pipe logging, deploy EDR solutions, and correlate web logs with crawler and client traffic patterns.

Specific detection rules and hunt queries should flag:
- Any unrecognized DLL loaded by w3wp.exe or unusual module names in applicationHost.config.
- HTTP responses that differ between crawler and browser user-agents.
- Sysmon patterns for named pipe creation and token impersonation aligned with Potato exploits.
- AppCmd.exe module registrations outside approved change windows.
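One way to operationalize the applicationHost.config checks from both detection lists above (unexpected DLLs outside inetsrv, unfamiliar module names in the globalModules section). This is an example added here, not ESET's or any vendor's code; the sample config fragment, the `SeoCacheModule` entry and the `C:\ProgramData\iisopt` path are constructed, and the allowlist is deliberately short.

```python
"""Audit the <globalModules> section of an IIS applicationHost.config for native
modules that are unknown by name or whose DLL is loaded from outside the inetsrv
directory (added example, not ESET's code; sample config and the 'SeoCacheModule'
entry are constructed)."""
import xml.etree.ElementTree as ET

# Default location of Microsoft-shipped native modules (assumption: standard install).
TRUSTED_DIR = r"%windir%\system32\inetsrv"

# Allowlist of module names; build the real list from a clean golden image,
# never from the suspect host.
KNOWN_MODULES = {
    "UriCacheModule", "FileCacheModule", "StaticFileModule", "DefaultDocumentModule",
    "AnonymousAuthenticationModule", "RequestFilteringModule", "HttpLoggingModule",
}

# Constructed applicationHost.config fragment: two normal entries, one module with
# an unknown name, and one that reuses a legitimate name but loads from Temp.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="SeoCacheModule" image="C:\ProgramData\iisopt\seocache.dll" />
      <add name="HttpLoggingModule" image="C:\Windows\Temp\loghttp.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def audit_global_modules(config_xml: str) -> list:
    """Return one finding per native module that fails either check."""
    findings = []
    for section in ET.fromstring(config_xml).iter("globalModules"):
        for entry in section.findall("add"):
            name, image = entry.get("name", ""), entry.get("image", "")
            reasons = []
            if name not in KNOWN_MODULES:
                reasons.append("name not on allowlist")
            if not image.lower().startswith(TRUSTED_DIR):  # TRUSTED_DIR is lowercase
                reasons.append("DLL outside inetsrv")
            if reasons:
                findings.append({"name": name, "image": image, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG):
        print(f"{f['name']:<20} {f['image']:<45} {f['reason']}")
```

A name that matches the allowlist but loads from an unusual path is still flagged, which matters because a malicious module can register under a legitimate-looking name.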

Strategic Takeaways for CISOs and Platform Owners

GhostRedirector exemplifies the convergence of cybercrime monetization and advanced persistent threat tactics. The use of a custom, in-process IIS module for cloaking is not a one-off; earlier ESET research on IISerpent demonstrated the same fundamental approach. SEO fraud-as-a-service is profitable, and attackers are willing to invest in bespoke malware that evades conventional defenses. For organizations, the lesson is clear: assume that any internet-facing web server might be targeted for such abuse, and architect detection and response around behavioral anomalies rather than static signatures.

A defense-in-depth model is non-negotiable. WAF, EDR, Sysmon, robust logging, and multi-factor authentication for admin actions together reduce both the likelihood of successful intrusion and the time to detect active compromise. Regularly conduct crawler-aware audits: compare responses seen by Googlebot against those returned to regular users, and automate fuzzing with various user-agents to spot transient manipulations. Finally, given the layered persistence described here, incident response playbooks must default to a full rebuild of compromised hosts, supported by immutable backups and forensic imaging, to guarantee eradication.
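The crawler-aware audit recommended here, and in the Gamshen and detection sections above (compare the Googlebot view of a page with the browser view), as an example added here rather than ESET's or the article's own tooling. The two sample pages, the domain names in them and the `www.example.com` site host are constructed placeholders.

```python
"""Crawler-aware cloaking audit: request one URL as Googlebot and as a browser, then
report outbound link hosts and meta-refresh redirects present only in the crawler's
copy (added example, not ESET's tooling; sample pages and domains are constructed)."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"

class LinkCollector(HTMLParser):  # collects <a href> targets and notes meta refresh
    def __init__(self):
        super().__init__()
        self.hrefs, self.meta_refresh = set(), False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.add(a["href"])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True

def analyse(html: str, site_host: str):
    """Return (external link hosts, meta_refresh flag) for one response body."""
    p = LinkCollector(); p.feed(html)
    hosts = {urlparse(h).hostname for h in p.hrefs}
    return {h for h in hosts if h and h != site_host}, p.meta_refresh

def diff_views(crawler_html: str, browser_html: str, site_host: str) -> dict:
    """Flag content the crawler received that a browser did not."""
    c_hosts, c_refresh = analyse(crawler_html, site_host)
    b_hosts, b_refresh = analyse(browser_html, site_host)
    only = sorted(c_hosts - b_hosts)          # hosts linked only in the crawler view
    refresh = c_refresh and not b_refresh     # redirect served only to the crawler
    return {"crawler_only_hosts": only, "crawler_only_refresh": refresh,
            "suspicious": bool(only) or refresh}

def fetch(url: str, user_agent: str) -> str:
    """Live fetch with a chosen User-Agent (network; not used by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed responses: the crawler view carries an extra link and a meta refresh.
BROWSER_VIEW = '<html><body><a href="/about">About</a><a href="https://cdn.example.net/a.js">cdn</a></body></html>'
CRAWLER_VIEW = ('<html><head><meta http-equiv="refresh" content="0;url=https://promo-placeholder.example/"></head>'
                '<body><a href="/about">About</a><a href="https://cdn.example.net/a.js">cdn</a>'
                '<a href="https://promo-placeholder.example/">best odds</a></body></html>')

if __name__ == "__main__":
    print(diff_views(CRAWLER_VIEW, BROWSER_VIEW, "www.example.com"))
```

Because Gamshen can also key on crawler IP ranges, a spoofed user-agent from an ordinary address may not trigger the cloaking; the live URL test in Google Search Console shows the page as Googlebot itself fetched it.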

ESET’s attribution of GhostRedirector as “very likely China-aligned” is based on tooling, infrastructure overlaps, and TTP similarities—an analytic judgment, not an absolute. Organizations should use such assessments to inform risk posture without conflating alignment with mission or state sponsorship. The most immediate concern remains the operational reality: a skilled, motivated group has demonstrated a scalable method to monetize compromised IIS servers while maintaining resilient access. For Windows and IIS administrators, the call to action is unambiguous: harden, hunt, and prepare to rebuild.