VERY IMPORTANT

ESET researchers have identified a new threat actor, GhostRedirector, targeting Windows servers with custom tools. The group has compromised at least 65 servers, mainly in Brazil, Thailand, and Vietnam, across various sectors. Their arsenal includes Rungan, a passive C++ backdoor, and Gamshen, a malicious IIS module for SEO fraud. GhostRedirector also uses public exploits for privilege escalation and creates rogue user accounts to maintain access. The attacks aim to manipulate Google search results, promoting gambling websites through shady SEO techniques. Evidence suggests GhostRedirector is a China-aligned actor, active since at least August 2024. The campaign demonstrates sophisticated tactics for server compromise and long-term access maintenance.