ESET researchers have identified a new threat actor, GhostRedirector, targeting Windows servers with custom tools. The group has compromised at least 65 servers, mainly in Brazil, Thailand, and Vietnam, across various sectors. Their arsenal includes Rungan, a passive C++ backdoor, and Gamshen, a malicious IIS module for SEO fraud. GhostRedirector also uses public exploits for privilege escalation and creates rogue user accounts to maintain access. The attacks aim to manipulate Google search results, promoting gambling websites through shady SEO techniques. Evidence suggests GhostRedirector is a China-aligned actor, active since at least August 2024. The campaign demonstrates sophisticated tactics for server compromise and long-term access maintenance.

Author: AlienVault
Related Tags:
Comdai
Zunput
Gamshen
Rungan
china-aligned
windows servers
iis module
privilege escalation
Insurance
Associated Indicators:
21E877AB2430B72E3DB12881D878F78E0989BB7F
BE2AC4A5156DBD9FFA7A9F053F8FA4AF5885BE3C
030201090405060708090A0B0C0D0E0F
https://xzs.868id.com/link.exe
http://gobr.868id.com/tz.php
https://www.cs01.shop
https://xzs.868id.com/iis/IISAgentDLL.dll
https://brproxy.868id.com/url/index_base64.php
http://xz.868id.com/EfsPotato_sign.exe