GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

ESET researchers have identified a new threat actor, GhostRedirector, targeting Windows servers with custom tools. The group has compromised at least 65 servers, mainly in Brazil, Thailand, and Vietnam, across various sectors. Their arsenal includes Rungan, a passive C++ backdoor, and Gamshen, a malicious IIS module for SEO fraud. GhostRedirector also uses public exploits for privilege escalation and creates rogue user accounts to maintain access. The attacks aim to manipulate Google search results, promoting gambling websites through shady SEO techniques. Evidence suggests GhostRedirector is a China-aligned actor, active since at least August 2024. The campaign demonstrates sophisticated tactics for server compromise and long-term access maintenance.

Author: AlienVault

Related Tags:
Comdai

Zunput

Gamshen

Rungan

china-aligned

windows servers

iis module

privilege escalation

Insurance

Associated Indicators: