GhostRedirector Compromises 65 Windows Servers Through Rungan Backdoor and Gamshen IIS Module

Sep 04, 2025
Data Breach / Malware

Cybersecurity experts have uncovered a new threat cluster known as GhostRedirector, which has infiltrated at least 65 Windows servers predominantly located in Brazil, Thailand, and Vietnam. According to Slovak cybersecurity firm ESET, the attacks have resulted in the installation of a passive C++ backdoor named Rungan, alongside a native Internet Information Services (IIS) module referred to as Gamshen. The threat actor is thought to have been active since at least August 2024.

“While Rungan can execute commands on an infected server, Gamshen is designed to facilitate SEO fraud as-a-service, manipulating search engine results to enhance the page ranking of a specified target website,” stated ESET researcher Fernando Tavella in a report shared with The Hacker News. “Notably, Gamshen only alters responses when requests come from Googlebot, ensuring that regular visitors are not impacted.”

GhostRedirector Compromises 65 Windows Servers Through Rungan Backdoor and Gamshen IIS Module

In a recent cybersecurity investigation, researchers from the Slovak firm ESET have uncovered a sophisticated threat cluster known as GhostRedirector, responsible for breaching at least 65 Windows servers, predominantly situated in Brazil, Thailand, and Vietnam. According to ESET, the malicious activity associated with this group has been leading to the installation of a stealthy C++ backdoor named Rungan alongside a specialized Internet Information Services (IIS) module tagged as Gamshen. The origins of the attack trace back to at least August 2024.

The Rungan backdoor serves as a conduit for executing commands on affected servers, while the Gamshen module is engineered for a specific nefarious objective: to provide SEO fraud services. This functionality allows threat actors to manipulate search engine outcomes, artificially inflating the rankings of designated websites, thereby enhancing their visibility on platforms like Google. ESET researcher Fernando Tavella highlighted that Gamshen’s operations are particularly insidious because it modifies server responses exclusively when requests originate from Googlebot, notably leaving standard users unaffected by its decided malfeasance.

The targeting of Windows servers, a staple for many organizations, presents a significant security concern. With a substantial presence in key regions such as Brazil, Thailand, and Vietnam, those regions have become significant vectors for this ongoing campaign. By exploiting the vulnerabilities inherent in these servers, the attackers establish a foothold that allows for sustained interaction and further exploitation.

To strategically analyze the potential tactics employed by GhostRedirector, we can reference the MITRE ATT&CK matrix, which offers a comprehensive framework for understanding adversary behaviors in cyber incidents. Initial access may have been achieved through techniques such as phishing or exploiting software vulnerabilities, which are prevalent in server environments. Once inside, maintaining persistence would likely entail leveraging the Rungan backdoor, enabling the actors to maneuver undetected.

Privilege escalation techniques might have also been crucial, allowing the attackers to gain elevated permissions that facilitate broader control over the compromised systems. Ultimately, the manipulation of search engine results through Gamshen underscores not only the breadth of the attack but also the increasing sophistication of cybercriminals, who now offer services that were once the domain of traditional black-hat hacking.

As businesses continue to navigate an ever-evolving cybersecurity landscape, the emergence of GhostRedirector serves as a stark reminder of the complexity and peril associated with cyber threats. Organizations should remain vigilant, ensuring that their IT infrastructures adhere to the latest security protocols to guard against similar attacks that exploit known vulnerabilities and employ advanced tactics to compromise systems. Adopting a proactive stance is critical for safeguarding sensitive data and maintaining operational integrity in the face of these evolving threats.

Source link

Related Posts

SAP S/4HANA Suffers Active Exploitation of Critical Vulnerability CVE-2025-42957

Sep 05, 2025
Vulnerability / Enterprise Security

A serious security flaw in SAP S/4HANA, a popular Enterprise Resource Planning (ERP) system, is currently being exploited in the wild. This command injection vulnerability, designated as CVE-2025-42957 and given a CVSS score of 9.9, was recently addressed by SAP in its monthly updates. According to the NIST National Vulnerability Database (NVD), “SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC.” This flaw allows for the injection of arbitrary ABAP code into the system, bypassing critical authorization checks. A successful attack could compromise the entire SAP environment, threatening the confidentiality, integrity, and availability of the system. Attackers could manipulate the SAP database, create superuser accounts with SAP_ALL privileges, extract password hashes, and disrupt business processes.

TAG-150 Develops CastleRAT in Python and C, Enhancing CastleLoader Malware Operations

September 05, 2025
Botnet / Malware

The threat actor behind the malware-as-a-service (MaaS) framework and loader known as CastleLoader has introduced a remote access trojan, CastleRAT. Available in both Python and C versions, CastleRAT primarily functions to collect system information, download and execute additional payloads, and run commands via CMD and PowerShell, according to Recorded Future’s Insikt Group. The cybersecurity firm is monitoring the malicious activities attributed to TAG-150, which is believed to have been operational since at least March 2025. CastleLoader and its variants serve as initial access points for various secondary payloads, including other remote access trojans, information stealers, and additional loaders. CastleLoader (also referred to as CastleBot) was first reported by Swiss cybersecurity firm PRODAFT in July 2025, highlighting its use in campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. Further analysis…

CISA Urges Immediate Patching of Critical Sitecore Vulnerability Under Active Attack

September 5, 2025
Vulnerability / Threat Intelligence

Federal Civilian Executive Branch (FCEB) agencies are directed to update their Sitecore systems by September 25, 2025, due to a critical security vulnerability, identified as CVE-2025-53690, that is currently being exploited. The vulnerability has a CVSS score of 9.0 out of 10, highlighting its severity. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this flaw affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, allowing for deserialization of untrusted data through default machine keys. This presents an opportunity for attackers to execute remote code by exploiting exposed ASP.NET machine keys. Mandiant, a Google-owned cybersecurity firm, reported that the ongoing ViewState deserialization attacks utilized a sample machine key found in Sitecore deployment guides from 2017 and earlier. The threat intelligence team…

“Noisy Bear Campaign Disguised as Phishing Test Revealed Targeting Kazakhstan’s Energy Sector”

Sep 06, 2025 – Malware / Cyber Espionage

A suspected Russian threat actor is behind a series of attacks aimed at Kazakhstan’s energy sector, identified as Operation BarrelFire by Seqrite Labs, which tracks the group as Noisy Bear. Active since at least April 2025, the campaign specifically targets employees of KazMunaiGas (KMG). The attackers delivered a counterfeit document purporting to be from the KMG IT department, mimicking legitimate internal communications and addressing topics like policy updates, certification processes, and salary adjustments. According to security researcher Subhajeet Singha, the infection process starts with a phishing email containing a ZIP file that includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions in both Russian and Kazakh to execute a program named “KazMunayGaz_Viewer.”