GhostRedirector Compromises 65 Windows Servers Through Rungan Backdoor and Gamshen IIS Module
Sep 04, 2025
Data Breach / Malware
Cybersecurity experts have uncovered a new threat cluster known as GhostRedirector, which has infiltrated at least 65 Windows servers predominantly located in Brazil, Thailand, and Vietnam. According to Slovak cybersecurity firm ESET, the attacks have resulted in the installation of a passive C++ backdoor named Rungan, alongside a native Internet Information Services (IIS) module referred to as Gamshen. The threat actor is thought to have been active since at least August 2024.
“While Rungan can execute commands on an infected server, Gamshen is designed to facilitate SEO fraud as-a-service, manipulating search engine results to enhance the page ranking of a specified target website,” stated ESET researcher Fernando Tavella in a report shared with The Hacker News. “Notably, Gamshen only alters responses when requests come from Googlebot, ensuring that regular visitors are not impacted.”
Data Breach / Malware
GhostRedirector Compromises 65 Windows Servers Through Rungan Backdoor and Gamshen IIS Module In a recent cybersecurity investigation, researchers from the Slovak firm ESET have uncovered a sophisticated threat cluster known as GhostRedirector, responsible for breaching at least 65 Windows servers, predominantly situated in Brazil, Thailand, and Vietnam. According to ESET,…
GhostRedirector Compromises 65 Windows Servers Through Rungan Backdoor and Gamshen IIS Module
Sep 04, 2025
Data Breach / Malware
Cybersecurity experts have uncovered a new threat cluster known as GhostRedirector, which has infiltrated at least 65 Windows servers predominantly located in Brazil, Thailand, and Vietnam. According to Slovak cybersecurity firm ESET, the attacks have resulted in the installation of a passive C++ backdoor named Rungan, alongside a native Internet Information Services (IIS) module referred to as Gamshen. The threat actor is thought to have been active since at least August 2024.
“While Rungan can execute commands on an infected server, Gamshen is designed to facilitate SEO fraud as-a-service, manipulating search engine results to enhance the page ranking of a specified target website,” stated ESET researcher Fernando Tavella in a report shared with The Hacker News. “Notably, Gamshen only alters responses when requests come from Googlebot, ensuring that regular visitors are not impacted.”