Windows servers hijacked to boost Google rankings for dodgy gambling sites

Chinese group GhostRedirector hijacked at least 65 Windows servers to boost shady gambling sites’ Google rankings
They used two new tools – Rungan and Gamshen
Attacks hit servers mainly in Latin America and South Asia, likely via SQL injection, across multiple industries

Dozens of Windows servers have been hijacked by a Chinese hacking group to boost Google’s rankings for shady gambling websites, experts have found.

Security researchers ESET have outlined the work called GhostRedirector, which started targeting Windows servers in December 2024, ultimately compromising at least 65 of them. After breaking into a server, they would deploy a variety of tools, including two brand new pieces of malware, called Rungan and Gamshen.

Rungan is a classic backdoor, while Gamshen is the one doing the search engine rank boosting. ESET describes it as a malicious Internet Information Services (ISS) trojan, which isn’t malware in the traditional sense, but rather a malicious native ISS module that runs directly within a Windows web server, selectively modifying HTTP responses, but only for Google’s web crawler, Googlebot.

South America and South Asia targeted

The goal is to inject either backlinks or SEO content designed to artificially boost the gambling sites in Google search rankings.

What makes this trojan particularly stealthy is the fact that regular visitors are unaffected, and victim sites will only spot the intrusion after their SEO rankings plummet, or Google flags the site for suspicious behavior.

The majority of the infected servers were located in Latin America and South Asia – Brazil, Peru, Thailand, and Vietnam. Compromised servers were also discovered in the United States, but ESET believes the threat actors were primarily targeting South American and South Asian servers.

The hackers also don’t seem to be targeting any particular industry, since the attacks were seen in education, healthcare, insurance, transportation, technology, and retail verticals.

Initial access was probably achieved by exploiting an SQL injection bug, ESET concluded. From there, they deployed PowerShell to download Windows privilege escalation tools and droppers. From there, they dropped Rungan and Gamshen for the final stage of the attack.