Red Hot Cyber


GhostRedirector: The Black SEO Redirect Campaign That Manipulates Search Engines

Redazione RHC : 5 September 2025 12:51

A cybercriminal group, dubbed GhostRedirector by ESET researchers and linked to the Chinese ecosystem, has quietly deployed a global search engine manipulation scheme based on hacked Windows hosts. According to telemetry and internet scans from June, at least 65 servers in several countries have been compromised. The first confirmed infections were recorded in December, but a series of related samples indicates activity since at least August 2024, so this is not an epidemic, but a long-term campaign with established roles and infrastructure.

At its core are two purpose-built components. Rungan is a passive backdoor written in C++ that, once activated, accepts commands on a compromised machine and acts as a silent remote administration mechanism. Gamshen is a trojan for Internet Information Services (IIS) that modifies web server responses so that Googlebot sees not the original pages but modified versions that benefit third-party gambling domains.

At the search engine level, it appears that legitimate sites link heavily to promoted resources, and ranking algorithms interpret these artificial links as recommendations. As a result, gambling sites’ rankings increase, and the owners of hacked hosts don’t even suspect that their sites are fueling someone else’s SEO scheme.

The attack’s geography shows a clear prevalence in countries in South America and South Asia. The largest number of infected computers was detected in Brazil, Peru, Thailand, Vietnam, and the United States, and the attackers were not limited to a single sector. They targeted educational institutions, medical organizations, insurance companies, transportation companies, technology companies, and retail businesses. This distribution suggests that the selection of victims was not determined by the company’s profile, but by technical signals of vulnerability and the ease of subsequent operation.

According to analysts, the initial entry point is associated with specific SQL injection vulnerabilities. After compromising the web application, the attackers proceeded to the access expansion phase and deployed a chain of loaders and tools on the server. PowerShell control scripts extracted all the necessary components from the same 868id[.]com node, simplifying the logistics of the attack and allowing for quick payload version swapping.

To escape the context of the web process and reach administrator level, the attackers used utilities based on public exploits from the Potato family, specifically the EfsPotato and BadPotato concepts, which are widely used in the Chinese-speaking criminal segment. Some of the samples were correctly digitally signed: the certificate was issued by the TrustAsia RSA Code Signing CA G3 to Shenzhen Diyuan Technology. A valid signature raises the trust that protection mechanisms place in an executable and eases its launch. After escalating privileges, the attackers finished by creating or modifying a local account and adding it to the administrators group, which ensured stable control and the ability to perform sensitive operations without having to exploit the server again.

In addition to the final backdoors, the researchers describe two auxiliary modules that provide reconnaissance and control. The Comdai library performs a number of backdoor-level functions: it establishes network communication with the operators, creates accounts with administrative rights, executes files, obtains directory listings, manipulates services, and modifies Windows Registry keys. A separate component, Zunput, is responsible for inventorying websites capable of running dynamic content. It enumerates the active sites, collects their parameters (the physical path to the web root, site name, IP address, hostname), and then leaves a web shell on the server for further operations.

The final step in the chain is the deployment of the Rungan and Gamshen pair. The former executes a series of commands on the hacked node and supports remote operational activity without noise in the logs, while the latter turns a legitimate resource into an invisible tool for search manipulation. Gamshen’s key trick is selective response substitution for Googlebot only, with the injected content generated dynamically from data supplied by the C2 server. This creates artificial backlinks from trusted domains to the desired pages, which pushes those pages up in the results for the targeted queries. Judging by the description of the mechanics, a third party benefits from this, most likely paying for the SEO fraud as a service, while GhostRedirector acts as a technical contractor with its own arsenal and access controls.
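A defender-side check for the Googlebot-only cloaking described above, added here as an example and not code from the article or from ESET: it compares the external link set of the same page as served to a browser and as served to a crawler user agent, and reports hosts that only the crawler view links to. The sample responses and the hostnames example.test, partner.example and the two .invalid domains are constructed; `fetch_as` is provided for live use but is not called offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

# Realistic User-Agent strings used to request the two views of a page.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag in a document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_domains(html: str, own_host: str) -> set:
    """Return the set of external hosts the page links to (relative links are skipped)."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def crawler_only_domains(browser_html: str, crawler_html: str, own_host: str) -> set:
    """Hosts linked only in the crawler view: the signature of response cloaking."""
    return external_domains(crawler_html, own_host) - external_domains(browser_html, own_host)


def fetch_as(url: str, user_agent: str) -> str:
    """Fetch a page with the given User-Agent (needs network; unused by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample responses for one page of a hypothetical site, example.test.
BROWSER_VIEW = ('<html><body><a href="/about">About</a>'
                '<a href="https://partner.example/login">Partner</a></body></html>')
CRAWLER_VIEW = BROWSER_VIEW.replace("</body>",
    '<div><a href="https://casino-promo.invalid/play">win</a>'
    '<a href="https://bet-site.invalid/">bet</a></div></body>')
```

For a live check, call `crawler_only_domains(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA), host)`; a non-empty result on a site you own warrants inspecting the IIS module list.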

The picture that emerged from this operation shows how closely criminal SEO practices and traditional server hacking intersect today. On the one hand, targeted exploitation of vulnerabilities, privilege escalation, persistence, and control modules; on the other, careful work on content and traffic, based on search engine behavioral signals. Overall, this allows a network of supporting backlinks from third-party resources to be built in a short period of time and increases the visibility of promoted sites, leaving virtually no visible traces for the owners of the compromised sites.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
