A recent finding by ESET Research has uncovered the activity of a group of cybercriminals that researchers have named GhostRedirector. Since June 2025, this actor has compromised at least 65 Windows servers in different countries, with a particular concentration in Brazil, Thailand, Vietnam and the United States. The attacks also extended to Canada, Finland, India, the Netherlands, the Philippines and Singapore.
The operation stands out for combining digital espionage with search-engine positioning on Google, with a clear objective: diverting traffic to online betting sites through fraudulent SEO techniques.
Previously undocumented tools for global fraud
GhostRedirector used two pieces of malware never seen before. The first is Rungan, a passive backdoor written in C++ and designed to execute commands on compromised servers. The second, Gamshen, is a malicious module for Internet Information Services (IIS) that selectively modifies the responses of infected servers.
What is striking about Gamshen is that it only alters content when the request comes from Googlebot, Google's crawler. In this way it manipulates search results without ordinary visitors noticing any change.
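As an added example (not ESET's tooling or anything from the report), a defender-side check for this kind of crawler-only cloaking: request the same page once as an ordinary browser and once as Googlebot, and list the links that only the crawler copy contains. The URL, User-Agent strings and sample HTML below are constructed.

```python
import re
from typing import Callable, Dict, List
from urllib.request import Request, urlopen

# Constructed User-Agent strings: one ordinary browser and one Googlebot crawler.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

_HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html: str) -> List[str]:
    """Return the href targets found in an HTML document, in order, without duplicates."""
    seen: List[str] = []
    for href in _HREF_RE.findall(html):
        if href not in seen:
            seen.append(href)
    return seen


def crawler_only_links(browser_html: str, crawler_html: str) -> List[str]:
    """Links served to the crawler that a normal visitor never sees: the signature of cloaking."""
    visible = set(extract_links(browser_html))
    return [h for h in extract_links(crawler_html) if h not in visible]


def fetch_with_ua(url: str, user_agent: str) -> str:
    """Real fetcher (needs network): request the URL with the chosen User-Agent."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_cloaking(url: str, fetch: Callable[[str, str], str] = fetch_with_ua) -> Dict[str, object]:
    """Fetch a page as a browser and as Googlebot and report any crawler-only links."""
    browser_html = fetch(url, BROWSER_UA)
    crawler_html = fetch(url, GOOGLEBOT_UA)
    injected = crawler_only_links(browser_html, crawler_html)
    return {"url": url, "cloaked": bool(injected), "crawler_only_links": injected}


# Constructed sample responses standing in for a server whose crawler copy carries an extra link.
_SAMPLE = {
    BROWSER_UA: "<html><body><a href='/about'>About</a><a href='/contact'>Contact</a></body></html>",
    GOOGLEBOT_UA: ("<html><body><a href='/about'>About</a><a href='/contact'>Contact</a>"
                   "<a href='https://bet-example.invalid/play'>play</a></body></html>"),
}


def fake_fetch(url: str, user_agent: str) -> str:
    """Offline stand-in for fetch_with_ua that returns the constructed sample above."""
    return _SAMPLE[user_agent]


if __name__ == "__main__":
    print(check_cloaking("https://example.invalid/", fetch=fake_fetch))
```

A User-Agent-only probe can miss a module that also verifies the crawler's source address, so a clean result here does not rule out a modified IIS module; comparing the server's installed native modules against a known-good baseline is the complementary check.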
“Participating in an SEO fraud scheme can seriously damage the reputation of the site, associating it with illegal techniques and unreliable pages,” explains Fernando Tavella, the ESET researcher who led the discovery.
Victims are mainly located in Brazil, Thailand, Vietnam and the United States, although cases in Europe have also been identified.
Intrusion tactics and scope of attacks
In addition to these previously undocumented tools, the group has relied on already known exploits, such as EfsPotato and BadPotato, to create privileged accounts on the servers and ensure prolonged access. According to ESET telemetry, the most likely initial vector was SQL injection.
The victims belong to very diverse sectors, from education and health to transport, technology, insurance and retail, indicating that the attackers were not focused on a specific industry. Most of the affected servers in the United States had most likely been rented to companies based in Brazil, Thailand and Vietnam, confirming a greater interest in Latin America and Southeast Asia.
Persistence and resilience of the attack
Once inside the infrastructure, GhostRedirector deploys several tools to maintain control, including web shells, privilege escalation mechanisms and the creation of fake user accounts. With this, the group ensures persistence even if one of its backdoors is removed.
“GhostRedirector shows remarkable operational resilience by using different remote access routes, which allows it to survive cleanup attempts and maintain activity on infected systems,” adds Tavella.
Documented attacks began in December 2024 and extended until April 2025, although new cases were detected in June thanks to a global scan. ESET notified all those affected and published mitigation measures in a technical report.
