Dozens of Windows servers have been hijacked by a Chinese hacking group to boost Google’s rankings for shady gambling websites, experts have found.
Security researchers ESET have outlined the work called GhostRedirector, which started targeting Windows servers in December 2024, ultimately compromising at least 65 of them. After breaking into a server, they would deploy a variety of tools, including two brand new pieces of malware, called Rungan and Gamshen.
Rungan is a classic backdoor, while Gamshen is the one doing the search engine rank boosting. ESET describes it as a malicious Internet Information Services (ISS) trojan, which isn’t malware in the traditional sense, but rather a malicious native ISS module that runs directly within a Windows web server, selectively modifying HTTP responses, but only for Google’s web crawler, Googlebot.
