Recent research from Imperva Threat Research has uncovered a sophisticated cyber campaign targeting Indonesian web infrastructure, particularly PHP-based applications and Moodle LMS platforms. The campaign, which emerged amid Indonesia’s crackdown on illegal online gambling, involves Python-based bots deploying the GSocket networking toolkit through existing webshells. These compromised servers are then repurposed to host gambling-related content, using sophisticated SEO manipulation and bot detection to redirect genuine users to active gambling sites while maintaining visibility in search results. This technique allows operators to rapidly adapt to enforcement actions by switching between domains, highlighting the evolving challenges in combating cyber threats in regulated markets. The investigation revealed over 3 million malicious requests, demonstrating the campaign’s significant scale and the importance of proactive security measures in protecting web infrastructure.