Edward Kiledjian's Threat Intel

GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes www.welivesecurity.com/en/eset-r…

ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results.

  • We observed at least 65 Windows servers compromised in June 2025.
  • Victims are mainly located in Brazil, Thailand, and Vietnam.
  • Victims are not related to one specific sector but to a variety such as insurance, healthcare, retail, transportation, technology, and education.
  • GhostRedirector has developed a new C++ backdoor, Rungan, capable of executing commands on the victim’s server.
  • GhostRedirector has developed a malicious native IIS module, Gamshen, that can perform SEO fraud; we believe its purpose is to artificially promote various gambling websites.
  • GhostRedirector relies on public exploits such as BadPotato or EfsPotato for privilege escalation on compromised servers.
  • Based on various factors, we conclude with medium confidence that a previously unknown, China-aligned threat actor was behind these attacks. We have named it GhostRedirector.
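Gamshen is described above as a native IIS module, and native modules are registered in the `<globalModules>` section of `applicationHost.config` (under `%windir%\System32\inetsrv\config`) and loaded into every IIS worker process. One defender-side check that follows from that is to audit those registrations for DLLs that do not live in the IIS install directory or whose names are not on a known-good baseline. The script below is an added example, not code from ESET or from this post; the sample config, the module and DLL names in it, and the small baseline are constructed for illustration, and the IIS directory is assumed to be the default install location.

```python
"""Triage native IIS module registrations parsed from applicationHost.config.

Native IIS modules are registered as <add name=... image=...> entries under
<globalModules>. This script flags entries whose DLL is outside the IIS install
directory or whose name is not in a baseline of expected modules. The sample
config and the baseline are constructed for this example; a real baseline should
be exported from a clean reference server running the same IIS version.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Default location of Microsoft's own native modules (assumption: default install).
IIS_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")

# Illustrative baseline of module names that ship with IIS (constructed, incomplete).
BASELINE = {
    "StaticFileModule",
    "DefaultDocumentModule",
    "RequestFilteringModule",
    "HttpLoggingModule",
    "IsapiModule",
}

# Constructed sample: four stock registrations plus two suspicious ones.
# "ContentHelperModule" is an unknown name loaded from a writable directory;
# "IsapiModule" reuses a stock name but points at a DLL outside inetsrv.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ContentHelperModule" image="C:\\inetpub\\temp\\helper.dll" />
      <add name="IsapiModule" image="C:\\ProgramData\\cache\\isapi.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand_windir(path: str) -> str:
    """Expand the environment references IIS uses in image paths (assumes C:\\Windows)."""
    return path.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")


def is_under(image: str, base: PureWindowsPath) -> bool:
    """True if the (expanded, normalised) image path lies inside base; case-insensitive."""
    normalised = str(PureWindowsPath(expand_windir(image))).lower()
    return normalised.startswith(str(base).lower() + "\\")


def audit_global_modules(config_xml: str):
    """Return [(name, expanded_image, [reasons])] for every suspicious <globalModules> entry."""
    root = ET.fromstring(config_xml)
    findings = []
    # Iterate by tag name rather than an XPath so the dotted 'system.webServer' tag is no concern.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            if not is_under(image, IIS_DIR):
                reasons.append("image outside inetsrv")
            if name not in BASELINE:
                reasons.append("name not in baseline")
            if reasons:
                findings.append((name, expand_windir(image), reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image} ({', '.join(reasons)})")
```

Run it against a copy of `applicationHost.config` taken from the server rather than the constructed sample. Both checks are needed: the second suspicious entry in the sample keeps a stock module name and is caught only by the path check, so a name-only baseline would miss it. Flagged DLLs are worth following up with signature verification and a file hash comparison against a clean host.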