
"ESET Research has discovered a new Chinese hacker group. The group, dubbed 'GhostRedirector,' has already compromised 65 Windows servers with unique malware. So far, Europe has been spared. GhostRedirector targets companies in America and Southeast Asia and uses advanced backdoors to maintain access. GhostRedirector shows remarkable determination by implementing multiple access methods. In addition to their own tools, they use publicly known exploits such as EfsPotato and BadPotato to create privileged user accounts."
"The attackers use two custom-made tools: Rungan, a passive C++ backdoor, and Gamshen, a malicious Internet Information Services (IIS) module. The latter has a remarkable feature: it performs SEO fraud by manipulating Google search engine results."

Ongoing campaign since December

"ESET's telemetry shows that GhostRedirector was active between December 2024 and April 2025. An internet scan in June revealed even more victims."
A Chinese hacker group named GhostRedirector compromised at least 65 Windows servers across Brazil, Thailand, Vietnam, and the United States, with additional victims discovered in June. The group targets organizations across multiple sectors, including education, healthcare, insurance, transportation, technology, and retail. The attackers deploy two custom tools: Rungan, a passive C++ backdoor, and Gamshen, a malicious IIS module that manipulates Google search results for SEO fraud. GhostRedirector maintains persistence through multiple remote access tools and fake privileged accounts, and it abuses public privilege-escalation exploits such as EfsPotato and BadPotato as a fallback for regaining access.
Read at Techzine Global