A compact but sophisticated campaign tracked as GhostRedirector has infected at least 65 Internet‑facing Windows IIS servers and paired a stealthy native backdoor with an in‑process IIS module to run a covert, profitable SEO fraud operation that pushes third‑party gambling sites while leaving normal visitors unaffected.
Background / Overview
ESET Research disclosed the GhostRedirector campaign after telemetry and an internet‑wide scan found evidence of widespread compromise across multiple regions and sectors. The firm ties the operation to a previously unseen set of tools — a C/C++ backdoor named Rungan and a native IIS module called Gamshen — and describes a multi‑stage intrusion chain using web shells, public privilege‑escalation exploits, and multiple persistence mechanisms.
Victims number at least 65 confirmed IIS hosts (ESET’s count is explicitly framed as a conservative minimum), with geographic concentration in Brazil, Thailand, Vietnam and additional compromises in Peru, the United States and other countries. Affected organizations span education, healthcare, insurance, retail, transportation, technology and more — a pattern consistent with opportunistic scanning and exploitation of internet‑visible IIS stacks rather than narrowly targeted verticals.
ESET assesses the actor is very likely China‑aligned with medium confidence, based on build artifacts, code signing certificates, language strings and reuse of tooling patterns. That attribution is explicitly probabilistic and should be treated as an analytic judgment rather than an incontrovertible fact.
What GhostRedirector does: technical summary
Rungan — the native backdoor
- Nature and deployment: Rungan is a compiled C/C++ implant observed deployed as miniscreen.dll under C:\ProgramData\Microsoft\DRM\log. It runs natively (no .NET dependency) and does not rely on IIS to receive operator commands: it can be kept resident as a Windows service and takes its commands through an HTTP listener it registers itself (below).
- Capabilities:
- Remote command execution and arbitrary file operations.
- Creation of local privileged accounts.
- Manipulation of Windows Services and registry keys for persistence.
- Registration of HTTP listeners through the Windows HTTP Server API (http.sys), so the implant waits for operator requests on URLs it registers itself instead of beaconing out.
- Stealth posture: Rungan carries an encrypted embedded configuration (AES‑CBC observed) and deliberately adopts a passive command intake model, which leaves little outbound network signal. Because http.sys multiplexes URL registrations from many processes onto the same port, a Rungan endpoint can share port 80 or 443 with the legitimate IIS site while appearing nowhere in applicationHost.config or the site bindings; web content audits and IIS configuration reviews will not surface it, and only an inventory of http.sys registrations (netsh http show servicestate) or process‑level telemetry will.
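Because Rungan's endpoints live in http.sys rather than in IIS, the place to look for them is the HTTP Server API's own registration table, which netsh http show servicestate view=requestq prints along with the process IDs attached to each request queue. The following is an added example (not ESET's tooling and not anything from the campaign) that parses a constructed excerpt of that output and flags every registered URL whose owning process is not one expected to own http.sys registrations; the queue names, PIDs, URLs and the PID‑to‑image map are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt shaped like `netsh http show servicestate view=requestq` output.
# Queue names, PIDs and URLs are assumptions for illustration, not campaign indicators.
SAMPLE_SERVICESTATE = """\
Request queues:
    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            4
        URL groups:
        URL group ID: F300000040000001
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/WSMAN/
    Request queue name: DefaultAppPool
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            3124
        URL groups:
        URL group ID: F300000040000002
            Number of registered URLs: 2
            Registered URLs:
                HTTP://*:80:
                HTTPS://*:443:
    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            5580
        URL groups:
        URL group ID: F300000040000003
            Number of registered URLs: 1
            Registered URLs:
                HTTPS://+:443/api/v2/sync/
"""

# Assumed PID -> image map; on a live host build it from `tasklist` or Get-Process.
SAMPLE_PID_TO_IMAGE = {4: "System", 3124: "w3wp.exe", 5580: "rundll32.exe"}

# Images that legitimately own http.sys registrations on a plain IIS host: the kernel
# (System), app pools (w3wp.exe) and WinRM (svchost.exe). Assumption: extend this for
# your own http.sys-based services before trusting the output.
EXPECTED_LISTENER_IMAGES = {"system", "w3wp.exe", "svchost.exe"}

_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def parse_servicestate(text: str) -> List[Tuple[str, List[int]]]:
    """Return (registered_url, owning_pids) pairs, one per URL, from netsh output."""
    pairs: List[Tuple[str, List[int]]] = []
    pids: List[int] = []
    section = None  # "pids" or "urls" while inside those indented sub-blocks
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):
            pids, section = [], None            # new queue: reset its owner list
        elif line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            pids.append(int(line))
        elif section == "urls" and _URL_RE.match(line):
            pairs.append((line, list(pids)))
        elif line.endswith(":"):
            section = None                      # any other labelled field ends the sub-block
    return pairs


def find_rogue_listeners(text: str, pid_to_image: Dict[int, str],
                         expected=EXPECTED_LISTENER_IMAGES) -> List[Tuple[str, List[int], List[str]]]:
    """Flag URLs whose owning process is unknown, absent, or not an expected listener."""
    rogue = []
    for url, pids in parse_servicestate(text):
        owners = [pid_to_image.get(p, "<unknown>").lower() for p in pids]
        if not pids or any(o not in expected for o in owners):
            rogue.append((url, pids, owners))
    return rogue


if __name__ == "__main__":
    for url, pids, owners in find_rogue_listeners(SAMPLE_SERVICESTATE, SAMPLE_PID_TO_IMAGE):
        print(f"suspicious http.sys registration {url} owned by {owners} (PIDs {pids})")
```

On a live host, redirect the netsh output to a file, build the PID map from tasklist /fo csv or Get-Process, and treat any registration owned by an unexpected image, or by no live process at all, as a lead to pivot on; the URLs Rungan itself registers are not reproduced here.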
Gamshen — the IIS module that manipulates search engines
- Nature and deployment: Gamshen is a native IIS module (a DLL loaded into w3wp.exe) that hooks into IIS request/response pipeline events to inspect requests and selectively alter responses. Observed module names include ManagedEngine64_v2.dll and ManagedEngine32_v2.dll in some compromises.
- Primary function: Gamshen detects search‑engine crawlers (via User‑Agent strings and possibly IP ranges) and serves crawler‑specific content — cloaked redirects or injected backlink/doorway lists — solely to search engines like Googlebot, while regular human visitors see the legitimate, unaltered site. This crawler‑only manipulation lets attackers leech domain trust to boost third‑party targets (observed beneficiaries: gambling domains).
- Operational mechanics: The module can:
- Intercept OnBeginRequest and OnSendResponse events to swap or inject content.
- Decode embedded payloads or fall back to remote C2 endpoints to fetch crawler‑tailored content; if the remote fetch fails or returns an error, it can instead redirect crawlers to fallback pages.
- Why it’s effective: Native IIS modules run inside the worker process and see every HTTP transaction, enabling highly stealthy cloaking that file scans and casual audits are unlikely to detect. Since the injected content is not persisted to disk but generated dynamically, many detection pipelines miss the behavior entirely.
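The mechanics in the two lists above reduce to one decision made inside the request pipeline: classify the visitor, then choose which response to send. The following added example (not Gamshen's code and not from ESET) models that decision as a response filter and then runs the crawler‑versus‑browser differential check, which the detection checklist and playbook later on this page call for, against it, so the cloaking technique and the test that exposes it sit side by side. The crawler tokens, IP range, injected domains, fallback URL and the documentation address used as the tester's egress are assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# --- Part 1: decision logic of a crawler-cloaking response filter -------------------
# Stand-in for an in-process IIS module's OnSendResponse handler. Crawler tokens, the
# IP range, injected links and the fallback URL are illustrative assumptions, not ESET's
# observed indicators; the .invalid TLD guarantees the links resolve nowhere.
CRAWLER_UA_TOKENS = ("googlebot", "bingbot", "baiduspider")
CRAWLER_NETS = [ip_network("66.249.64.0/19")]            # assumed crawler source range
INJECTED_LINKS = ["https://casino-a.invalid/", "https://bet-b.invalid/"]
FALLBACK_REDIRECT = "https://doorway.invalid/"


@dataclass
class Response:
    status: int
    body: str
    location: Optional[str] = None


def is_crawler(user_agent: str, client_ip: str) -> bool:
    """Classify the visitor as a search-engine crawler by User-Agent or source address."""
    if any(tok in user_agent.lower() for tok in CRAWLER_UA_TOKENS):
        return True
    try:
        return any(ip_address(client_ip) in net for net in CRAWLER_NETS)
    except ValueError:
        return False


def cloaking_filter(user_agent: str, client_ip: str, original: Response,
                    fetch_remote: Callable[[], List[str]]) -> Response:
    """Humans receive `original` untouched. Crawlers receive the page with remotely
    supplied backlinks injected, or a redirect if the remote fetch fails."""
    if not is_crawler(user_agent, client_ip):
        return original
    try:
        links = fetch_remote()
    except OSError:                                      # C2 unreachable or error page
        return Response(302, "", location=FALLBACK_REDIRECT)
    anchors = "".join(f'<a href="{u}">{u}</a>' for u in links)
    return Response(200, original.body.replace("</body>", anchors + "</body>"))


# --- Part 2: the differential check that exposes it ---------------------------------
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
_HREF_RE = re.compile(r'href="([^"]+)"')


def detect_cloaking(fetch: Callable[[str], Response]) -> Dict[str, object]:
    """Fetch the same URL as Googlebot and as a browser; report every divergence."""
    bot, human = fetch(GOOGLEBOT_UA), fetch(BROWSER_UA)
    findings: Dict[str, object] = {}
    if bot.status != human.status:
        findings["status"] = (bot.status, human.status)
    if bot.location != human.location:
        findings["redirect"] = (bot.location, human.location)
    extra = set(_HREF_RE.findall(bot.body)) - set(_HREF_RE.findall(human.body))
    if extra:
        findings["crawler_only_links"] = sorted(extra)
    return findings


def simulate(cloaked: bool, remote_ok: bool = True) -> Dict[str, object]:
    """Run the detector against a constructed site, with or without the filter installed."""
    page = Response(200, '<html><body><a href="/about">About</a></body></html>')

    def fetch_remote() -> List[str]:
        if not remote_ok:
            raise OSError("remote returned 5xx")
        return INJECTED_LINKS

    def fetch(user_agent: str) -> Response:
        # 203.0.113.10 is a documentation address: the tester's own egress, not a crawler's.
        if not cloaked:
            return page
        return cloaking_filter(user_agent, "203.0.113.10", page, fetch_remote)

    return detect_cloaking(fetch)


if __name__ == "__main__":
    print("clean site:      ", simulate(cloaked=False))
    print("cloaked, C2 up:  ", simulate(cloaked=True))
    print("cloaked, C2 down:", simulate(cloaked=True, remote_ok=False))
```

The modelled filter treats either a crawler User‑Agent or a crawler source address as sufficient, so spoofing the User‑Agent from your own address exposes it. A module that demands both signals would come back clean under this test from any address you control; in that case rely on Google Search Console's URL Inspection live test, which reports the HTML Googlebot itself received.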
Attack chain and tools used
ESET’s analysis documents a classic multi‑stage campaign with a modern twist: the actors combine commodity tactics with bespoke implants for monetization.
- Initial access: exploitation of web‑facing vulnerabilities (SQL injection and similar vectors are likely initial entry points).
- Post‑compromise: deployment of web shells and downloaders to stage payloads.
- Privilege escalation: heavy reuse of the “Potato” family (EfsPotato, BadPotato and relatives) to escalate to SYSTEM and obtain the privileges required to register IIS modules or change ServiceDLL entries.
- Persistence: multiple redundant persistence mechanisms — Rungan backdoor, Gamshen IIS module, rogue local accounts, and registry/service manipulations — to survive partial cleanup.
- Operational use: Gamshen converts compromised servers into doorway pages and link farms that are only visible to search crawlers, selling ranking boosts to third‑party gambling operators (an SEO fraud‑as‑a‑service model).
Why this matters for Windows and IIS administrators
Attackers are weaponizing site reputation as infrastructure. The immediate technical risk is remote control of a server; the wider business risk is long‑term brand and SEO damage.
- Invisible reputation theft: By serving different content to crawlers, attackers can borrow a trusted domain’s authority to rank gambling pages higher in search results. That association — even if invisible to customers — can trigger search‑engine penalties, domain de‑ranking, or delisting, with expensive, time‑consuming recovery.
- Resilient persistence: The combination of native in‑process modules and multiple fallback persistence mechanisms (local accounts, services, listener implants) increases cleanup complexity and the risk that a compromised host will be re‑reused.
- Detection blind spots: Dynamic, crawler‑specific behavior and in‑process manipulation mean that conventional file‑integrity and static‑signature approaches are insufficient. Behavioral telemetry and configuration hunts are required.
Immediate detection and remediation checklist
The following prioritized steps reflect ESET’s recommendations and established IIS incident response best practices.
- Run an expedited hunt for unexpected IIS native modules:
- Use appcmd list modules (or Get-WebGlobalModule in PowerShell) and IIS Manager to enumerate modules, then read the globalModules section of applicationHost.config directly. Judge each entry by its image path rather than its name: the rogue ManagedEngine64_v2.dll / ManagedEngine32_v2.dll names mimic the legitimate ManagedEngine and ManagedEngine64 entries, which point at webengine4.dll under the Microsoft.NET directory, so flag any module whose DLL lives outside the inetsrv or Microsoft.NET directories or whose name differs from a stock module only by a suffix.
- Search for known indicator filenames and artifacts:
- Examples observed in this campaign: miniscreen.dll (Rungan), ManagedEngine64_v2.dll / ManagedEngine32_v2.dll (Gamshen), link.exe (GoToHTTP helper). Search filesystem, scheduled tasks, ServiceDLL registry values, and ProgramData paths.
- Compare responses for crawler vs human user agents:
- Request the same URLs with a Googlebot User‑Agent and with an ordinary browser User‑Agent from your own egress address and diff the results; differences in response bodies, redirect targets, or injected backlinks are strong indicators of cloaking. If the module also keys on crawler IP ranges, a User‑Agent‑only test from your own address can come back clean, so complement it with Google Search Console’s URL Inspection live test, which shows the HTML actually served to Googlebot.
- Inspect for named pipes and token‑abuse telemetry:
- Sysmon does not log Windows API calls such as CreateProcessWithToken or CreateProcessAsUser; it records their effect. Hunt Sysmon process‑creation events (Event ID 1) for children of w3wp.exe, or of its descendants, that run as NT AUTHORITY\SYSTEM while the parent runs as an application pool identity, and Sysmon pipe events (Event IDs 17 and 18) for named pipes created in that lineage; both are the footprint of Potato‑style token abuse. EDR with API‑level visibility can add the impersonation and CreateProcessWithToken calls themselves.
- Audit local user accounts and recent administrative changes:
- Look for recently created accounts (e.g., MysqlServiceEx, Admin) and anomalous service DLL modifications. Revoke or change credentials where compromise is suspected.
- Contain and rebuild when compromise is confirmed:
- Given the resilience patterns (multiple backdoors and persistent modules), containment should include network isolation and full rebuild from known‑good images after evidence capture for forensics. Partial removals risk residual access.
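A module hunt that keys on the ManagedEngine prefix will flag the legitimate ManagedEngine and ManagedEngine64 entries on every IIS host and can still miss a rogue module registered under an unrelated name, so the checklist's advice to judge entries by path is worth automating. The following is an added example, not ESET's tooling, that parses the globalModules section of an exported applicationHost.config (a constructed fragment here; the rogue entry's DLL path, the trusted‑directory list and the stock‑name list are assumptions) and reports every native module that loads from outside the inetsrv and Microsoft.NET directories or whose name merely mimics a stock one.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed applicationHost.config fragment. The first three entries mirror the shape of
# stock IIS entries; the last is a hypothetical rogue module whose name mimics the stock
# ManagedEngine64 entry but whose DLL lives under ProgramData (the path is an assumption).
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="ManagedEngine" image="%windir%\Microsoft.NET\Framework\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness32" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngine64_v2" image="C:\ProgramData\ManagedEngine64_v2.dll" preCondition="bitness64" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories from which native modules are expected to load on a stock install (assumption).
TRUSTED_IMAGE_DIRS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\syswow64\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
)
# Subset of stock module names. Generate the full baseline from a clean install of the
# same IIS version with `appcmd list modules` and paste it here (this list is illustrative).
STOCK_MODULE_NAMES = {
    "managedengine", "managedengine64", "staticfilemodule", "defaultdocumentmodule",
    "anonymousauthenticationmodule", "requestfilteringmodule", "httploggingmodule",
}


def resolve_image(image: str, windir: str = "C:\\Windows") -> str:
    """Expand %windir% case-insensitively and lower-case the path for comparison."""
    return re.sub(r"%windir%", lambda _m: windir, image, flags=re.IGNORECASE).lower()


def audit_global_modules(xml_text: str, windir: str = "C:\\Windows") -> List[Dict[str, object]]:
    """Return every globalModules entry that loads from an untrusted path or carries a
    name that only mimics a stock module (e.g. ManagedEngine64_v2 vs ManagedEngine64)."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for gm in root.iter("globalModules"):             # iterate rather than XPath on dotted tags
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            reasons: List[str] = []
            if not resolve_image(image, windir).startswith(TRUSTED_IMAGE_DIRS):
                reasons.append("image outside trusted IIS/.NET directories")
            lname = name.lower()
            if lname not in STOCK_MODULE_NAMES and any(lname.startswith(s) for s in STOCK_MODULE_NAMES):
                reasons.append("name mimics a stock module")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_APPHOST):
        print(f"{f['name']}: {f['image']}  <-  {'; '.join(f['reasons'])}")
```

On the host itself, follow any hit by checking whether the DLL is Authenticode‑signed by a publisher you recognise and whether its file exists at all, two things this offline pass over an exported config cannot do.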
Hardening and long‑term mitigations
- Harden IIS configuration and remove unnecessary modules; apply the principle of least privilege to service accounts.
- Patch and remediate web application vulnerabilities (SQL injection and unsanitized input remain common initial vectors).
- Enforce logging that captures named‑pipe creation and process creation with user context (Sysmon Event IDs 1, 17 and 18 under a community‑recommended configuration), and deploy EDR that detects DLLs loaded into w3wp.exe and anomalous listeners.
- Apply strong code‑signing verification for inbound binaries and monitor for unrecognized certificates used on executables; ESET observed legitimate code‑signing certificates abused in the campaign.
- Treat SEO integrity as part of operational security: monitor search result anomalies for brand keywords and backlink profiles, and coordinate with SEO specialists when suspect behavior is found.
Operational analysis and critical appraisal
Notable strengths of the attackers’ approach
- Low noise, high survivability: The passive Rungan implant and in‑process Gamshen module combine to produce minimal outward signs for end users while enabling long‑term monetization. Dynamic content injection avoids file‑system artifacts and keeps ordinary audits blind to the abuse.
- Modular redundancy: Multiple persistence vectors (services, account creation, native modules, web shells) create operational resilience; defenders who remove a single component may still leave alternative footholds.
- Monetizable model: SEO fraud is a durable criminal market. Server‑side cloaking scales: one compromised IIS estate can serve as a long‑term infrastructure asset to sell ranking boosts for gambling and other high‑value verticals.
Risks, limitations and why defenders should be cautious
- Attribution uncertainty: ESET’s medium‑confidence assessment that the actor is China‑aligned rests on telemetry and tooling overlaps (PDB paths, language artifacts, code‑signing certificate provenance). Attribution in cyberspace is inherently probabilistic; treat geopolitical conclusions with caution and prioritize technical remediation.
- Visibility gap: The confirmed figure of “at least 65” hosts is a floor, not a ceiling; many compromised servers will remain undetected without proactive hunting because standard site audits and signature‑based scans miss transient crawler‑only content.
- Potential for escalation beyond SEO: Although observed usage centers on gambling SEO, compromised IIS estates with native backdoors can be repurposed for data theft, distribution of further malware, staging for lateral movement, or as C2 infrastructure — meaning initial SEO monetization can become a broader operational risk.
Detection playbook: prioritized hunting queries and rules
- Enumerate IIS native modules and compare against known baselines: appcmd list modules; read the globalModules section of applicationHost.config and check image paths. Note that ManagedEngine and ManagedEngine64 are legitimate stock entries pointing at webengine4.dll; the campaign’s ManagedEngine64_v2 / ManagedEngine32_v2 names are chosen to blend in with them, so match on the DLL path and file, not on the ManagedEngine prefix.
- Search for these artifact names and paths:
- miniscreen.dll under C:\ProgramData\Microsoft\DRM\log (Rungan).
- ManagedEngine64_v2.dll / ManagedEngine32_v2.dll (Gamshen).
- link.exe and any unusual binaries in ProgramData or inetsrv directories.
- Automated tests: issue parallel requests with Googlebot and Chrome user agents; flag any differences in response bodies, redirect targets, or injected link lists.
- EDR/Sysmon rules: monitor for token reflection/impersonation, CreateProcessWithToken, named pipe creation, and unexpected HTTP Server API listener registrations (inventory http.sys URL registrations with netsh http show servicestate view=requestq and map each owning PID to its image).
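The token‑abuse and named‑pipe items above describe effects rather than API calls, which is what Sysmon actually records. The following is an added example, not ESET's detection content, that applies three rules to a constructed set of Sysmon process‑creation (EID 1) and pipe‑creation (EID 17) events plus a Security account‑creation event (EID 4720): a SYSTEM child spawned by an application‑pool‑identity process in the w3wp.exe lineage, a named pipe created in that lineage, and a local account outside an approved list. The executable and pipe names, process GUIDs, host name and approved‑account list are assumptions; MysqlServiceEx is the account name cited on this page.

```python
from typing import Dict, List, Tuple

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
APPPOOL_PREFIX = "IIS APPPOOL\\"                              # default app pool identities
APPROVED_LOCAL_ACCOUNTS = {"administrator", "svc_backup"}   # assumption: site baseline

# Constructed events carrying the Sysmon (EID 1 process create, EID 17 pipe created) and
# Security (EID 4720 user created) fields the rules need. efs.exe, the pipe name, the GUIDs
# and SRV01$ are assumptions; MysqlServiceEx is the account name the page cites.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": "-", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "B", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": "C:\\ProgramData\\efs.exe", "CommandLine": "efs.exe \"net user MysqlServiceEx Pa55w0rd /add\""},
    {"EventID": 17, "ProcessGuid": "C", "Image": "C:\\ProgramData\\efs.exe", "PipeName": "\\pipe\\4f1c2a"},
    {"EventID": 1, "ProcessGuid": "D", "ParentProcessGuid": "C", "User": SYSTEM_ACCOUNT,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c net user MysqlServiceEx Pa55w0rd /add"},
    {"EventID": 4720, "TargetUserName": "MysqlServiceEx", "SubjectUserName": "SRV01$"},
    {"EventID": 1, "ProcessGuid": "E", "ParentProcessGuid": "-", "User": SYSTEM_ACCOUNT,
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 17, "ProcessGuid": "E", "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\pipe\\srvsvc"},
]


def lineage(guid: str, procs: Dict[str, Dict[str, object]]) -> List[str]:
    """Image path of the process and of each ancestor we hold a creation event for."""
    chain: List[str] = []
    seen = set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(str(procs[guid]["Image"]))
        guid = str(procs[guid]["ParentProcessGuid"])
    return chain


def descends_from_w3wp(guid: str, procs: Dict[str, Dict[str, object]]) -> bool:
    """True when any ancestor (not the process itself) is an IIS worker process."""
    return any(img.lower().endswith("\\w3wp.exe") for img in lineage(guid, procs)[1:])


def hunt(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Apply the three rules and return (rule, detail) findings in event order."""
    procs = {str(e["ProcessGuid"]): e for e in events if e["EventID"] == 1}
    findings: List[Tuple[str, str]] = []
    for e in events:
        if e["EventID"] == 1:
            parent = procs.get(str(e["ParentProcessGuid"]))
            # Rule 1: a SYSTEM child born to an app-pool-identity process under w3wp.exe is
            # the footprint of CreateProcessWithToken/AsUser after a Potato-style LPE.
            if (parent is not None and str(e["User"]).upper() == SYSTEM_ACCOUNT
                    and str(parent["User"]).upper().startswith(APPPOOL_PREFIX)
                    and descends_from_w3wp(str(e["ProcessGuid"]), procs)):
                findings.append(("system-child-of-apppool-process", str(e["CommandLine"])))
        elif e["EventID"] == 17:
            # Rule 2: named pipes created anywhere in the w3wp.exe lineage (Potato variants
            # coerce a SYSTEM service into connecting to a pipe the attacker controls).
            if descends_from_w3wp(str(e["ProcessGuid"]), procs):
                findings.append(("pipe-created-in-w3wp-lineage", str(e["PipeName"])))
        elif e["EventID"] == 4720:
            # Rule 3: any local account created outside the approved baseline.
            if str(e["TargetUserName"]).lower() not in APPROVED_LOCAL_ACCOUNTS:
                findings.append(("unapproved-local-account", str(e["TargetUserName"])))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The lineage walk needs the parent's EID 1 event to be present, so run it over a window that includes w3wp.exe start‑up; the pipe rule will also fire on benign w3wp.exe children that create pipes, which is rare enough on a web server to tune rather than drop.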
Executive summary and recommended actions (for CISOs and IT leaders)
- Treat this not only as a technical malware incident but as a brand and SEO incident: compromised servers can silently damage search visibility and reputation.
- Prioritize an incident response hunt across all internet‑facing IIS hosts and hosting tenants. Assume the “at least 65” number is conservative and hunt broadly.
- If compromise is confirmed, prepare for full rebuilds rather than surgical removals; the layered persistence model often defeats partial remediation.
- Coordinate technical remediation with legal, compliance, hosting providers and, where applicable, SEO specialists to mitigate downstream business impact.
Final assessment
GhostRedirector illustrates a pragmatic evolution in criminal infrastructure: combining durable access with a stealthy, monetizable abuse model that weaponizes reputation. For Windows and IIS administrators, the campaign highlights three enduring priorities: harden exposed web apps, deploy behavioral telemetry that catches token abuse and unexpected in‑process modules, and treat search‑engine cloaking as an operational security threat that demands cross‑functional response. Immediate hunting for unauthorized IIS modules and crawler‑specific anomalies is the single highest‑impact action defenders can take; if evidence of compromise exists, plan for containment and full rebuilds to eradicate layered persistence.
Caution: attribution and the full scope of victims remain uncertain. ESET’s disclosure is a robust technical starting point but should be supplemented with local telemetry and coordinated IR to determine impact per environment.
By treating SEO integrity as part of infrastructure security and adopting the detection hunts outlined above, organizations can reduce the window of dwell for cloaking implants like Gamshen and limit the operational value of backdoors like Rungan to attackers.
Source: The Record from Recorded Future News 'SEO fraud-as-a-service' scheme hijacks Windows servers to promote gambling websites