Security researchers have discovered that a Chinese hacker group has taken over dozens of Windows servers to artificially boost the rankings of dubious gambling sites on Google. The operation was named GhostRedirector and began in late 2024.
According to researchers at ESET, at least 65 servers were affected. Most of the attacks took place in South America and South Asia, particularly in Brazil, Peru, Thailand and Vietnam. Infected servers were also found in the United States, but the focus there was less intense.
Group uses new malware Rungan and Gamshen
After infiltrating a server, the hackers installed various tools. These included two new pieces of malware: Rungan and Gamshen.
Rungan works as a classic backdoor, allowing hackers to maintain access to the system. Gamshen was developed to manipulate search results. The programme runs directly inside the Windows web server and modifies only the responses served to Googlebot. Nothing changes for regular visitors, which means the attack can go unnoticed for a long time.
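Because the tampered content is shown only to Googlebot, a site owner can look for it by comparing what their own server returns to a browser with what it returns to a crawler User-Agent. The following is an added example, not code from ESET or from the original article; the function names and sample HTML are constructed, and it assumes the crawler is recognised by its User-Agent header.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

# Google's documented crawler User-Agent and a constructed desktop browser one.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"

class LinkHosts(HTMLParser):
    """Collects the host names of all <a href> targets in a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host:  # relative links have no host and are skipped
                self.hosts.add(host.lower())

def external_hosts(html, own_host):
    parser = LinkHosts()
    parser.feed(html)
    return {h for h in parser.hosts
            if h != own_host and not h.endswith("." + own_host)}

def crawler_only_hosts(browser_html, crawler_html, own_host):
    """External hosts linked only in the variant served to the crawler UA."""
    return sorted(external_hosts(crawler_html, own_host)
                  - external_hosts(browser_html, own_host))

def fetch(url, user_agent, timeout=10):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    """Run against a site you operate; a non-empty result needs investigation."""
    own = urlparse(url).hostname
    return crawler_only_hosts(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), own)

# Constructed sample responses (not captured from a real server).
SAMPLE_BROWSER = '<a href="/about">About</a><a href="https://cdn.shop.example/app.js">cdn</a>'
SAMPLE_CRAWLER = SAMPLE_BROWSER + '<a href="https://casino-links.example/bonus">best slots</a>'

if __name__ == "__main__":
    print(crawler_only_hosts(SAMPLE_BROWSER, SAMPLE_CRAWLER, "shop.example"))
```

An empty result does not prove a server is clean: if the crawler is identified by source address rather than User-Agent, this comparison sees no difference. In that case the URL Inspection view in Google Search Console shows the page as Google actually crawled it.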
The aim is to push gambling sites up in Google
The aim of the operation is to inject backlinks and SEO texts. The hackers want to use these to give gambling sites a higher ranking in Google search results.
The danger is that victims often only notice the attack when their own positions in Google suddenly plummet or when Google issues a warning. By then, the damage is often already extensive.
Attacks affect multiple sectors simultaneously
ESET reports that the attacks were not targeted at a single industry. Victims include educational institutions, healthcare organisations, insurers, transport companies, technology companies and shops.
The attacks probably started with an SQL injection. The hackers then used PowerShell to download additional programmes that gave them more rights in Windows. In the final phase, they installed Rungan and Gamshen.
Researchers such as Frank Kruit warn that these types of attacks are becoming more common and that companies need to be alert to unusual shifts in their search results.