Ethical Hacking News
A new China-aligned cybercrime crew, known as GhostRedirector, has been identified, compromising at least 65 Windows servers worldwide using custom malware to manipulate Google search results for SEO fraud. The crew's tactics are sophisticated, combining previously undocumented malware with publicly available exploits.
The GhostRedirector crew is a China-aligned group involved in cybercrime. The crew uses custom malware tools, including Rungan and Gamshen, to manipulate Google search results for SEO fraud. The operation boosts gambling sites' rankings by modifying responses only for Googlebot, benefiting a third-party site. The crew's tactics involve the use of PowerShell, Windows privilege escalation tools, and custom libraries such as Comdai. The targets include victims in South America and South Asia; the crew's tooling is built on exploits popular among Chinese-speaking hackers.
The internet is a vast and complex tapestry, woven from threads of code, data, and deception. In this digital realm, a new player has emerged, cloaked in the shadows of cybercrime. The GhostRedirector crew, a China-aligned group, has been making headlines with its cunning exploits, leaving a trail of compromised servers, manipulated search results, and unwitting victims in its wake.
According to ESET researchers, the GhostRedirector crew began its campaign in December, using previously undocumented malware to juice gambling sites' rankings in Google search. This malicious operation involves custom tools, including two never-seen-before pieces of malware dubbed Rungan and Gamshen, which manipulate Google search results for Search Engine Optimization (SEO) fraud.
Rungan, a passive C++ backdoor, executes a series of commands on compromised servers, while Gamshen enables SEO fraud as-a-service. This operation appears to boost gambling sites' rankings by modifying responses only for Googlebot, benefiting a third-party site that's potentially a paying client. The response is modified based on data requested dynamically from Gamshen's C&C server, which allows the attackers to manipulate the search ranking of specific websites.
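The cloaking behaviour described above (a server that answers Googlebot with different content than it answers everyone else) can be checked from the outside by an operator who suspects one of their own hosts is affected. The following Python is an added example written for this article, not code from ESET or from the GhostRedirector malware; the fake server, its sample pages and the placeholder casino domain are constructed, and `urllib_fetcher` is only there to show how the same check would run against a real site you administer.

```python
"""Detect search-engine cloaking by comparing what a server returns to a
crawler user-agent versus an ordinary browser user-agent.

Added example (not from the article or ESET). The sample pages and the fake
servers below are constructed to model the SEO-fraud pattern the article
describes: altered content is served only when the client claims to be Googlebot.
"""
import re
import urllib.request
from typing import Callable

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"

# A fetcher takes (url, user_agent) and returns the response body.
Fetcher = Callable[[str, str], str]

# Constructed sample: a normal page, and the same page with injected, hidden
# links that only the crawler ever sees (placeholder .example domain).
SAMPLE_CLEAN_PAGE = """<html><body>
<h1>Company blog</h1>
<a href="https://example.com/about">About us</a>
</body></html>"""

SAMPLE_CLOAKED_PAGE = SAMPLE_CLEAN_PAGE.replace(
    "</body>",
    '<div style="display:none">'
    '<a href="https://casino-placeholder.example/">best casino bonus</a>'
    '<a href="https://casino-placeholder.example/slots">free slots</a>'
    "</div></body>",
)


def fake_compromised_server(url: str, user_agent: str) -> str:
    """Constructed stand-in for an affected host: the cloaked page is returned
    only when the request claims to come from Googlebot."""
    if "Googlebot" in user_agent:
        return SAMPLE_CLOAKED_PAGE
    return SAMPLE_CLEAN_PAGE


def fake_healthy_server(url: str, user_agent: str) -> str:
    """Constructed stand-in for a host that serves everyone the same page."""
    return SAMPLE_CLEAN_PAGE


def urllib_fetcher(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Real fetcher for a host you are responsible for (not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


_HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html: str) -> set:
    """Collect every href target in the page; links are the signal that
    matters for SEO cloaking, not byte-level differences."""
    return set(_HREF_RE.findall(html))


def detect_cloaking(url: str, fetch: Fetcher) -> dict:
    """Fetch the URL as a browser and as Googlebot; report links that appear
    only in the crawler-facing response."""
    browser_body = fetch(url, BROWSER_UA)
    bot_body = fetch(url, GOOGLEBOT_UA)
    crawler_only = sorted(extract_links(bot_body) - extract_links(browser_body))
    return {
        "url": url,
        "bodies_differ": browser_body != bot_body,
        "crawler_only_links": crawler_only,
        "suspicious": bool(crawler_only),
    }


if __name__ == "__main__":
    for name, server in (("compromised", fake_compromised_server),
                         ("healthy", fake_healthy_server)):
        print(name, detect_cloaking("https://example.com/", server))
```

Two caveats when running this against a real host: some sites legitimately vary markup by user-agent (dynamic rendering), so `bodies_differ` alone is weak evidence, which is why the verdict is based on outbound links present only in the crawler response; and because Gamshen fetches its injected content dynamically from its C&C server, a single clean comparison does not prove the host is unaffected, so the check is worth repeating over time and across several URLs.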
The GhostRedirector crew's tactics are sophisticated and well-coordinated, involving the use of PowerShell to download Windows privilege escalation tools, droppers, and the two final payloads. These tools create or modify a user account on compromised servers, adding it to the administrators group, ensuring the attackers can continue to execute privileged operations on the infected machine.
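The persistence step described above (a local account created or modified and then added to the Administrators group) leaves a recognisable pair of entries in the Windows Security log. The following Python is an added example written for this article, not code from ESET or from the malware: it correlates those entries over a constructed JSON-lines export. The event IDs are real Windows Security IDs (4720 user created, 4738 user changed, 4732 member added to a local group), but the field names and one-object-per-line shape are an assumption about how the log was exported, and every record below is constructed.

```python
"""Flag local-admin persistence in Windows Security events: an addition to the
Administrators group (4732) shortly after the same account was created (4720)
or changed (4738).

Added example (not from the article or ESET). The JSON-lines export format and
its field names are assumptions; all sample records are constructed.
"""
import json
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators"}
USER_CHANGE_EVENTS = {4720, 4738}      # account created / account changed
WINDOW = timedelta(minutes=30)         # how close the two events must be

# Constructed sample log: one JSON object per line.
SAMPLE_EVENTS_JSONL = """\
{"EventID": 4720, "TimeCreated": "2025-09-04T10:01:12", "TargetUserName": "svc_update", "SubjectUserName": "w3wp_svc"}
{"EventID": 4732, "TimeCreated": "2025-09-04T10:01:15", "TargetUserName": "Administrators", "MemberName": "svc_update", "SubjectUserName": "w3wp_svc"}
{"EventID": 4720, "TimeCreated": "2025-09-04T08:30:00", "TargetUserName": "jdoe", "SubjectUserName": "helpdesk"}
{"EventID": 4732, "TimeCreated": "2025-09-04T10:45:00", "TargetUserName": "Remote Desktop Users", "MemberName": "jdoe", "SubjectUserName": "helpdesk"}
{"EventID": 4732, "TimeCreated": "2025-09-04T12:00:00", "TargetUserName": "Administrators", "MemberName": "backupadmin", "SubjectUserName": "itadmin"}
"""


def parse_events(jsonl: str) -> list:
    """Parse the export and return events sorted by time."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def find_admin_group_additions(jsonl: str) -> list:
    """Report every addition to an admin group; rate it high when the same
    account was created or changed within WINDOW beforehand, which is the
    sequence the article attributes to the attackers' tooling."""
    events = parse_events(jsonl)
    alerts = []
    for ev in events:
        if ev["EventID"] != 4732 or ev.get("TargetUserName") not in ADMIN_GROUPS:
            continue
        member = ev["MemberName"]
        t = ev["TimeCreated"]
        prior = [e for e in events
                 if e["EventID"] in USER_CHANGE_EVENTS
                 and e.get("TargetUserName") == member
                 and t - WINDOW <= e["TimeCreated"] <= t]
        alerts.append({
            "time": t.isoformat(),
            "member": member,
            "group": ev["TargetUserName"],
            "actor": ev.get("SubjectUserName"),
            "recently_created_or_changed": bool(prior),
            "severity": "high" if prior else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_group_additions(SAMPLE_EVENTS_JSONL):
        print(alert)
```

Every addition to Administrators is reported, not only the correlated ones, because on a web server that change should be rare enough to review by hand; the `actor` field is worth attention in its own right, since an account management change performed by a web-application service account (as in the constructed `w3wp_svc` records) is itself anomalous. On a real export, 4732 usually records the member as a SID or `DOMAIN\user`, so the `MemberName` comparison would need normalising first.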
The crew's malware also includes custom libraries, such as Comdai, which provide backdoor-like capabilities, including network communication, admin-user creation, file execution, directory listing, and manipulation of services and Windows registry keys. Additionally, they use another custom website information collector and dropper named Zunput, which checks for active websites capable of executing dynamic content and collects information about them.
The GhostRedirector crew's targets are not limited to specific sectors or industries; instead, they seem to have been interested in targeting victims in South America and South Asia. The crew's tools are based on public EfsPotato and BadPotato exploits, popular among Chinese-speaking hackers, and some samples were validly signed with a code-signing certificate issued by TrustAsia RSA Code Signing CA G3.
This latest development serves as a stark reminder of the ever-evolving nature of cybercrime and the need for vigilance in the face of emerging threats. As cybersecurity awareness continues to grow, so too must our efforts to stay one step ahead of these cunning attackers.
In conclusion, the GhostRedirector crew's exploits represent a new front in the ongoing battle against cybercrime. Their sophisticated tactics and use of custom malware tools make them a formidable opponent, highlighting the need for robust security measures and constant vigilance in the digital landscape.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Shadow-Over-the-Web-The-GhostRedirector-Cybercrime-Crews-Scheming-for-SEO-Fraud-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/09/04/new_chinaaligned_crew_poisons_windows_servers/
Published: Thu Sep 4 16:17:27 2025 by llama3.2 3B Q4_K_M