

Ethical Hacking News

GhostRedirector: A Sophisticated China-Linked Malware Exploiting SQL Injection Flaws to Launch SEO Fraud Schemes




A recent discovery by cybersecurity researchers has uncovered a sophisticated malware, GhostRedirector, which is believed to be linked to China-based threat actors. The malware compromises at least 65 Windows servers, exploiting an SQL injection vulnerability to gain initial access, and provides SEO fraud as-a-service by manipulating search engine results. With its sophisticated tools and operational resilience, GhostRedirector poses a significant threat to organizations, highlighting the ongoing efforts of China-linked threat actors in exploiting vulnerabilities for malicious purposes.

  • Cybersecurity researchers have discovered a malware called GhostRedirector linked to China-based threat actors.
  • The malware compromises at least 65 Windows servers in Brazil, Thailand, and Vietnam via SQL injection vulnerability.
  • GhostRedirector provides SEO fraud as-a-service by manipulating search engine results for a configured target website.
  • The malware includes tools like GoToHTTP, BadPotato, and Zunput to establish remote connections and collect information.
  • The researchers believe GhostRedirector is linked to China-aligned threat actors due to coding indicators and certificate evidence.
  • GhostRedirector demonstrates persistence and operational resilience with multiple remote access tools and rogue user accounts.



Cybersecurity researchers have recently uncovered a sophisticated malware known as GhostRedirector, which has been linked to China-based threat actors. The malware is designed to compromise at least 65 Windows servers located in Brazil, Thailand, and Vietnam, exploiting an SQL injection vulnerability to gain initial access to the networks.
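The article does not describe the vulnerable application, so the following is an added illustration (not code from the researchers or from the affected servers) of the class of flaw named above: a login query built by string concatenation beside the same query with bound parameters. The in-memory SQLite table, the `users` schema and the credential values are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for a web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Concatenates user input into SQL: the input can change the query's structure."""
    query = (
        f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, name, password):
    """Binds user input as parameters: the input is always data, never SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def demo():
    """Runs the textbook injection probe against both variants and reports the outcome."""
    conn = make_db()
    probe = "' OR '1'='1"  # classic test string used by scanners and auditors
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "admin", probe),
        "safe_bypassed": login_safe(conn, "admin", probe),
        "safe_correct": login_safe(conn, "admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

The first function accepts the probe because the concatenated `WHERE` clause becomes true for every row; the second rejects it because the driver passes the string as a literal password value. Any web-facing query on a server such as those described above should be written in the second form, and a code review or SAST rule that flags f-strings and `+` concatenation feeding `execute()` is the cheapest way to find the first form before an attacker does.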

Once inside the compromised network, GhostRedirector deploys a passive C++ backdoor called Rungan, which can execute commands on the server. However, its primary function is to provide SEO fraud as-a-service, manipulating search engine results to boost the page ranking of a configured target website. The malware achieves this by creating artificial backlinks from the legitimate compromised website to the target website, potentially redirecting unsuspecting users to gambling websites.
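Backlinks injected for search-engine benefit are typically served only to crawlers, so a site owner can look for them by comparing the page a browser receives with the page a crawler user agent receives. The check below is an added example written for this article, not the researchers' tooling; the two HTML responses and the hostnames in them are constructed, and `own_host` is whatever hostname the audited site uses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request


class LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def external_hosts(html, own_host):
    """Hostnames of outbound links, ignoring relative and same-site links."""
    hosts = set()
    for href in extract_links(html):
        host = urlparse(href).hostname
        if host and host != own_host:
            hosts.add(host)
    return hosts


def cloaked_hosts(browser_html, crawler_html, own_host):
    """External hosts linked only in the response given to the crawler."""
    return external_hosts(crawler_html, own_host) - external_hosts(browser_html, own_host)


def fetch(url, user_agent):
    """Fetches one URL with a chosen User-Agent; used for a live comparison, not in the offline demo."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8", errors="replace")


# Constructed sample responses for one page of a site at www.example.org.
BROWSER_HTML = """<html><body>
<a href="/about">About</a>
<a href="https://partner.example.com/x">Partner</a>
</body></html>"""

CRAWLER_HTML = """<html><body>
<a href="/about">About</a>
<a href="https://partner.example.com/x">Partner</a>
<div style="display:none"><a href="https://promoted.example.net/">best offers</a></div>
</body></html>"""


if __name__ == "__main__":
    print(cloaked_hosts(BROWSER_HTML, CRAWLER_HTML, "www.example.org"))
```

Against a live site the two inputs come from `fetch(url, browser_ua)` and `fetch(url, crawler_ua)`; any host that appears only in the crawler copy is either deliberate cloaking by the site's own SEO team or, as in the campaign described above, a sign that something on the server is rewriting responses. Running the comparison from outside the server's own network matters, since an in-process IIS module alters what the server emits rather than what is stored on disk.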

Furthermore, GhostRedirector also includes additional tools such as GoToHTTP, BadPotato, and Zunput. These tools enable the threat actors to establish remote connections, create privileged users, and collect information about websites hosted on the IIS server, respectively.

The researchers believe that GhostRedirector is operated by a China-aligned threat actor based on several indicators, including hard-coded Chinese strings in the source code, a code-signing certificate issued to a Chinese company, and the use of the password "huang" for one of the GhostRedirector-created users on the compromised server. However, it's worth noting that this malware is not the first instance of China-linked threat actors using malicious IIS modules for SEO fraud.

In recent times, both Cisco Talos and Trend Micro have detailed a Chinese-speaking group known as DragonRank, which has engaged in SEO manipulation via BadIIS malware. The GhostRedirector malware shares similarities with these previously documented threats, highlighting the ongoing efforts of China-linked threat actors to exploit vulnerabilities in IIS modules for malicious purposes.

The researchers observed that GhostRedirector demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, as well as creating rogue user accounts. This is a testament to the malware's ability to maintain long-term access to the compromised infrastructure, making it difficult to detect and eradicate.

In conclusion, the discovery of GhostRedirector highlights the ongoing threat landscape in the cybersecurity world. As threat actors continue to find new vulnerabilities and exploit them for malicious purposes, it is essential for organizations to prioritize network security and implement robust measures to protect themselves against such threats.

Summary:

GhostRedirector is a China-linked malware that has compromised at least 65 Windows servers, exploiting SQL injection flaws to gain initial access. The malware provides SEO fraud as-a-service by manipulating search engine results, potentially redirecting unsuspecting users to gambling websites. With its sophisticated tools and operational resilience, GhostRedirector poses a significant threat to organizations and highlights the ongoing efforts of China-linked threat actors in exploiting vulnerabilities for malicious purposes.



Related Information:
  • https://www.ethicalhackingnews.com/articles/GhostRedirector-A-Sophisticated-China-Linked-Malware-Exploiting-SQL-Injection-Flaws-to-Launch-SEO-Fraud-Schemes-ehn.shtml

  • https://thehackernews.com/2025/09/ghostredirector-hacks-65-windows.html


Published: Thu Sep 4 14:58:25 2025 by llama3.2 3B Q4_K_M