Cybersecurity researchers have uncovered a stealthy campaign, dubbed GhostRedirector, that has compromised Windows servers to manipulate search engine rankings for financial gain. The campaign uses two previously undocumented tools: a passive C++ backdoor called Rungan and a native IIS module named Gamshen, which alters responses only when Googlebot crawls the site. The result: infected web servers appear normal to human visitors while quietly serving manipulated content to search engines.
What happened, in plain English
GhostRedirector operators gained access to at least 65 Windows servers across multiple countries and sectors. Once inside, they installed Rungan to maintain command execution on the host and Gamshen as a malicious Internet Information Services, or IIS, module. Gamshen’s trick is selective: it detects requests from Google’s crawler and then injects content or backlinks coming from the attackers’ command-and-control servers. That artificially boosts the search ranking of the attackers’ target websites, typically gambling sites, while leaving normal visitors none the wiser.
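A quick way to test a site for the selective behavior described above is to request the same page once with an ordinary browser User-Agent and once with a Googlebot User-Agent, then compare what comes back. The PowerShell below is an added example written for this article, not code from ESET's report or from the campaign's tooling. It assumes the cloaking decision is keyed on the User-Agent header; the User-Agent strings and the link-extraction regex are illustrative choices.

```powershell
# Added example (not from ESET's report or the article's author): fetch one URL as a
# browser and again as Googlebot, then compare status, size and outbound link hosts.
# Assumption: the module decides on the User-Agent header. A module that also checks
# the client IP against Google's published crawler ranges would serve the clean page
# to both requests from a non-Google address, so "identical" here is not proof of health.
param(
    [Parameter(Mandatory = $true)][string]$Url
)

$browserUA   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36'
$googlebotUA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

function Get-PageView {
    param([string]$Uri, [string]$UserAgent)
    # -UseBasicParsing keeps this working on Windows PowerShell 5.1 without the IE engine
    $resp = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -TimeoutSec 20
    $body = [string]$resp.Content
    # Crude href extraction, enough to spot injected backlinks to third-party hosts
    $hosts = @([regex]::Matches($body, 'href\s*=\s*["'']https?://([^/"''\s]+)', 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } |
        Sort-Object -Unique)
    [pscustomobject]@{
        Status = [int]$resp.StatusCode
        Body   = $body
        Hosts  = $hosts
    }
}

$human = Get-PageView -Uri $Url -UserAgent $browserUA
$bot   = Get-PageView -Uri $Url -UserAgent $googlebotUA

"Browser  : HTTP $($human.Status), $($human.Body.Length) bytes, $($human.Hosts.Count) linked hosts"
"Googlebot: HTTP $($bot.Status), $($bot.Body.Length) bytes, $($bot.Hosts.Count) linked hosts"

if ($human.Body -eq $bot.Body) {
    'Responses are identical for both User-Agents.'
} else {
    'Responses DIFFER. Hosts linked only in the Googlebot view:'
    $bot.Hosts | Where-Object { $human.Hosts -notcontains $_ } | ForEach-Object { "  $_" }
}
```

Dynamic pages often differ between two requests anyway (anti-CSRF tokens, timestamps, rotating banners), so a byte-level difference by itself proves little; the list of hosts that appear only in the Googlebot view is the signal to act on. Because the injected content is fetched from the attackers' infrastructure and can change, run the check more than once and against several pages, not just the front page.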
Researchers believe the campaign started no later than late 2024 and continued into 2025. Initial access likely came through a web application vulnerability such as SQL injection, followed by PowerShell or CertUtil to fetch payloads and public privilege escalation exploits such as EfsPotato and BadPotato to create persistent administrator accounts. This combination of commodity exploitation and custom tooling is what makes GhostRedirector effective and hard to detect with traditional approaches.
Why this matters for businesses
On the surface this may look like a niche SEO fraud case, but the implications are broader and dangerous for organizations of all sizes:
- Compromised reputation. A legitimate business site that has been used as an unwitting SEO amplifier can suffer serious reputational damage, search engine penalties, and loss of customer trust.
- Stealth persistence. Because Gamshen only serves malicious content to crawlers, many standard monitoring tools and human users never notice the compromise. That means infections can persist for months.
- Lateral risk. The same foothold and privilege escalation techniques used to deploy Gamshen can be repurposed to drop ransomware, data exfiltration tools, or other destructive payloads. Attackers often repurpose access methods once they have administrator-level control.
In short, an incident that begins as SEO fraud is a clear example of how attackers can convert web-facing vulnerabilities into long-term enterprise risk.
Where traditional security falls short
Most defenses are built around detection: signatures, behavioral alerts, EDR alarms, SIEM rules, and reactive playbooks. Those tools are essential, but they assume you can detect malicious activity before it causes harm. GhostRedirector exposes the limits of that model:
- If malicious code only runs for a specific crawler fingerprint, behavioral detection tuned for human traffic or generic web requests may never trigger.
- Attackers who create rogue admin accounts or use privilege escalation can survive removal of individual backdoors. Without containment, the attacker's ability to re-establish access remains high.
This is why many security leaders are rethinking their approach and moving beyond Detect and Respond toward Isolation and Containment.
Isolation and Containment: a better posture against threats like GhostRedirector
Isolation and Containment is about preventing untrusted or unknown code from running in ways that can harm your system, regardless of whether you have a specific signature or detection rule for it. Key principles include:
- Application isolation. Preventing server processes and web site code from interacting with system components they should not touch. This reduces the blast radius if a web app is exploited.
- Policy-based containment. Enforcing strict execution policies so that even if an attacker achieves admin-level access, they cannot run arbitrary binaries or load arbitrary modules.
- Fail-safe defaults. Deny-by-default controls that only allow known-good behavior and block suspicious extensions like unauthorized IIS modules from loading.
When applied correctly, isolation keeps the tooling GhostRedirector depends on (an unapproved native IIS module and arbitrary binaries dropped by the backdoor) from becoming operational on a host, even if the initial web exploit succeeds.
Why AppGuard is the right fit
AppGuard has a 10-year track record of stopping real-world attacks by enforcing isolation and containment at the endpoint and server level. Instead of relying primarily on detection, AppGuard prevents untrusted code, modules, or processes from executing in ways that can modify system behavior or install persistence mechanisms. That approach is particularly effective against attacks like GhostRedirector because it blocks the harmful effect of loading malicious IIS modules and creating rogue administrator-level processes, regardless of whether the code matches a known signature.
For businesses looking to reduce risk fast, AppGuard’s proven Isolation and Containment model provides a practical path away from an overreliance on Detect and Respond. By stopping attack behaviors before they can escalate, AppGuard reduces the chance of long-term, stealthy compromises and the reputational and operational damage that follows.
Practical steps for organizations today
- Hunt for indicators. Use published indicators (for example from ESET's research) together with your own checks to look for unknown native IIS modules, unrecognized local administrator accounts, and webshells in site content roots.
- Patch and harden web apps. Fix SQL injection and other web vulnerabilities, remove unused IIS modules, and apply least privilege principles.
- Adopt containment-first controls. Deploy technologies that enforce runtime isolation and prevent unknown modules and binaries from changing host behavior. AppGuard is designed specifically for this purpose.
- Assume breach and minimize blast radius. Limit lateral movement, segment server roles, and block unnecessary admin capabilities.
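The hunting step above can be started with a single script on each IIS host. The PowerShell below is an added example written for this article, not code from ESET's report or from the article's author. It reads applicationHost.config directly, so it does not need the WebAdministration module, and it assumes a 90-day look-back window, that binaries under inetsrv are the trusted baseline, and an illustrative list of script extensions; none of these values are indicators from the report.

```powershell
# Added example, not code from ESET's report or from the article's author. Run in an
# elevated PowerShell on the IIS host. It reads applicationHost.config directly (no
# WebAdministration module needed) and reports the three things the steps above say to
# hunt: native IIS modules that are unsigned, missing or outside inetsrv; members of the
# local Administrators group with account metadata; and recently modified script files
# under each site's content root. Assumptions: the look-back window and the "trusted"
# module directory are local policy choices, and the file extensions are an illustrative
# list, not an indicator set from the report.
param(
    [int]$LookbackDays = 90
)

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg    = Get-Content -LiteralPath $configPath -Raw
$trustedDir  = (Join-Path $env:windir 'System32\inetsrv').ToLowerInvariant()

'=== Native (global) IIS modules ==='
$modules = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    # Images are stored as e.g. %windir%\System32\inetsrv\cachuri.dll; expand the variables
    $image     = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists    = Test-Path -LiteralPath $image
    $sig       = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'MISSING' }
    $hash      = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { '' }
    $inTrusted = $image.ToLowerInvariant().StartsWith($trustedDir)
    $flag      = if (-not $exists -or "$sig" -ne 'Valid' -or -not $inTrusted) { 'REVIEW' } else { 'ok' }
    [pscustomobject]@{ Flag = $flag; Name = $m.name; Signature = $sig; Image = $image; SHA256 = $hash }
}
$modules | Sort-Object Flag -Descending | Format-Table -AutoSize

'=== Local Administrators group ==='
$admins = foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $u = $null
    if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
        # Names come back as COMPUTER\user; strip the prefix to look the account up
        $u = Get-LocalUser -Name ($member.Name -replace '^.*\\', '') -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Member          = $member.Name
        Source          = $member.PrincipalSource
        Enabled         = if ($u) { $u.Enabled } else { '' }
        PasswordLastSet = if ($u) { $u.PasswordLastSet } else { '' }
        LastLogon       = if ($u) { $u.LastLogon } else { '' }
    }
}
$admins | Format-Table -AutoSize

"=== Script files modified in the last $LookbackDays days under site roots ==="
$since = (Get-Date).AddDays(-$LookbackDays)
$roots = $cfg.configuration.'system.applicationHost'.sites.site.application.virtualDirectory |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.physicalPath) } |
    Sort-Object -Unique
$recent = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asp, *.php -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length
}
$recent | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Native IIS modules must be registered in the globalModules section, so the first table is authoritative for native code; managed modules added in a site's web.config are a separate check. Treat the SHA256 column as input to a comparison against a known-good host rather than as a verdict, and pull any Administrators member you do not recognize whose PasswordLastSet falls inside the suspected intrusion window. On Windows PowerShell 5.1, Get-LocalGroupMember can fail when the group contains an orphaned SID from a deleted domain account; `net localgroup Administrators` is the fallback for that section.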
Conclusion and call to action
GhostRedirector shows how modern attackers combine simple initial exploits with sophisticated, targeted tooling to remain invisible while extracting value. For business owners, the takeaway is clear: detection alone is not enough. You need containment-first controls that prevent malicious modules and backdoors from ever becoming effective.
Talk with us at CHIPS about how AppGuard can prevent incidents like GhostRedirector by shifting your security posture from Detect and Respond to Isolation and Containment. AppGuard has a decade of real-world success and is now commercially available to protect businesses from stealthy threats that evade traditional defenses. Contact CHIPS and let us show you how to stop the next GhostRedirector before it takes hold.
October 4, 2025