Security researchers have discovered a cyber campaign where Chinese-linked hackers are secretly manipulating Google search results to push gambling websites. The operation, uncovered by cybersecurity company ESET, has been named GhostRedirector. Evidence shows it started in August 2024 and was still active in June 2025, running undetected for many months.

The attackers managed to compromise at least 65 Windows web servers across several countries. Most of the infections were found in Brazil, Thailand, and Vietnam, while some were detected in the United States and Peru. Once inside, the hackers deployed custom malware that allowed them to stay hidden and alter how the servers interacted with Google’s systems.
Two malicious tools were used in this operation. The first was a C++ backdoor named Rungan, which provided remote access to the attackers. The second was a malicious IIS module called Gamshen, which became the main weapon of the campaign. Gamshen was designed to change how compromised websites responded when visited by search engine crawlers.
Gamshen specifically targeted Googlebot, the crawler Google uses to index websites. Whenever Googlebot visited a hacked server, the module injected hidden backlinks that pointed to gambling websites. These backlinks made Google think the gambling sites were popular and trustworthy, pushing them higher in search rankings. Normal visitors, however, never saw these injected links.
The hackers are believed to have gained access by exploiting SQL injection vulnerabilities in web applications. After entry, they downloaded more tools through PowerShell and used known exploits like EfsPotato and BadPotato to gain administrator privileges. This allowed them to create new admin accounts and install their malicious IIS module with persistence.
By targeting Googlebot instead of direct users, the attackers found a stealthy way to achieve their goals. The gambling sites benefited from better visibility without the risk of alerting visitors or server owners. This method made the campaign harder to detect, since the manipulation only appeared during crawler interactions.
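Because the injected backlinks described above are served only to the crawler, the simplest check a server owner can run is to request the same page as a browser and as Googlebot and diff the links. The script below is an added example, not code from ESET or from the GhostRedirector report; the page contents, domains and User-Agent for the browser are constructed, and only the Googlebot string is Google's documented one.

```python
"""Cloaking check for SEO-fraud IIS modules like Gamshen: fetch one URL as a
browser and as Googlebot, then diff the outbound links the two responses carry."""
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# User-Agent strings for the two fetches; the Googlebot one is Google's documented string.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class _LinkCollector(HTMLParser):
    """Collect href targets of every <a> tag, whether or not it is visually hidden."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href.strip())

def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

def crawler_only_links(browser_html, crawler_html):
    """Links present only in the crawler-served page: evidence of cloaked backlinks."""
    return sorted(extract_links(crawler_html) - extract_links(browser_html))

def fetch_as(url, user_agent):
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    """Fetch url twice (browser first, then Googlebot) and report crawler-only links."""
    return crawler_only_links(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))

# Constructed sample responses standing in for one server answering two user agents.
BROWSER_PAGE = '<html><body><a href="/about">About</a><a href="/contact">Contact</a></body></html>'
CRAWLER_PAGE = BROWSER_PAGE.replace("</body>", '<div style="display:none">'
    '<a href="https://casino.example/">win</a><a href="https://bet.example/">bet</a></div></body>')

if __name__ == "__main__":
    print(crawler_only_links(BROWSER_PAGE, CRAWLER_PAGE))
```

A module that identifies the crawler by reverse DNS of the source address rather than by User-Agent will not be tripped by this check; in that case compare the live page against what Google Search Console's URL Inspection tool shows Google fetched.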
ESET has linked the activity to a China-aligned actor with medium confidence. The evidence includes Chinese-language strings found in the malware and a code-signing certificate issued to a Chinese company. While the exact identity of the group remains unknown, the technical clues strongly point toward a Chinese connection.
The impact of this campaign is significant for both organizations and users. Website owners face reputational harm when their servers are secretly abused for fraud. Users, meanwhile, may be misled by manipulated Google search results that prioritize gambling platforms, some of which may be illegal or unsafe.
What makes GhostRedirector especially concerning is its invisibility. Since the injected content is only shown to Google’s crawler, administrators may never realize their servers are compromised. This stealth allowed the attackers to keep the operation running for nearly a year before it was discovered.
ESET has advised organizations to patch vulnerabilities, especially SQL injection flaws, and to restrict the installation of IIS modules to trusted ones only. They also recommend strong authentication for administrators, scanning for indicators of compromise, and auditing servers regularly. The GhostRedirector case shows how attackers are finding new, creative ways to exploit trusted systems like search engines.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news