216.73.216.86

GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

· Published 08/09/2025 07:31 · Modified 08/09/2025 09:29

Export JSON

Essential information

Published
08/09/2025 07:31
Modified
08/09/2025 09:29
Tags
2025-09-04 2025-09-08 backdoor china-aligned comdai gamshen iis module privilege-escalation rungan seo fraud windows servers zunput
Related entities
24 observables, 1 intrusion sets (apt), 4 malware, 16 others

Description

ESET researchers have identified a new threat actor named GhostRedirector that has compromised at least 65 , primarily in Brazil, Thailand, and Vietnam. The actor utilizes two previously undocumented tools: a passive C++ called and a malicious Internet Information Services (IIS) module named . While can execute commands on compromised servers, 's purpose is to manipulate search engine results, boosting the page ranking of configured target websites. The attacks appear to be opportunistic rather than targeting specific entities. GhostRedirector also employs public exploits like EfsPotato and BadPotato for privilege escalation. Based on various factors, including the use of Chinese strings and a Chinese code-signing certificate, ESET believes with medium confidence that GhostRedirector is a threat actor.

External references