Particle.news

ESET Uncovers GhostRedirector Using IIS Malware to Manipulate Google Rankings

The research details a native IIS module that quietly alters responses for Googlebot to run SEO fraud without tipping off regular visitors.

Overview

  • ESET reports at least 65 Windows servers were compromised by the newly identified GhostRedirector group, with concentrations in Brazil, Thailand, Vietnam and the United States.
  • The attackers deployed two previously undocumented tools: Rungan, a C++ backdoor for command execution, and Gamshen, an IIS module used to boost targeted sites, notably gambling platforms.
  • Initial access likely stemmed from SQL injection, followed by privilege escalation via BadPotato and EfsPotato to create administrator accounts and sustain access.
  • Researchers observed broad sector impact across education, healthcare, insurance, transportation, technology and retail, with cross-border hosting complicating victim geography.
  • ESET assesses a medium-confidence China alignment based on code artifacts and a China-linked certificate, and advises auditing IIS modules, patching, restricting high-privilege use and monitoring PowerShell activity.
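The last recommendation, auditing installed IIS modules, is the one a defender can act on immediately. The following PowerShell script is an added example written for this summary; it is not ESET's tooling and not part of the original report. It reads the server's applicationHost.config (assumed to be at the default path under %windir%\System32\inetsrv\config), lists every native (global) module registered there, and flags entries whose DLL is missing, sits outside the inetsrv directory, is unsigned, or is signed by someone other than Microsoft. Run it in an elevated PowerShell session on the IIS host; the thresholds for what counts as suspicious are this example's own choices, not ESET's indicators.

```powershell
# Added example (not ESET's or Particle.news's code): inventory native IIS modules
# from applicationHost.config and highlight the ones worth a closer look.
# Assumes a default IIS install and an elevated PowerShell session on the server.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -LiteralPath $configPath -Raw

# Native modules (the kind Gamshen is reported to be) are registered under
# system.webServer/globalModules as <add name="..." image="..."/> elements.
$globalModules = $config.configuration.'system.webServer'.globalModules.add

$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$inventory = foreach ($m in $globalModules) {
    # The image attribute normally uses %windir% or %SystemRoot%; expand it first.
    $image    = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists   = Test-Path -LiteralPath $image
    $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $fileInfo = if ($exists) { Get-Item -LiteralPath $image } else { $null }

    [pscustomobject]@{
        Name            = $m.name
        Image           = $image
        Exists          = $exists
        OutsideInetsrv  = -not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
        SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        ModifiedUtc     = if ($fileInfo) { $fileInfo.LastWriteTimeUtc } else { $null }
    }
}

# Full inventory, newest DLLs first: a recently written module on a long-lived server
# deserves an explanation regardless of the other checks.
$inventory | Sort-Object ModifiedUtc -Descending | Format-Table -AutoSize

# Heuristic triage (example thresholds): anything not Microsoft-signed, not validly
# signed, missing on disk, or loaded from outside the inetsrv directory.
$suspicious = $inventory | Where-Object {
    -not $_.Exists -or
    $_.OutsideInetsrv -or
    $_.SignatureStatus -ne 'Valid' -or
    $_.Signer -notmatch 'Microsoft'
}

if ($suspicious) {
    Write-Warning "Native IIS modules needing review: $($suspicious.Count)"
    $suspicious | Format-List
} else {
    Write-Host 'All registered native IIS modules are present and Microsoft-signed.'
}
```

A valid third-party signature is not proof of legitimacy (the report notes a China-linked certificate among the group's artifacts), so treat the signer field as a pointer for review rather than an allow-list. On a server with the WebAdministration module installed, Get-WebGlobalModule gives the same name/image list and can replace the XML parsing above.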