Particle.news

ESET Uncovers 'GhostRedirector' Using IIS Malware to Skew Google Rankings on 65 Windows Servers

Researchers describe abuse of a native IIS module that rewrites responses only for Googlebot requests in order to promote gambling sites.

Overview

  • A June 2025 scan identified at least 65 compromised Windows servers, concentrated in Brazil, Thailand, Vietnam, Peru and the United States across sectors including education, healthcare, insurance, transportation, technology and retail.
  • The operation uses a passive C++ backdoor named Rungan alongside a malicious IIS module called Gamshen to enable command execution and run SEO fraud that inflates rankings for third-party gambling domains.
  • ESET reports initial access likely came via SQL injection, followed by PowerShell staging from 868id[.]com and privilege escalation using BadPotato or EfsPotato.
  • Persistence techniques included creating privileged user accounts and deploying additional tools such as GoToHTTP, Zunput and Comdai, plus planting ASP, PHP and JavaScript webshells on IIS hosts.
  • ESET assesses medium-confidence China alignment, citing hardcoded Chinese strings, a TrustAsia code-signing certificate issued to Shenzhen Diyuan Technology and the use of a password containing the Mandarin word "huang."
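The Googlebot-only rewriting summarised above is detectable from outside the server with a differential fetch: request the same page once with an ordinary browser User-Agent and once with Googlebot's, then flag links that appear only in the crawler variant. The script below is an added example, not code from Particle.news or from ESET's research; the user agent strings, host names, sample pages and the 0.9 similarity threshold are constructed assumptions.

```python
# Added example (not from the Particle.news page or ESET's research): a defender-side
# cloaking check for IIS hosts suspected of serving SEO-fraud content to Googlebot only.
import difflib
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed User-Agent strings; Googlebot's is the documented crawler UA.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _LinkExtractor(HTMLParser):
    """Collects href values of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def fetch_as(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent header; returns the decoded body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def compare_variants(browser_html, bot_html, site_host, min_similarity=0.9):
    """Compare the page served to a browser with the page served to Googlebot.

    Returns the links only the crawler sees, the subset of those pointing
    off-site, a text similarity ratio, and a verdict. Off-site crawler-only
    links are the strongest signal: that is what link-injection SEO fraud
    needs to plant.
    """
    browser_links = set(extract_links(browser_html))
    bot_links = set(extract_links(bot_html))
    bot_only = sorted(bot_links - browser_links)
    off_site = [
        link for link in bot_only
        if urlparse(link).netloc and urlparse(link).netloc != site_host
    ]
    similarity = difflib.SequenceMatcher(None, browser_html, bot_html).ratio()
    return {
        "bot_only_links": bot_only,
        "off_site_bot_only_links": off_site,
        "similarity": round(similarity, 3),
        "suspected_cloaking": bool(off_site) or similarity < min_similarity,
    }


def check_url(url, min_similarity=0.9):
    """Live check: fetch both variants of url from the network and compare them."""
    host = urlparse(url).netloc
    browser_html = fetch_as(url, BROWSER_UA)
    bot_html = fetch_as(url, GOOGLEBOT_UA)
    return compare_variants(browser_html, bot_html, host, min_similarity)


# Constructed sample responses (not captured from any real server) so the
# comparison can be exercised offline.
SITE_HOST = "intranet.example.test"
BROWSER_PAGE = """<html><head><title>Campus Library</title></head>
<body><h1>Campus Library</h1>
<p>Opening hours and catalogue.</p>
<a href="/catalogue">Catalogue</a>
<a href="https://intranet.example.test/hours">Hours</a>
</body></html>"""

# The crawler variant is the same page with two injected off-site links.
BOT_PAGE = BROWSER_PAGE.replace(
    "</body>",
    '<div><a href="https://casino-one.invalid/play">best online casino</a>\n'
    '<a href="https://bet-two.invalid/">sports betting</a></div></body>',
)

if __name__ == "__main__":
    print(compare_variants(BROWSER_PAGE, BOT_PAGE, SITE_HOST))
```

Run `check_url("https://your-host/")` against a server you operate to perform the live comparison; a clean host returns an empty `off_site_bot_only_links` list and a similarity near 1.0, while crawler-only links to unrelated domains warrant inspecting the loaded native IIS modules on that server.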