👤 AUDITWOLF
🗓️ 07 Sep 2025  

Ghost in the Search Machine: Chinese Hackers Hijack Google for Gambling Gold

Cybercriminals are using stealthy malware and Google manipulation to boost shady gambling sites - leaving compromised servers and search results in their wake.

Fast Facts

  • ESET researchers uncovered "GhostRedirector," a Chinese-linked SEO manipulation campaign targeting Windows Web servers.
  • Attackers use novel malware (Rungan and Gamshen) to hijack compromised sites and secretly serve links to gambling operations.
  • Over 65 legitimate websites have been compromised since at least August 2024, with most victims in Brazil, Vietnam, and Thailand.
  • The attackers exploit vulnerabilities to install hard-to-detect malicious modules within Microsoft’s IIS web server software.
  • SEO poisoning tactics are not new - similar campaigns have been tracked by Cisco Talos and others in recent years.

Inside the Digital Casino: How Hackers Rig the Game

Imagine Google’s search results as a high-stakes casino floor - except, in this house, the games are rigged and the croupiers are hackers. According to ESET, a professional cybercrime outfit likely operating out of China has been quietly stacking the deck for months, leveraging a campaign dubbed "GhostRedirector." Their prize? Top search rankings for illicit gambling sites, achieved by hijacking the web servers of unsuspecting organizations across multiple continents.

How the Scheme Works: Malware Masquerade

The attackers’ toolkit is both cunning and technically advanced. First, they break into Windows-based web servers - often by exploiting unpatched security holes, such as SQL injection flaws. Once inside, they deploy malware tools with names like Rungan (a covert backdoor) and Gamshen (a malicious add-on for Microsoft’s IIS web server software). These digital parasites nestle in alongside legitimate server components, making them nearly invisible to traditional security scans.

Gamshen, in particular, acts like a ghostly puppeteer. When Google’s search engine crawler visits a compromised website, Gamshen detects the bot and surreptitiously injects links to the hackers’ gambling sites into the page content. For regular visitors, the site appears untouched. But to Google, it’s suddenly brimming with backlinks to shady online casinos, artificially boosting those sites’ search rankings - a trick known as SEO poisoning.
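A defender can test for this kind of crawler cloaking from the outside: request the same page once as a browser and once with a Googlebot user agent, then report outbound links that only the crawler is served. The script below is an added illustration, not code from ESET or the campaign; the sample HTML and the hostnames in it are constructed placeholders, and the Googlebot UA string is the public one.

```python
"""Defender-side check for crawler cloaking of the kind described for Gamshen:
compare the page a browser receives with the page a crawler receives and list
links that appear only in the crawler's view. Sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"

class _LinkParser(HTMLParser):
    """Collect every <a href=...> in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.hrefs

def cloaked_links(browser_html, crawler_html, site_host):
    """Return external hrefs served to the crawler but absent from the browser view."""
    seen_by_browser = set(extract_links(browser_html))
    suspicious = set()
    for href in extract_links(crawler_html):
        host = urlparse(href).hostname  # None for relative links such as /about
        if href not in seen_by_browser and host and host != site_host:
            suspicious.add(href)
    return sorted(suspicious)

def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    """Live check: fetch as a browser and as Googlebot, then diff the links."""
    host = urlparse(url).hostname
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), host)

# Constructed sample: the same page as seen by a browser and by a crawler.
BROWSER_VIEW = '<html><body><a href="/about">About</a><a href="https://partner.example/">Partner</a></body></html>'
CRAWLER_VIEW = ('<html><body><a href="/about">About</a><a href="https://partner.example/">Partner</a>'
                '<div style="display:none"><a href="https://casino-placeholder.example/">bet</a>'
                '<a href="https://slots-placeholder.example/play">slots</a></div></body></html>')

if __name__ == "__main__":
    for href in cloaked_links(BROWSER_VIEW, CRAWLER_VIEW, "victim.example"):
        print("crawler-only outbound link:", href)
```

A clean server returns an empty list; any crawler-only outbound link to an unfamiliar domain is a signal to inspect the IIS module list on that host.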

The Bigger Picture: SEO Poisoning as a Cybercrime Tactic

This isn’t the first time Chinese-linked groups have weaponized search engines. In 2023, Cisco Talos documented a similar campaign by DragonFly, which also used malicious IIS modules (such as BadIIS) to manipulate web traffic and rankings for profit. Microsoft and Splunk have both warned about the growing threat of IIS-based malware, which can persist undetected for months thanks to its stealthy integration with legitimate web server software.

While GhostRedirector’s victims are scattered across sectors - healthcare, education, retail, and more - the common denominator is outdated or poorly defended Windows web servers. As online gambling remains heavily restricted or illegal in many regions, these campaigns highlight the global intersection of cybercrime, black-market economies, and the constant cat-and-mouse game between hackers and defenders.

Staying One Step Ahead

ESET’s advice is clear: organizations must lock down their web servers with strong passwords, multifactor authentication, and strict controls on what software modules can be installed. As attackers continue to innovate, the line between legitimate and malicious code grows ever thinner - leaving defenders with the challenge of spotting ghosts in the machine before the house loses everything.

WIKICROOK

  • SEO Poisoning: SEO poisoning is the manipulation of search engine results to promote malicious websites, tricking users into visiting harmful or fraudulent pages.
  • IIS (Internet Information Services): IIS is Microsoft's web server software for hosting websites and applications on Windows servers, offering secure and scalable content delivery.
  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • SQL Injection: SQL injection is a hacking technique where attackers insert malicious SQL into user inputs to trick a database into executing harmful commands.
  • Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.
