Skip to main content
Mallory
Back to threat actors
🇨🇳 CN2 malware families

GhostRedirector

Also known asghostredirector

GhostRedirector is a previously undocumented threat cluster reported by ESET that has compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam. The actor has been active since at least August 2024 and is associated with SEO fraud operations targeting Microsoft IIS/Windows server environments. ESET reported that GhostRedirector deployed a passive C++ backdoor named Rungan and a malicious IIS module codenamed Gamshen. Gamshen was assessed to support SEO fraud-as-a-service by manipulating search engine results and facilitating redirection activity. Public reporting places GhostRedirector in the broader ecosystem of Chinese threat actors targeting IIS servers; it has been explicitly listed alongside Operation Rewrite, UAT-8099, DragonRank, and other China-aligned or Chinese-speaking IIS-focused clusters, but available reporting in the provided content does not establish it as the same operator as those groups. No additional aliases or sub-groups are directly supported in the provided content beyond GhostRedirector itself.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics2 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0003
Persistence
1 technique
T1505
Server Software Component
T1505.003
Web Shell
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Gamshen... and a native Internet Information Services (IIS) module codenamed Gamshen.4Mar 18, 2026
Rungan... led to the deployment of a passive C++ backdoor called Rungan ...3Mar 18, 2026
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
the hacker newsNews
Jun 5, 2026
New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

China-aligned threat group observed targeting IIS web servers.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Cluster compromising Windows servers (noted in Brazil/Thailand/Vietnam) deploying Rungan backdoor and Gamshen IIS module for persistence/traffic manipulation.

Read more
alphahunt blogNews
Feb 10, 2026
[DEEP RESEARCH] BadIIS Isn’t Enough: The IIS Module + HTTP Fingerprints That Catch SEO-Fraud Cloaking

Separate IIS SEO-fraud/redirector activity cluster in the same problem space; treated as low-probability match to UAT-8099/WEBJACK unless specific GhostRedirector hallmarks (e.g., Rungan/Gamshen artifacts and associated domains) are present.

Read more
the hacker newsNews
Nov 7, 2025
From Log4j to IIS, China's Hackers Turn Legacy Bugs into Global Espionage Tools

Named as a Chinese threat actor known for targeting IIS servers (no additional details provided in this content).

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.