Gamshen
Gamshen is a malicious Microsoft Internet Information Services (IIS) module associated with the GhostRedirector threat actor and used to facilitate SEO fraud. Public reporting cited here states GhostRedirector compromised at least 65 Windows servers and deployed Gamshen alongside a passive C++ backdoor named Rungan. Reported victim geography primarily included Brazil, Thailand, and Vietnam. ESET assessed that Gamshen was used to provide SEO-fraud-as-a-service by manipulating search engine results, including redirect-oriented abuse tied to gambling-related outcomes. The malware targets Windows IIS servers and operates as an IIS module rather than a standalone payload. The content does not provide specific file hashes, domains, or other concrete IOC values for Gamshen beyond its name and association with GhostRedirector/Rungan.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
... and a native Internet Information Services (IIS) module codenamed Gamshen.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
"Once a vulnerable IIS server is found – either via security vulnerability or weak settings in the web server's file upload feature – the threat actor uses the foothold to upload web shells..."
Persistence
1 technique
"BadIIS ... Plants Web Shells"; "GhostRedirector ... native Internet Information Services (IIS) module"
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Native IIS module used in GhostRedirector compromises; likely for traffic manipulation/redirect behavior (implied by context); no further details in excerpt.
Named tooling/artifact associated with GhostRedirector activity; used as a differentiator from UAT-8099/WEBJACK-style activity.
Malicious IIS module used to facilitate SEO fraud; described as functionally similar to BadIIS in that it conditionally triggers SEO manipulation based on Google-originated requests (Googlebot User-Agent).
Native IIS module used to provide SEO fraud-as-a-service by manipulating search engine results to boost rankings for a configured target website.
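As an added defensive example (not code from Mallory, ESET, or the reporting cited above), the script below scans IIS W3C log lines for the user-agent-conditional behaviour described above: URIs that answer a Googlebot user agent with a redirect while ordinary clients receive a normal page. The field order and the log lines are constructed for this example; a real log declares its order in its `#Fields:` header.

```python
"""Flag URIs whose IIS response differs for Googlebot and for ordinary clients."""
import re
from collections import defaultdict

# Assumed W3C extended field order (constructed; match it to the log's #Fields: line).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

GOOGLEBOT_RE = re.compile(r"googlebot", re.IGNORECASE)

# Constructed sample log: /index.html is cloaked (bot -> 302, browser -> 200),
# /about.html is served identically, /old.html redirects for everyone (benign).
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2024-01-01 10:00:00 10.0.0.5 GET /index.html - 80 - 203.0.113.7 "
    "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 12",
    "2024-01-01 10:00:05 10.0.0.5 GET /index.html - 80 - 198.51.100.9 "
    "Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 8",
    "2024-01-01 10:00:09 10.0.0.5 GET /about.html - 80 - 203.0.113.7 "
    "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 5",
    "2024-01-01 10:00:11 10.0.0.5 GET /about.html - 80 - 198.51.100.9 "
    "Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 6",
    "2024-01-01 10:00:20 10.0.0.5 GET /old.html - 80 - 203.0.113.7 "
    "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 301 0 0 3",
    "2024-01-01 10:00:22 10.0.0.5 GET /old.html - 80 - 198.51.100.9 "
    "Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 301 0 0 3",
]

def parse_line(line):
    """Split one W3C line into a dict; IIS encodes spaces inside fields as '+'."""
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def find_ua_conditional_uris(lines):
    """Return URIs where Googlebot got a 3xx but non-bot clients only got 2xx."""
    seen = defaultdict(lambda: {"bot": set(), "other": set()})
    for line in lines:
        rec = None if line.startswith("#") else parse_line(line)
        if rec is None:
            continue
        bucket = "bot" if GOOGLEBOT_RE.search(rec["cs(User-Agent)"]) else "other"
        seen[rec["cs-uri-stem"]][bucket].add(rec["sc-status"][:1])  # status class
    return sorted(uri for uri, s in seen.items()
                  if "3" in s["bot"] and s["other"] and s["other"] <= {"2"})

if __name__ == "__main__":
    print("UA-conditional redirects:", find_ua_conditional_uris(SAMPLE_LOG))
```

A hit is a lead, not a verdict: confirm it by fetching the URI from a test client with and without a crawler user agent, and review the server's installed native modules.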