Chinese Hackers Game Google to Boost Gambling Sites
Summary
A cybercrime operation ESET calls “GhostRedirector” has been compromising Windows web servers to install malware and a malicious native IIS module named Gamshen that injects backlinks when search-engine crawlers (like Googlebot) visit compromised sites. The campaign — active since at least August 2024 — has hit dozens of sites across Brazil, Vietnam, Thailand and a few US-hosted sites. Attackers appear to gain initial access via unpatched vulnerabilities (likely SQL injection), use PowerShell to fetch tools (including the newly observed Rungan and Gamshen), and leverage privilege-escalation exploits such as EfsPotato and BadPotato. Gamshen works at the IIS module level, intercepting HTTP requests and selectively serving injected links to boost search rankings for targeted gambling sites.
Key Points
- GhostRedirector is a professional SEO-poisoning operation that compromises Windows IIS servers to promote gambling websites.
- Initial access likely comes from unpatched SQL injection flaws; the intruders use PowerShell to deploy tools.
- Rungan is a passive backdoor enabling remote command execution; Gamshen is a native IIS module that injects backlinks for SEO manipulation.
- Attackers exploit privilege-escalation flaws (EfsPotato, BadPotato) to gain high-level persistence on servers.
- Victims are spread across many sectors (healthcare, education, transport, retail, tech) and mainly in Brazil, Vietnam, and Thailand.
- ESET and Microsoft warn malicious IIS modules are hard to detect because they mimic legitimate modules and live in common directories.
- Mitigations: restrict IIS module installation to trusted, signed components; use dedicated admin accounts, strong passwords and multi-factor authentication for IIS administrators.
Context and relevance
This is part of a growing trend where threat actors weaponise web-infrastructure features (native IIS modules) for covert persistence and niche fraud — here, SEO poisoning. Rather than deface sites or steal data, operators quietly manipulate search-engine indexing to funnel traffic to monetised gambling pages. For sysadmins, SEO teams and security ops, it underscores that webserver compromise can be used for reputational and revenue fraud as well as more traditional espionage or data theft. The technique is stealthy because malicious modules blend in with legitimate server extensions and respond differently depending on the requester (e.g. Googlebot), making detection and forensics trickier.
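One practical check for the requester-dependent behaviour described above is to fetch the same page as Googlebot and as an ordinary browser and diff the links each view contains. The following is an added example written for this summary, not code from the article, ESET, or the GhostRedirector tooling; it assumes the injected backlinks are keyed on the User-Agent header, and the sample HTML, hostnames and URLs are constructed so the check runs offline.

```python
"""Detect crawler-only links (search-engine cloaking) by diffing two views of a page."""
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Assumed User-Agent strings; a server keyed on crawler IP ranges instead would not react.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0"


class LinkCollector(HTMLParser):
    """Collects the absolute href of every <a> element in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.add(urljoin(self.base_url, href))


def extract_links(html, base_url):
    collector = LinkCollector(base_url)
    collector.feed(html)
    return collector.links


def crawler_only_links(crawler_html, browser_html, base_url):
    """Links the crawler view carries that the browser view lacks; non-empty means cloaking."""
    return sorted(extract_links(crawler_html, base_url) - extract_links(browser_html, base_url))


def fetch_as(url, user_agent, timeout=15):
    """Fetch a URL with a chosen User-Agent and return the decoded body."""
    with urlopen(Request(url, headers={"User-Agent": user_agent}), timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


def check_site(url):
    """Live check of one page: diff the Googlebot view against the browser view."""
    return crawler_only_links(fetch_as(url, GOOGLEBOT_UA), fetch_as(url, BROWSER_UA), url)


# Constructed sample responses: the crawler view carries two hidden off-site links.
SAMPLE_BROWSER_HTML = '<html><body><a href="/about">About</a><a href="/contact">Contact</a></body></html>'
SAMPLE_CRAWLER_HTML = (SAMPLE_BROWSER_HTML.replace("</body>", "")
                       + '<div style="display:none"><a href="https://casino.example/">play</a>'
                       + '<a href="https://bet.example/bonus">bonus</a></div></body>')

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_site(target) if target else
          crawler_only_links(SAMPLE_CRAWLER_HTML, SAMPLE_BROWSER_HTML, "https://victim.example/"))
```

Run it against a site you operate (after a suspected compromise, from outside the server) and treat any crawler-only link as a lead to inspect the installed IIS modules.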
Why should I read this
Short and blunt: if you run Windows IIS sites or care about organic search, this is one of those sneaky attacks that quietly wrecks your SEO credibility and can be a massive pain to clean. It’s clever, persistent and almost invisible unless you look for it — so worth two minutes of your time to see what to lock down.
Author style
Punchy: this isn’t just another server compromise — it’s targeted manipulation of search ecosystems using high-privilege IIS modules. If your organisation hosts public-facing IIS apps, read the technical bits and act: limit module installs, enforce MFA and patch those SQL injection holes. Consider this a high-priority operational hygiene flag rather than academic reading.
Source
Source: https://www.darkreading.com/cyber-risk/chinese-hackers-google-boost-gambling-sites