Tags: malware, high, Backdoor, IIS Module Malware, Search Manipulation, GhostRedirector

Sep 04, 2025 • ESET WeLiveSecurity

GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

Source
ESET WeLiveSecurity
Category
malware
Severity
high

Executive Summary

ESET researchers have identified GhostRedirector, a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module designed to manipulate Google search results. The attackers focus on server-side implants for persistence, likely enabling SEO fraud or traffic redirection schemes. The passive backdoor architecture makes traditional detection challenging, as it avoids active network communications. Organizations running Windows servers with IIS should audit server configurations for unauthorized modules, monitor for anomalous service installations, and implement strict web server hardening practices. Behavioral monitoring and network traffic analysis are recommended for effective detection of this campaign.
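The recommendation above to audit IIS for unauthorized modules can be turned into a repeatable check. The following PowerShell script is an added example written for this page; it is not code from ESET's report or from the GhostRedirector analysis. It assumes the WebAdministration module that ships with the IIS management tools is installed, and the list of trusted directories is a constructed baseline that you would extend with any third-party native modules your servers legitimately load.

```powershell
# Added example (not from the ESET report): list globally registered native IIS
# modules and flag those whose DLL lives outside the expected directories or
# does not carry a valid Authenticode signature. Run as an administrator on the
# IIS host being audited.
Import-Module WebAdministration -ErrorAction Stop

# Constructed baseline: where legitimate native modules normally live.
# Add the install directories of any third-party modules you expect to see.
$trustedDirs = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

function Test-IISModuleBaseline {
    # Get-WebGlobalModule returns native (unmanaged) modules registered in
    # applicationHost.config; this is where a malicious IIS DLL would appear.
    Get-WebGlobalModule | ForEach-Object {
        # The Image property often contains variables such as %windir%.
        $image = [Environment]::ExpandEnvironmentVariables($_.Image)

        $inTrustedDir = $false
        foreach ($dir in $trustedDirs) {
            if ($image -like "$dir*") { $inTrustedDir = $true }
        }

        # A module whose file is missing is itself worth a closer look.
        $sig = if (Test-Path -LiteralPath $image) {
            (Get-AuthenticodeSignature -FilePath $image).Status
        } else {
            'FileMissing'
        }

        [pscustomobject]@{
            Name       = $_.Name
            Image      = $image
            TrustedDir = $inTrustedDir
            Signature  = $sig
            Suspicious = (-not $inTrustedDir) -or ($sig -ne 'Valid')
        }
    }
}

# Show only the entries that need a human decision.
Test-IISModuleBaseline | Where-Object Suspicious | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: some legitimate modules are unsigned or installed in vendor-specific paths, so the useful step is to diff this result against a known-good baseline captured from a freshly built server and to investigate any module that appears only on the suspect host.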

Summary

ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results

Linked Entities

  • GhostRedirector