Skip to main content
CybersecurityInfrastructure

GhostRedirector: Exclusive Dangerous IIS Backdoor Revealed

GhostRedirector: Exclusive Dangerous IIS Backdoor Revealed

GhostRedirector Hits 65 Windows Servers via Rungan, Gamshen

GhostRedirector: a stealthy new threat that alters web traffic at the server

Imagine discovering that a building’s front door has been secretly converted into a side entrance—one that lets strangers slip in unnoticed and monitor who comes and goes. That metaphor captures the risk revealed this week when researchers at ESET documented a previously unknown threat cluster they named GhostRedirector. According to the report, attackers have compromised at least 65 Windows web servers across Brazil, Thailand and Vietnam, installing a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module capable of manipulating web traffic at the server level.

The combination of a lightweight implant and an IIS module makes GhostRedirector particularly insidious. Instead of noisy, overt attacks, defenders are up against a set of tools designed for persistence and subtle traffic manipulation—redirecting users, injecting content, exfiltrating data or acting as a man-in-the-middle without altering DNS records or visible site content. For organizations that rely on IIS to deliver web services, the implications are serious: attackers with server-level access can intercept credentials, alter responses seen by users, or layer additional malicious payloads into legitimate traffic flows.

What ESET found

ESET’s analysis breaks GhostRedirector down into two primary components:
– Rungan: a passive C++ backdoor that implements classic remote-access features—persistence, command execution and file manipulation—while aiming to remain low-profile on infected hosts.
– Native IIS module (referred to by ESET as a traffic-manipulation module): a server-level component that hooks into IIS to intercept and change incoming HTTP requests and outgoing responses.

This pairing is significant because it combines covert remote access (Rungan) with the high-impact ability to tamper with live web interactions at scale (the IIS module). The result is a platform that favors long-term surveillance and opportunistic data collection over quick, destructive operations.

Geographic focus and attribution

Most victims are concentrated in Brazil, Thailand and Vietnam. That regional clustering raises questions about targeting priorities—are attackers focusing on specific sectors in these countries, or is regional exposure a consequence of server misconfiguration patterns? ESET’s report deliberately refrains from firm attribution, focusing instead on technical indicators and attacker behavior. That caution is standard when direct links to a nation-state or organized criminal group can’t be established with high confidence.

Why this matters to defenders

Web servers are chokepoints: compromise one, and you potentially affect every user who interacts with it. GhostRedirector exemplifies how attackers can exploit that centrality. An IIS-level compromise can:
– Intercept credentials and session tokens
– Serve malicious content selectively, without altering site appearance for all users
– Redirect specific visitors to attacker-controlled infrastructure
– Stage supply-chain-style compromise by injecting scripts into otherwise legitimate pages

For system administrators and security teams, the episode is a wake-up call: unknown native modules loaded into web servers are high-value indicators that merit immediate scrutiny.

Practical steps to detect and remediate GhostRedirector

ESET’s work also translates into concrete actions defenders should prioritize:
– Inventory IIS modules and plugins: identify any unknown native modules or recently modified binaries. Native code loaded into IIS should be rare and clearly justified.
– Verify file integrity: compare web server binaries and modules against known-good images. Investigate unexpected persistence mechanisms or service wrappers.
– Monitor network egress: look for anomalous connections from web servers to C2 domains or unusual internal traffic patterns.
– Apply least privilege and segmentation: limit the permissions of web server processes and isolate web-facing services (network segmentation, containers, or dedicated hosts).
– Use endpoint/server detection tools: hunt for Rungan artifacts and indicators published by ESET and other reputable vendors.

Broader implications

GhostRedirector underlines several persistent gaps in defensive posture. First, attackers continue to combine off-the-shelf and bespoke tooling in novel ways that evade standard detection. Second, attribution limits leave defenders without a clear sense of motive, complicating escalation to law enforcement or diplomatic responses. Third, targeting core infrastructure like web servers gives attackers outsized leverage: a single compromised host can ripple through many users and dependent services.

Public reporting like ESET’s is crucial because it equips hosting providers, national CERTs and enterprises with the indicators needed to hunt and mitigate similar intrusions. But the effectiveness of such reporting depends on rapid, cross-sector sharing and on defenders actually applying the recommended mitigations.

Conclusion: treat web servers as frontline assets — GhostRedirector shows why

GhostRedirector demonstrates how a previously undocumented cluster can turn trusted web infrastructure into a covert gateway for surveillance and manipulation. For administrators, incident responders and policy makers alike, the immediate takeaway is simple and urgent: assume compromise is possible, verify the integrity of IIS modules and binaries, and harden web-facing services with least privilege, segmentation and continuous monitoring. The internet’s plumbing can hide unexpected passages—closing them requires vigilance, timely information sharing, and a defense posture that treats web servers as the frontline assets they are.