ESET Research has discovered a new Chinese hacker group. The group, dubbed “GhostRedirector,” has already compromised 65 Windows servers with unique malware. So far, Europe has been spared. GhostRedirector targets companies in the Americas and Southeast Asia and uses advanced backdoors to maintain access.
GhostRedirector shows remarkable determination by implementing multiple access methods. In addition to their own tools, they use publicly known exploits such as EfsPotato and BadPotato to create privileged user accounts. These serve as a backup option for when their primary backdoors are discovered.
“GhostRedirector demonstrates persistence and operational resilience by placing multiple remote access tools on compromised servers,” explains ESET researcher Fernando Tavella. The group also creates fake user accounts to maintain long-term access to compromised infrastructure.
New threat from China
ESET cyber researchers have uncovered a previously unknown Chinese hacker group that has compromised at least 65 Windows servers worldwide. The group, dubbed “GhostRedirector” by ESET, mainly attacked companies in Brazil, Thailand, Vietnam, and the United States.
The attackers use two custom-made tools: Rungan, a passive C++ backdoor, and Gamshen, a malicious Internet Information Services (IIS) module. The latter has a remarkable feature: it performs SEO fraud by manipulating Google search engine results.
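The two persistence techniques the article names (a malicious native IIS module, and privileged fallback accounts created with EfsPotato/BadPotato) can both be triaged from the server itself. The script below is an added defender-side example, not code from ESET or from the report; it assumes the WebAdministration module is available, that it runs with local administrator rights, and that Security auditing for account management is enabled.

```powershell
# Added example: triage an IIS host for the two GhostRedirector persistence
# techniques described in the article. Assumes WebAdministration (IIS 7+) and
# local admin rights; no detection logic here comes from ESET's report.
Import-Module WebAdministration -ErrorAction Stop

# 1. Native IIS modules. Gamshen is described as a malicious IIS module, so
#    list every registered native module with the signature state of its DLL.
$modules = Get-WebGlobalModule | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables($_.Image)
    $exists = Test-Path -LiteralPath $path
    $sig = $null
    if ($exists) { $sig = Get-AuthenticodeSignature -FilePath $path }
    $status = 'FileMissing'; $signer = ''
    if ($sig) { $status = $sig.Status; if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject } }
    [pscustomobject]@{ Module = $_.Name; Image = $path; Exists = $exists; SigStatus = $status; Signer = $signer }
}
# Flag modules that are not validly Microsoft-signed or live outside inetsrv.
$suspectModules = $modules | Where-Object {
    $_.SigStatus -ne 'Valid' -or
    $_.Signer -notmatch 'O=Microsoft Corporation' -or
    $_.Image -notlike "$env:windir\System32\inetsrv\*"
}
"== Native IIS modules needing review =="
$suspectModules | Format-Table -AutoSize

# 2. Fallback accounts. The group creates privileged users as a backup for its
#    backdoors. Show current Administrators membership and correlate it with
#    Security events 4720 (user created) and 4732 (member added to local group)
#    from the campaign window the article gives (activity from December 2024).
$since = Get-Date '2024-12-01'
"== Current local Administrators =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource | Format-Table -AutoSize

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    # 4720: TargetUserName is the new account. 4732: TargetUserName is the group,
    # MemberSid the account that was added; SubjectUserName is who did it.
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Target = $d['TargetUserName']
                       MemberSid = $d['MemberSid']; Actor = $d['SubjectUserName'] }
}
"== Account creation / group-add events since $($since.ToShortDateString()) =="
$events | Sort-Object Time | Format-Table -AutoSize
```

Accounts that appear in 4720/4732 events but were not provisioned by your normal process, and IIS modules whose DLL is unsigned or sits outside inetsrv, are the items to investigate further.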
Ongoing campaign since December
ESET’s telemetry shows that GhostRedirector was active between December 2024 and April 2025. An internet scan in June revealed even more victims. The group does not seem to target one specific sector, but attacks organizations in education, healthcare, insurance, transportation, technology, and retail.
ESET has informed all identified victims about the compromise and offers mitigation recommendations in a comprehensive white paper.