Unlawful Gambling Enterprises Employ Cyber Attacks to Boost Google Search Results
In a recent discovery by ESET Research, a new cyber threat group known as GhostRedirector has been found to be manipulating Google search results to boost the online presence of offshore betting sites. This China-linked hacking group, identified in 2025, targets a wide range of industries, including education, healthcare, transportation, technology, and retail.
GhostRedirector's primary motive is not espionage but gaining access to vast amounts of web traffic. The malware, designed to avoid tipping off regular visitors, was found to have infected at least 65 Windows servers between December 2024 and June 2025.
After gaining access to systems, GhostRedirector deploys two custom programs: Rungan, a backdoor that runs commands on the compromised machines, and Gamshen, a malicious IIS module that tampers with search engine results. Gamshen modifies the content shown to Google's web crawler to artificially elevate the ranking of select gambling websites in search results.
The malware's resilience is due to the use of tools like EfsPotato and BadPotato for privilege escalation, and rogue administrator accounts for long-term control. Purging one access point may not entirely eject the hackers, allowing them to continue using compromised infrastructure.
The new exploit mirrors a similar cyberattack discovered in March, where a JavaScript hijack spread across thousands of legitimate websites worldwide. The primary victims of GhostRedirector were located in Brazil, Thailand, and Vietnam, but isolated cases were also found in the United States, Canada, India, the Netherlands, Finland, and Singapore.
It's important to note that GhostRedirector's tactics do not aim to deceive regular users, but rather expose them to unregulated gambling platforms. For an affected company, having its domain used for illegal gambling could result in blacklisting.
ESET Research warns that this new breed of cybercrime and gambling fraud could have potentially global consequences. As operators who cannot get licensed in regulated markets resort to black-hat tactics to achieve visibility, it's crucial for internet users to be vigilant and ensure they are accessing legitimate websites.
In the March attack, visitors were redirected to Chinese gambling portals, sometimes with branding from well-known operators like bet365. The link between the two episodes is clear, underscoring the need for continued vigilance in the digital landscape.