GhostRedirector

Also known as: GhostRedirector

Origin
CN
Known aliases
1

Profile

GhostRedirector is a China-aligned threat actor that has compromised at least 65 Windows servers across various sectors, primarily in Brazil, Thailand, and Vietnam. It employs a passive C++ backdoor named Rungan and a malicious IIS module called Gamshen to maintain persistent access and manipulate search engine results for SEO fraud. The actor utilizes public exploits like EfsPotato and BadPotato for privilege escalation and abuses code-signing certificates to evade detection. GhostRedirector's operations involve installing remote access tools, creating rogue administrator accounts, and leveraging SQL injection vulnerabilities to execute PowerShell for downloading malicious payloads.
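The two persistence mechanisms described above (a native IIS module loaded into the web server, and rogue local administrator accounts) are both cheap to hunt for on a suspect host. The script below is an added triage example, not code from ESET or the page: it reads applicationHost.config, checks the Authenticode signature and signer of every native module, lists the local Administrators group, and pulls recent account creations from Security event 4720. The config path, the 30-day window and the "signed by Microsoft" baseline are assumptions; a module signed with a stolen or purchased certificate passes a plain validity check, which is why the signer subject is reported and not just the status.

```powershell
# Added hunt script (not from the page or from ESET). Run elevated, in 64-bit
# PowerShell, on the IIS host. Paths, window and signer baseline are assumptions.

$configPath = Join-Path $env:SystemRoot 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -Path $configPath -Raw

# <globalModules> lists every native (DLL) module that w3wp.exe will load.
$moduleReport = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    $imagePath = [Environment]::ExpandEnvironmentVariables($module.image)
    if (-not (Test-Path -Path $imagePath)) {
        Write-Warning "$($module.name): image missing at $imagePath"
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $imagePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # Flag anything not validly signed by Microsoft; a valid third-party
    # signature is still reported so the analyst sees who signed it.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    [pscustomobject]@{
        Module     = $module.name
        Image      = $imagePath
        SigStatus  = $sig.Status
        Signer     = $signer
        Suspicious = $suspicious
    }
}
$moduleReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Rogue administrator accounts: who is in the local Administrators group right now.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Accounts created recently (Security event 4720). 30 days is an assumed window.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created   = $_.TimeCreated
            NewUser   = $_.Properties[0].Value   # TargetUserName
            CreatedBy = $_.Properties[4].Value   # SubjectUserName
        }
    } | Format-Table -AutoSize
```

Review any module marked Suspicious together with its signer before acting: a legitimately licensed third-party module will also show up, so the list is a starting point for verification against the server's change records, not a verdict. If the Security log has been cleared or rotated, the 4720 query returns nothing, which is itself worth noting.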

Aliases (1)

GhostRedirector

References

  1. https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - GhostEmperor (Actor)
  - GhostR (Actor)
  - DragonRank (Actor)
  - UAT-8099 (Actor)
  - BatShadow (Actor)
  - Red Menshen (Actor)
Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.