Posts

Showing posts from September, 2025

GhostRedirector: 65+ Windows Servers Compromised to Run SEO-Fraud IIS Malware

ESET uncovered a new threat cluster dubbed GhostRedirector that compromised at least 65 Windows servers (mainly in Brazil, Thailand, and Vietnam) to install a passive C++ backdoor (“Rungan”) and a malicious IIS module (“Gamshen”). The goal wasn’t ransomware—it was SEO fraud as-a-service: the IIS module quietly altered HTTP responses only for Googlebot, creating artificial backlinks to boost third-party (likely gambling) sites. Initial access likely came from SQL injection, followed by PowerShell-delivered tools, local privilege escalation using BadPotato/EfsPotato, and creation of rogue admin users for persistence. ESET assesses with medium confidence that the actor is China-aligned (hard-coded Chinese strings, China code-signing cert, “huang” password).

What happened (Key Points)

Scope: ≥65 Windows servers compromised; victims span education, healthcare, insurance, transport, tech, retail; activity seen since Aug–Dec 2024 and measured in June 2025 scans.

Malware duo: Ru...

Firmware Intrusion & Espionage: Dual Waves by Islamist Hacktivists and APT28 Targeting Global Logistics Networks

Summary of the Attack: On July 20, 2025, security researchers uncovered a coordinated two-pronged cyber campaign. One wave was attributed to pro-Islamist hacktivist collectives—Cyber Jihad Movement (CJM), Muslim Cyber Hacktivity (MCH), Anonymous Muslim Unity (AMU), and the Allied Muslim Hacktivist Coalition (AMHC)—launching public, disruptive operations. Simultaneously, the sophisticated nation-state actor APT28 (Fancy Bear) carried out stealthy espionage targeting logistics companies across NATO-allied states. Though seemingly separate, forensic clues suggest both waves exploited similar router and SaaS access vulnerabilities.

Artifacts Discovered:

Modified router firmware packages—bearing Islamic slogans and subtle malicious payloads within the bootloader region (CJM wave).

SNMP logs showing exploitation of CVE-2017-6742 in Cisco devices and compromised Ubiquiti EdgeRouters (APT28 wave).

Email mailbox permission alterations (e.g., Exchange and...