September 8, 2025

Fact-checked by Angel Hristov

Illegal Gambling Operators Turn to Cyber Hacks to Climb Google Rankings

Recent research revealed how unregulated gambling platforms often resort to underhanded means to reach as many consumers as possible

The battle against unlicensed gambling has taken a new twist with the discovery of GhostRedirector, a China-linked hacking group using sophisticated malware to bolster the online presence of offshore betting sites. Cybersecurity company ESET Research drew attention to this threat in a new report, warning that this new breed of cybercrime and gambling fraud could have potentially global consequences.

The New Exploit Manipulates Google Search Results

ESET revealed that GhostRedirector infected at least 65 Windows servers between December 2024 and June 2025. While most victims were located in Brazil, Thailand, and Vietnam, the company also identified isolated cases in the United States, Canada, India, the Netherlands, Finland, and Singapore. Curiously, the group has targeted education, healthcare, transportation, technology, and retail rather than focusing on a single sector.

The observed patterns indicate that GhostRedirector’s primary motive was not espionage but rather gaining access to vast amounts of web traffic. The mechanics, while straightforward, are shockingly effective. After gaining access to systems, often through SQL injection vulnerabilities, attackers deploy two custom programs: Rungan, a backdoor that runs commands on the compromised machines, and Gamshen, a malicious IIS module that tampers with what search engines see.

Unlike ransomware or phishing attacks, Gamshen does not aim to fool regular users. Instead, it modifies the content shown to Google’s web crawler. GhostRedirector utilizes this mode of attack to bolster the ranking of select gambling websites, artificially elevating them higher in search results and exposing unsuspecting users to unregulated platforms. 

The Malicious Software Is Resilient and Difficult to Detect

Although regular users will likely never notice the injected code, the fact that a company’s domain becomes a vehicle for illegal gambling undermines its credibility and could result in blacklisting. ESET researcher Fernando Tavella, who made the discovery, noted that the malware cleverly avoids tipping off regular visitors to the affected websites, making it significantly more challenging to detect.

Gamshen only modifies the response when the request comes from Googlebot. It does not serve malicious content or otherwise affect regular visitors to the websites.

Fernando Tavella, ESET researcher
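
Site owners can look for this kind of crawler-only content by requesting the same page twice, once with a browser User-Agent and once with Googlebot's, and comparing which external hosts each response links to. The Python below is an added example, not code from ESET or this article; it assumes the cloaking keys on the User-Agent header, and the sample HTML and host names are constructed.

```python
import re
from urllib.parse import urlparse
from urllib.request import Request, urlopen

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Absolute URLs in href/src attributes (quoted or unquoted).
LINK_RE = re.compile(r'''(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)''', re.I)

def external_hosts(html, own_host):
    """Hosts linked from the page that are not the site or its subdomains."""
    hosts = set()
    for url in LINK_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return hosts

def crawler_only_hosts(browser_html, crawler_html, own_host):
    """External hosts present only in the response served to the crawler UA."""
    own_host = own_host.lower()
    seen_by_users = external_hosts(browser_html, own_host)
    seen_by_crawler = external_hosts(crawler_html, own_host)
    return sorted(seen_by_crawler - seen_by_users)

def fetch(url, user_agent, timeout=10):
    """Fetch a page with the given User-Agent header."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    """Live check against a site you operate; needs network access."""
    host = urlparse(url).hostname
    return crawler_only_hosts(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), host)

# Constructed sample responses for an imaginary site "shop.example".
SAMPLE_BROWSER = ('<script src="https://cdn.shop.example/app.js"></script>'
                  '<link href="https://fonts.example.org/a.css">')
SAMPLE_CRAWLER = SAMPLE_BROWSER + '<a href="https://casino-promo.example/win">bonus</a>'

if __name__ == "__main__":
    print(crawler_only_hosts(SAMPLE_BROWSER, SAMPLE_CRAWLER, "shop.example"))
```

A non-empty result is a lead for review rather than proof of compromise, since ad rotation and other dynamic content can also make the two responses differ.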

The group’s arsenal extends beyond Gamshen. Tools like EfsPotato and BadPotato allow attackers to escalate privileges, while rogue administrator accounts ensure long-term control. According to Tavella, GhostRedirector boasts impressive persistence, layering itself across multiple access points so that purging one may not entirely eject the hackers, allowing them to continue using compromised infrastructure as springboards.

This new threat mirrors a similar cyberattack discovered in March, when a JavaScript hijack spread across thousands of legitimate websites worldwide. The attack redirected visitors to Chinese gambling portals, sometimes dressed up with branding from well-known operators like bet365. The link between the two episodes is clear, as operators who cannot get licensed in regulated markets resort to black-hat tactics to achieve visibility. 

Deyan is an experienced writer, analyst, and seeker of forbidden lore. He has approximate knowledge about many things, which he is always willing to apply when researching and preparing his articles. With a degree in Copy-editing and Proofreading, Deyan is able to ensure that his work writing for Gambling News is always up to scratch.
