@SecureOwl at least it was an attack and no AI-Research-Project #eset
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes
ESET researchers have identified a new threat actor named GhostRedirector that has compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam. The actor utilizes two previously undocumented tools: a passive C++ backdoor called Rungan and a malicious Internet Information Services (IIS) module named Gamshen. While Rungan can execute commands on compromised servers, Gamshen's purpose is to manipulate search engine results, boosting the page ranking of configured target websites. The attacks appear to be opportunistic rather than targeting specific entities. GhostRedirector also employs public exploits like EfsPotato and BadPotato for privilege escalation. Based on various factors, including the use of Chinese strings and a Chinese code-signing certificate, ESET believes with medium confidence that GhostRedirector is a China-aligned threat actor.
Pulse ID: 68be866a4aa60fd497b3a8d7
Pulse Link: https://otx.alienvault.com/pulse/68be866a4aa60fd497b3a8d7
Pulse Author: AlienVault
Created: 2025-09-08 07:31:54
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes
ESET researchers have identified a new threat actor, GhostRedirector, targeting Windows servers with custom tools. The group has compromised at least 65 servers, mainly in Brazil, Thailand, and Vietnam, across various sectors. Their arsenal includes Rungan, a passive C++ backdoor, and Gamshen, a malicious IIS module for SEO fraud. GhostRedirector also uses public exploits for privilege escalation and creates rogue user accounts to maintain access. The attacks aim to manipulate Google search results, promoting gambling websites through shady SEO techniques. Evidence suggests GhostRedirector is a China-aligned actor, active since at least August 2024. The campaign demonstrates sophisticated tactics for server compromise and long-term access maintenance.
Pulse ID: 68ba2380ae861d314e902af1
Pulse Link: https://otx.alienvault.com/pulse/68ba2380ae861d314e902af1
Pulse Author: AlienVault
Created: 2025-09-04 23:40:48
For now it is a proof of concept, but we will see what the future brings.
Sources:
https://zurl.co/gsZXI
https://zurl.co/M7ayX
#cyberbezpieczeństwo #eset #ransomware #promptlock
New threat group uses custom tools to hijack search results https://www.helpnetsecurity.com/2025/09/04/ghostredirector-seo-fraud-threat-group/ #cybercrime #threats #China #News #ESET
First AI-Powered Ransomware PromptLock Targets Windows, Linux and macOS https://hackread.com/first-ai-promptlock-ransomware-windows-linux-macos/ #ArtificialIntelligence #Ransomware #Security #ChatGPT #Windows #OpenAI #Linux #macOS #eset #AI
Agentic AI coding assistant helped attacker breach, extort 17 distinct organizations https://www.helpnetsecurity.com/2025/08/28/agentic-ai-malicious-use/ #Artificialintelligence #cybercriminals #NorthKorea #Don'tmiss #Anthropic #datatheft #extortion #Hotstuff #News #ESET #LLMs #APT
First AI-Powered Ransomware PromptLock Targets Windows, Linux and macOS – Source:hackread.com https://ciso2ciso.com/first-ai-powered-ransomware-promptlock-targets-windows-linux-and-macos-sourcehackread-com/ #1CyberSecurityNewsPost #artificialintelligence #CyberSecurityNews #Ransomware #Hackread #security #Chatgpt #Windows #OpenAI #Linux #macOS #eset #AI
PromptLock: First AI-powered ransomware discovered
#Cyberangriffe #Anthropic #Eset #OpenAIModell #PromptLock #Ransomware #VirusTotal https://sc.tarnkappe.info/956e2c
Fake macOS help sites push Shamos infostealer via ClickFix technique https://www.helpnetsecurity.com/2025/08/25/fake-macos-help-sites-push-shamos-infostealer-via-clickfix-technique/ #socialengineering #malvertising #CrowdStrike #CheckPoint #Don'tmiss #Microsoft #Hotstuff #malware #macOS #News #ESET
WinRAR, another zero-day vulnerability discovered by ESET
https://gomoot.com/winrar-altra-vulnerabilita-zero-day-scoperta-da-eset/
WinRAR zero-day was exploited by two threat actors (CVE-2025-8088) https://www.helpnetsecurity.com/2025/08/12/winrar-zero-day-cve-2025-8088-attacks/ #RussianFederation #cyberespionage #spearphishing #Don'tmiss #Hotstuff #backdoor #BI.ZONE #exploit #Canada #Europe #WinRAR #0-day #News #ESET #APT
WinRAR zero day exploited by RomCom hackers in targeted attacks https://www.helpnetsecurity.com/2025/08/11/winrar-zero-day-cve-2025-8088/ #cybersecurity #vulnerability #backdoor #software #WinRAR #News #ESET #CVE
WinRAR Zero-Day CVE-2025-8088 Exploited to Spread RomCom Malware https://hackread.com/winrar-zero-day-cve-2025-8088-spread-romcom-malware/ #Cybersecurity #Vulnerability #CyberAttack #Security #Malware #RomCom #Russia #WinRAR #0day #eset
WinRAR Zero-Day CVE-2025-8088 Exploited to Spread RomCom Malware – Source:hackread.com https://ciso2ciso.com/winrar-zero-day-cve-2025-8088-exploited-to-spread-romcom-malware-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #CyberAttack #Hackread #security #malware #RomCom #Russia #WinRAR #0day #eset
For some time now I've been pondering the notion of ridding myself of #Microsoft anything in my life but comfort and familiarity kept me from doing so.
Thankfully the company has been making strides in feeding my hatred for them: constantly bothering me with features I don't want/need, pushing their craptastic stochastic parrot tools into everything so that not even Notepad is safe from it, making it hard to do simple things like logins because I refuse to use Authenticator or Outlook, burning boatloads of money on dumb stuff whilst firing their employees, wasting tons of energy and water to fuel their parrot's lies whilst stealing the works of authors, artists and many more to train the parrot's limited capabilities to deceive, lie and make shit up.
Anyways, so my two daily drivers are a couple of #Asus machines, a venerable 2-in-1 and a more recent Vivobook. The old gal was barely running Windows 10 and the new one was constantly dealing with Windows 11 crappiness. The keyword, or tense, being "was". They are both now running #linux - #endeavouros to be precise.
Have canceled my #eset license since I won't be needing it anymore and the #office365 as well.
So long Microsoft.
@sidalsolgun @daniel1820815 personally, if you actually want/need some "#Antivirus" on #Linux, consider #ESET's offering...
https://help.eset.com/eeau/12/en-US/
https://www.eset.com/us/business/download/endpoint-antivirus-linux/
Personally, I consider Antivirus on Linux as #bloatware outside of #Fileserver and #eMail systems, but that's because I act as "#BenevolentDictator" and ban users from using external drives.
So the tolerance for violations is near zero, and proven willful infractions of ITsec rules range from getting fired to jail time in many situations.
#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025