Illegal Gambling Operators Exploit Cyber Hacks to Boost Google Rankings

September 8, 2025

Introduction to the New Threat

Unlicensed gambling websites are escalating their tactics by employing cyber hacks to improve their visibility on search engines. A hacking group linked to China, known as GhostRedirector, has been identified using advanced malware to artificially enhance the Google search rankings of offshore betting platforms. This alarming development, highlighted in a recent report by cybersecurity firm ESET Research, poses a significant risk on a global scale due to its deceptive and fraudulent nature.

How GhostRedirector Manipulates Search Results

Between December 2024 and June 2025, GhostRedirector compromised at least 65 Windows servers across various countries, predominantly in Brazil, Thailand, and Vietnam, with additional cases reported in the United States, Canada, India, the Netherlands, Finland, and Singapore. Rather than focusing on a specific industry, the attackers hit a wide range of sectors, including education, healthcare, transportation, technology, and retail.

Unlike typical espionage operations, the group’s main objective is to capture large volumes of web traffic. They exploit vulnerabilities, particularly SQL injection flaws, to install two custom tools on the infected systems: Rungan, a backdoor program that executes commands, and Gamshen, a malicious module that alters the responses served to search engines.

Gamshen works by serving altered content only to Google’s web crawler, leaving what regular users see unchanged. This method enables the group to elevate the rankings of chosen gambling websites in Google search results, thereby directing unsuspecting users to these unregulated platforms.
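One way a site owner can check for the crawler-only content described above, as an added example (not ESET's tooling or code from the report): it compares the external hosts linked in the copy served to a browser with those in the copy served to a Googlebot User-Agent. The function names, sample HTML and hostnames are constructed, and it assumes the altered response is keyed on the User-Agent header, which the article does not state.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0"

class _HostCollector(HTMLParser):
    """Collects the hostname of every absolute href/src attribute."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                try:
                    host = urlparse(value).hostname
                except ValueError:  # malformed URL in markup
                    continue
                if host:
                    self.hosts.add(host.lower())

def external_hosts(html, own_host):
    """Hosts referenced by the page that are not the site or its subdomains."""
    collector = _HostCollector()
    collector.feed(html)
    return {h for h in collector.hosts
            if h != own_host and not h.endswith("." + own_host)}

def crawler_only_hosts(browser_html, crawler_html, own_host):
    """External hosts present only in the copy served to the crawler UA."""
    return sorted(external_hosts(crawler_html, own_host)
                  - external_hosts(browser_html, own_host))

def fetch(url, user_agent, timeout=10):
    """Fetch a page on a server you administer with the given User-Agent."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample responses for a hypothetical site, school.example.
SAMPLE_BROWSER = ('<html><head><link href="https://static.school.example/s.css">'
                  '<link href="https://fonts.example.net/f.css"></head>'
                  '<body><a href="/courses">Courses</a></body></html>')
SAMPLE_CRAWLER = SAMPLE_BROWSER.replace(
    "</body>", '<a href="https://bet.example.invalid/promo">bonus</a></body>')

if __name__ == "__main__":
    print(crawler_only_hosts(SAMPLE_BROWSER, SAMPLE_CRAWLER, "school.example"))
```

Against a live site, pass `fetch(url, BROWSER_UA)` and `fetch(url, GOOGLEBOT_UA)` as the two bodies. A clean result from a spoofed User-Agent is not conclusive if the module also checks the crawler's source address; the URL Inspection tool in Google Search Console shows what the real Googlebot receives.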

Stealth and Persistence of the Malicious Software

The malware’s design ensures it remains undetected by ordinary website visitors, preserving the site’s normal appearance while covertly facilitating illicit gambling operations. This tactic not only damages the website’s reputation but also risks blacklisting by search engines, impacting legitimate traffic and credibility.

Fernando Tavella, a researcher at ESET, explains that Gamshen exclusively modifies responses to requests from Googlebot, leaving the user experience unchanged for typical site visitors. In addition to Gamshen, the attackers utilize other tools like EfsPotato and BadPotato to escalate privileges, creating rogue administrator accounts to maintain prolonged control over compromised systems.

The GhostRedirector group employs a layered persistence strategy, establishing multiple entry points so that removing one does not fully eliminate their access. This continued foothold allows them to use the hijacked infrastructure as a launching pad for further exploitation.

Context and Related Incidents

This cyber threat echoes a previous attack discovered in March, in which a JavaScript hijack infected thousands of legitimate websites globally. That attack redirected users to Chinese gambling portals, which were sometimes disguised with popular operator branding like bet365. These examples illustrate how operators who fail to secure legal licenses in regulated markets often turn to unethical and illegal practices to gain online exposure.