National authorities and IT securities in South America and Asia have been alerted to a new sophisticated criminal scheme that has compromised Windows servers to promote illegal gambling websites.

The scheme that has targeted audiences in Brazil, Vietnam, Thailand and parts of the US has been uncovered by online security agency ESET Research, experts in software vulnerabilities.

The scam was branded ‘GhostRedirector’ by ESET Research, who highlighted that criminals used a mesh of dark SEO tactics, malware and installing ghost software to manipulate users search algorithms and drive unsuspecting users toward illegal betting and casino platforms.

ESET’s investigation, published via its WeLiveSecurity portal, describes the operation as a “SEO fraud-as-a-service” model, in which cybercriminals leverage compromised Windows servers to inject hidden content into websites, redirect traffic, and elevate the search ranking of gambling domains without users’ knowledge.

“Victims are spread across multiple sectors—insurance, healthcare, retail, transport, technology, and education,” the ESET team explained. “We believe GhostRedirector aimed to impact users in South America and South Asia most heavily.”

Exploiting Google’s AI Shift

At the core of the attack is a malware module dubbed Gamshen, which manipulates Google’s indexing mechanisms to artificially boost the visibility of predefined websites, almost all of which are tied to unlicensed gambling and online casino activity.

The system preys on the growing complexity of Google’s search experience—particularly its move toward AI-generated summaries and natural language responses. The report suggests this transition creates vulnerabilities, as AI-generated results may be more easily gamed by embedded, malicious SEO tactics.

“When users search popular topics, they can be invisibly redirected to illegal gambling sites,” the report warned. “They might not even realise what triggered the redirection.”

The threat is twofold: it undermines the integrity of search engines and exposes users to security risks, scams, and privacy breaches, while also giving unlicensed operators a significant visibility advantage over regulated brands.

Ghost listings and Long-Tail Operation

ESET researchers noted the technical sophistication of the operation. In addition to redirection, GhostRedirector leverages a network of compromised servers to host and propagate the attack, making it resilient and difficult to dismantle.

The team emphasised that known Windows vulnerabilities were exploited to install multiple backdoors, giving attackers remote control over infected systems.

The infrastructure appears to be long-term and well-funded, with experts suggesting the campaign has been in operation for months, possibly years.

“It’s not just a one-off exploit,” one researcher stated. “It reflects a structured criminal enterprise with high levels of persistence and adaptability.”

Defensive Measures Recommended

ESET has called on IT administrators to strengthen cybersecurity on Windows servers, apply regular patch updates, monitor traffic and log anomalies, and deploy advanced backdoor detection systems.

End-users, particularly those active on betting platforms, are encouraged to remain vigilant for unexpected redirects and to use script blockers or browser security tools.

“We’re entering an era where search manipulation can be automated at scale,” concluded ESET. “Without proper defences, both users and regulators risk being outpaced by criminal innovation.”

The emergence of GhostRedirector raises new alarms for regulators in emerging markets, particularly Brazil, where illegal operators have long posed a challenge to market integrity and player protection.

As Brazil moves forward with its regulated betting framework, stakeholders have urged for enhanced cooperation between technology platforms, national cybersecurity agencies, and gambling regulators to safeguard the online ecosystem.

For licensed operators, the scheme represents a new frontier in black-market promotion—one that bypasses traditional affiliate networks and leverages malicious code and hijacked infrastructure.