GhostRedirector Exploit Hijacks 65+ Windows Applications
Cybercriminals abuse trusted Windows executables to redirect users, spread malware, and harvest sensitive data.
A new malware campaign dubbed GhostRedirector has compromised more than 65 legitimate Windows applications, weaponizing them to redirect users to malicious websites. Security researchers warn the large-scale abuse of trusted executables marks a dangerous escalation in software supply-chain exploitation, potentially impacting millions of users worldwide.
A sweeping cyberattack leveraging GhostRedirector has hijacked more than 65 popular Windows applications, turning trusted software into malicious redirectors that funnel users toward phishing sites, malware downloads, and credential theft operations, researchers said Friday.
Cybersecurity firm Trend Micro first documented the GhostRedirector campaign, which exploits Windows’ application behavior to quietly manipulate how programs connect to the internet. By injecting rogue instructions into legitimate executables, attackers can bypass traditional defenses and redirect traffic without raising user suspicion.
The targeted apps span a wide range of categories, including system utilities, multimedia tools, and office software, making the threat both widespread and stealthy. Researchers estimate that hundreds of thousands of machines could already be exposed.
“This is not just another malware strain—it’s a systemic abuse of trust in core applications,” said Ryan Flores, a senior researcher at Trend Micro. “Once attackers insert GhostRedirector hooks, users may never realize their favorite apps are weaponized against them.”
Technical Analysis
The hallmark of GhostRedirector is its ability to exploit DLL search order hijacking and application shimming techniques, both of which abuse the way Windows loads libraries during runtime:
- DLL Search Order Hijacking: Attackers drop a malicious dynamic-link library (DLL) in the same folder as a legitimate application. When the program runs, Windows prioritizes the local DLL, unknowingly executing the attacker’s payload.
- Application Shimming: By crafting malicious “shim” layers, attackers can alter how apps interact with the operating system, redirecting traffic or injecting malicious code without breaking the app’s normal functions.
- Persistence Mechanisms: GhostRedirector uses registry key modifications and scheduled tasks to ensure its redirect instructions survive reboots and updates.
- Command-and-Control (C2): Once a hijacked app redirects to attacker-controlled domains, the system communicates with a C2 server. From there, attackers can deploy secondary payloads like info-stealers, ransomware loaders, or spyware.
Researchers noted that the malicious DLLs are often disguised with names nearly identical to the original system files, making manual detection extremely difficult.
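The DLL search-order abuse and the near-identical file naming described above can be hunted for from the defender's side. The following is an added example, not Trend Micro's or any vendor's tooling: it builds a constructed application folder in a temporary directory and flags any DLL whose name either collides with, or closely resembles, a protected system DLL name. The protected-name set here is a constructed subset (a real deployment would enumerate `%WINDIR%\System32` and the KnownDLLs registry key), and the 0.85 similarity threshold is an assumption chosen for this demonstration.

```python
"""Flag DLL search-order hijacking candidates in an application folder.

Added example (not code from the article or any vendor). Assumptions:
- PROTECTED_DLLS is a constructed subset of system DLL names; in practice
  enumerate %WINDIR%\\System32 and the KnownDLLs registry key instead.
- The demo folder is constructed in a temp directory so the script runs
  offline on any OS; point scan_app_folder() at a real install dir instead.
"""
import os
import tempfile
from difflib import SequenceMatcher

# Constructed subset of system DLL names (assumption; enumerate System32 in real use).
PROTECTED_DLLS = {
    "version.dll", "dbghelp.dll", "kernel32.dll",
    "ntdll.dll", "wininet.dll", "userenv.dll",
}

# Similarity at or above this ratio counts as a lookalike name (assumed threshold).
LOOKALIKE_THRESHOLD = 0.85


def name_similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two file names are (difflib, case-folded)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify_dll(file_name: str, protected=PROTECTED_DLLS,
                 threshold: float = LOOKALIKE_THRESHOLD):
    """Return 'collision', 'lookalike', or None for one file name.

    'collision'  - a DLL with exactly the name of a protected system DLL sits
                   in the application folder, where the loader finds it first.
    'lookalike'  - a DLL whose name nearly matches a protected name
                   (e.g. a digit '1' standing in for the letter 'l').
    """
    lower = file_name.lower()
    if not lower.endswith(".dll"):
        return None
    if lower in protected:
        return "collision"
    best = max(name_similarity(lower, p) for p in protected)
    return "lookalike" if best >= threshold else None


def scan_app_folder(folder: str):
    """Walk an application folder and return [(path, verdict)] for suspect DLLs."""
    findings = []
    for root, _dirs, files in os.walk(folder):
        for f in files:
            verdict = classify_dll(f)
            if verdict:
                findings.append((os.path.join(root, f), verdict))
    return sorted(findings)


def build_demo_folder() -> str:
    """Create a constructed application folder with benign and suspect files."""
    folder = tempfile.mkdtemp(prefix="ghostredirector_demo_")
    for name in ("app.exe", "myplugin.dll", "version.dll", "kerne132.dll", "README.txt"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"constructed placeholder content")
    return folder


def demo() -> dict:
    """Run the scan on the constructed folder; map file name -> verdict."""
    folder = build_demo_folder()
    return {os.path.basename(path): verdict for path, verdict in scan_app_folder(folder)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:<10} {name}")
```

A collision hit is the strongest signal: a legitimate application normally has no reason to ship its own copy of a DLL that Windows already provides from System32. Lookalike hits need a follow-up check of the file's digital signature and hash before any action, since the similarity score alone cannot distinguish a typo-named vendor library from a planted one.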
Impact & Response
The stealthy nature of GhostRedirector makes it particularly effective against enterprise networks:
- Phishing Campaigns: Redirected browsers load convincing login pages mimicking Microsoft 365, banking sites, and corporate portals.
- Malware Distribution: Users are tricked into downloading what appear to be updates, which are in fact droppers for ransomware or remote access trojans (RATs).
- Credential Harvesting: Once installed, the malware can extract stored credentials from browsers, email clients, and even VPN software.
Microsoft confirmed it is investigating, noting: “We strongly encourage customers to enable Defender for Endpoint advanced hunting queries and restrict the use of unsigned executables.”
- Ryan Flores, Trend Micro: “This is not just another malware strain—it’s a systemic abuse of trust in core applications.”
- Ciaran Martin, former head of the UK’s National Cyber Security Centre: “The exploitation of multiple widely-used apps is a classic supply-chain attack in miniature. The ripple effects could be profound.”
- El Mostafa Ouchen, cybersecurity expert and author of Mastering Kali Purple: “GhostRedirector shows that attackers are no longer focused only on vulnerabilities—they are hijacking functionality itself. Enterprises must implement behavioral anomaly detection and zero-trust execution policies to defend against such stealthy techniques.”
The attack echoes tactics from previous malware such as DLL SpyLoader and ShadowHammer, but at a much broader scale. Unlike traditional malware that infects via phishing emails or drive-by downloads, GhostRedirector piggybacks on the very executables users trust the most.
Security experts say this marks a dangerous evolution: while patch management addresses vulnerabilities, GhostRedirector proves attackers can weaponize functionality without relying on a CVE.
The GhostRedirector campaign illustrates a pivotal shift in attacker strategy: instead of exploiting flaws, they are exploiting trust. Experts believe this wave of attacks could accelerate global adoption of application allowlisting, endpoint monitoring, and AI-driven anomaly detection.
As Ouchen warned, “The battlefield has moved from patching vulnerabilities to monitoring behavior. The sooner enterprises accept that, the safer they’ll be.”
Sources:
This report is based on research published by Trend Micro, statements from Microsoft, and coverage by The Hacker News on the GhostRedirector campaign (September 2025).