Security researchers have uncovered a sophisticated cyberattack campaign where Chinese threat actors are exploiting web applications using an innovative log poisoning technique to deploy web shells and subsequently weaponize Nezha, a legitimate server monitoring tool, for malicious command execution.
Creative Attack Methodology Discovered
Beginning in August 2025, cybersecurity firm Huntress identified an intrusion where attackers employed log poisoning to plant a China Chopper web shell on vulnerable web servers.
This technique represents a creative approach to gaining initial access, allowing threat actors to control compromised systems using AntSword before deploying Nezha for persistent command execution capabilities.
The attack chain begins with exploiting vulnerable phpMyAdmin panels that lack proper authentication mechanisms.
Threat actors immediately set the language to simplified Chinese upon accessing these administrative interfaces, indicating the likely origin of the attackers.
Within 30 seconds of language configuration, attackers proceed to execute SQL commands designed to enable general query logging and deploy their web shell payload.
The log poisoning technique involves manipulating MariaDB’s general logging functionality to write malicious PHP code directly into log files with executable extensions.
By setting the log file name to include a .php extension and placing it within the web server’s accessible directory structure, attackers effectively hide their web shell among legitimate log entries while maintaining remote access capabilities.
Following successful web shell deployment, threat actors download and install Nezha agents on compromised systems.
Nezha, marketed as a lightweight open-source server monitoring and task management tool, provides legitimate functionality for system administration but has been repurposed by threat actors for malicious command execution and persistent access.
Analysis reveals that attackers configured their Nezha dashboard in Russian language settings while managing over 100 compromised victim machines across multiple geographic regions, with Taiwan, Japan, South Korea, and Hong Kong showing the highest concentration of affected systems.
Investigation of the threat actor’s infrastructure revealed suspicious autonomous system registrations and domain generation algorithms consistent with advanced persistent threat operations.
The attackers utilized cloud-based infrastructure spanning multiple providers, including AWS-hosted IP addresses in Hong Kong and virtual private servers in Dublin, demonstrating sophisticated operational security practices.
The campaign demonstrates how threat actors increasingly abuse publicly available tools to achieve their objectives while maintaining plausible deniability compared to custom malware development.
The low research costs, reduced detection probability, and legitimate tool appearance make this approach particularly attractive for sustained operations.
Organizations should also consider implementing network segmentation and monitoring solutions capable of detecting suspicious administrative tool usage patterns.
The following table contains comprehensive indicators of compromise associated with the Chinese threat actor campaign utilizing Nezha monitoring tools for malicious command execution on web servers.
| Category | Item | Type | Description |
| Files | C:xampphtdocs123.php | File Path | Web shell file location |
| Files | f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16 | SHA256 Hash | Web shell file hash |
| Files | https://rism.pages[.]dev/microsoft.exe | Download URL | Nezha Agent download source |
| Files | C:WindowsCursorslive.exe | File Path | Downloaded Nezha Agent executable |
| Files | 9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6 | SHA256 Hash | Nezha Agent file hash |
| Files | C:WindowsCursorsx.exe | File Path | Ghost RAT payload file |
| Files | 7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958 | SHA256 Hash | Ghost RAT payload hash |
| Files | C:Windowssystem32SQLlite.exe | File Path | Renamed rundll32.exe for persistence |
| Files | 82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999 | SHA256 Hash | Renamed rundll32.exe hash |
| Files | C:Windowssystem3232138546.dll | File Path | Malicious DLL component |
| Infrastructure | 54.46.50[.]255 | IP Address | Initial access IP address |
| Infrastructure | 45.207.220[.]12 | IP Address | Web shell C2 operator IP |
| Infrastructure | c.mid[.]al | Domain | Nezha C2 domain |
| Infrastructure | 172.245.52[.]169 | IP Address | Nezha C2 IP address |
| Infrastructure | gd.bj2[.]xyz | Domain | Backdoor C2 domain |
| Miscellaneous | SQLlite | Service Name | Persistence service identifier |
| Miscellaneous | gd.bj2[.]xyz:53762:SQLlite | Mutex | Infect |
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
