A sophisticated cyberattack campaign, active since August 2025, has seen a China-nexus threat actor weaponizing a legitimate server operations tool called Nezha to execute commands and deploy malware on compromised web servers.
This campaign, uncovered by Huntress, represents the first publicly reported instance of Nezha being abused in this manner, highlighting a tactical shift towards leveraging open-source tools to evade detection.
The attackers employed a creative log poisoning technique to gain initial access before deploying the notorious Ghost RAT, primarily targeting entities in Taiwan, Japan, South Korea, and Hong Kong.
The intrusion began with the exploitation of a vulnerable, public-facing phpMyAdmin panel that lacked proper authentication. After gaining access from an AWS-hosted IP in Hong Kong, the attackers immediately set the interface language to simplified Chinese.
They then used an inventive technique known as log poisoning to plant a web shell. By manipulating MariaDB’s logging functions, the threat actor pointed the general log file at a PHP file within the webroot.
They then executed an SQL query containing a one-liner PHP web shell; because every query is written verbatim to the general log, this placed their backdoor inside a file the web server would execute as PHP.

This method allowed them to execute arbitrary code on the server using tools like AntSword, which are designed to manage such backdoors.
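The log-poisoning sequence above leaves a distinctive trail in the database's own query history: a SET statement repointing general_log_file at a web-served path, a SET turning the general log on, and a query whose text contains a PHP open tag. The following detection script is an added example, not code from Huntress or from the article; it parses constructed MariaDB general-log lines (the format and the path C:/www/htdocs are assumed) and also offers a preventive check over the values returned by SHOW VARIABLES LIKE 'general_log%'.

```python
import re
from dataclasses import dataclass

# Added example, not part of the Huntress report or this article.
# Scans SQL statements (e.g. from a MariaDB/MySQL general log or audit-plugin
# output) for the log-poisoning sequence: general_log_file repointed to a
# web-executable path, general_log switched on, and PHP code passed as query text.

# File extensions a web server would execute rather than serve as text.
WEB_EXTENSIONS = (".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx")

SET_LOG_FILE = re.compile(
    r"SET\s+(?:GLOBAL\s+|SESSION\s+)?general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
SET_LOG_ON = re.compile(
    r"SET\s+(?:GLOBAL\s+)?general_log\s*=\s*(?:['\"]?ON['\"]?|1)(?!\w)", re.I)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)


@dataclass
class Finding:
    line_no: int
    reason: str
    statement: str


def _is_web_path(path, webroots):
    """True if path has a web-executable extension or lies under a known webroot."""
    p = path.replace("\\", "/").lower()
    if p.endswith(WEB_EXTENSIONS):
        return True
    for root in webroots:
        r = root.replace("\\", "/").lower().rstrip("/")
        if p.startswith(r + "/"):
            return True
    return False


def detect_log_poisoning(sql_lines, webroots=()):
    """Return a Finding for each statement that contributes to log poisoning."""
    findings = []
    poisoned_target = None  # set while general_log_file points at a web-executable path
    for n, line in enumerate(sql_lines, 1):
        m = SET_LOG_FILE.search(line)
        if m:
            target = m.group(1).strip()
            if _is_web_path(target, webroots):
                poisoned_target = target
                findings.append(Finding(
                    n, f"general_log_file repointed to web-executable path {target}", line.strip()))
            else:
                poisoned_target = None  # log moved back to a harmless location
            continue
        if SET_LOG_ON.search(line) and poisoned_target:
            findings.append(Finding(
                n, f"general_log enabled while logging into {poisoned_target}", line.strip()))
            continue
        if PHP_TAG.search(line):
            findings.append(Finding(
                n, "PHP open tag inside SQL text (would be written verbatim to the log)", line.strip()))
    return findings


def check_server_variables(variables, webroots=()):
    """Preventive check over a dict built from SHOW VARIABLES LIKE 'general_log%'."""
    issues = []
    target = variables.get("general_log_file", "")
    if _is_web_path(target, webroots):
        issues.append(f"general_log_file points into a web-served location: {target}")
        if variables.get("general_log", "OFF").upper() == "ON":
            issues.append("general_log is ON: every query is being written to that file")
    return issues


# Constructed sample general-log lines (timestamps, connection id and paths are made up).
SAMPLE_GENERAL_LOG = """\
251003 14:21:07     12 Connect  root@localhost on  using TCP/IP
251003 14:21:09     12 Query    SHOW VARIABLES LIKE 'general_log%'
251003 14:21:15     12 Query    SET GLOBAL general_log_file = 'C:/www/htdocs/123.php'
251003 14:21:16     12 Query    SET GLOBAL general_log = 'ON'
251003 14:21:20     12 Query    SELECT '<?php /* constructed placeholder, not a real shell */ ?>'
251003 14:25:00     13 Query    SELECT id, name FROM customers WHERE id = 42
""".splitlines()

if __name__ == "__main__":
    for f in detect_log_poisoning(SAMPLE_GENERAL_LOG, webroots=["C:/www/htdocs"]):
        print(f"line {f.line_no}: {f.reason}")
```

The stateful check matters: enabling general_log is routine on its own, so the script only flags it once the log file has been redirected somewhere the web server would execute. The preventive check is the one to run on a schedule, since the fix is simply to keep general_log_file outside every webroot (and the panel behind authentication).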
After establishing control with the web shell, the adversary’s primary objective was to deploy a more persistent and versatile tool. They used the AntSword connection to download and execute live.exe, an installer for a Nezha agent.
Nezha is a legitimate, open-source tool for server monitoring and task management. However, in this case, it was repurposed as a malicious implant.
The agent’s configuration file pointed to the attacker’s command-and-control (C2) server, which was running a Nezha dashboard, Huntress said.
This dashboard, set to the Russian language, revealed the attackers had compromised over 100 victim machines across 53 regions, with a significant concentration in East Asia, aligning with China’s geopolitical interests.

With the Nezha agent providing stable and stealthy access, the attackers escalated their privileges. They used Nezha’s command execution capabilities to launch an interactive PowerShell session, where they created an exclusion rule in Windows Defender to avoid detection.
Immediately after, they deployed x.exe, a variant of the infamous Ghost RAT. Analysis of this malware revealed communication protocols and persistence mechanisms consistent with previous campaigns attributed to Chinese advanced persistent threat (APT) groups.
The incident underscores the necessity of hardening public-facing applications and monitoring for the abuse of legitimate software, as threat actors continue to adapt their playbooks to stay ahead of defenders.
| Category | Type | Indicator | Description |
|---|---|---|---|
| File | Path | C:\xamp\htdocs\123.php | Web shell |
| File | SHA256 | f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16 | Web shell |
| File | URL | https://rism.pages[.]dev/microsoft.exe | Nezha Agent |
| File | Path | C:\Windows\Cursors\live.exe | Nezha Agent |
| File | SHA256 | 9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6 | Nezha Agent |
| File | Path | C:\Windows\Cursors\x.exe | Ghost RAT Payload |
| File | SHA256 | 7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958 | Ghost RAT Payload |
| File | Path | C:\Windows\system32\SQLlite.exe | Renamed rundll32.exe |
| File | SHA256 | 82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999 | Renamed rundll32.exe |
| File | Path | C:\Windows\system32\32138546.dll | Malicious DLL |
| File | SHA256 | 35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3 | Malicious DLL |
| Infrastructure | IP Address | 54.46.50[.]255 | Initial Access IP |
| Infrastructure | IP Address | 45.207.220[.]12 | Web shell and Backdoor C2/Operator IP |
| Infrastructure | Domain | c.mid[.]al | Nezha C2 Domain |
| Infrastructure | IP Address | 172.245.52[.]169 | Nezha C2 IP |
| Infrastructure | Domain | gd.bj2[.]xyz | Backdoor C2/Operator Domain |
| Miscellaneous | Service Name | SQLlite | Persistence Service Name |
| Miscellaneous | Mutex | gd.bj2[.]xyz:53762:SQLlite | Infection Marker |
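The indicators above are most useful when swept across endpoint telemetry together with the two behaviours the article describes: a Windows Defender exclusion being added from the Nezha-launched PowerShell session, and rundll32.exe running under the SQLlite name as a persistence service. The script below is an added example, not Huntress's or the article's code; the hashes, domains, IPs, service name and mutex come from the table, while the telemetry event schema (field names such as sha256, original_filename, dst_ip) and the sample events are constructed, and the event 5007 message text is an approximation.

```python
import re

# Added example, not part of the Huntress report or this article.
# Sweeps constructed endpoint telemetry for the published IoCs plus two
# behaviours from the intrusion narrative. Event schema is assumed.

# IoCs exactly as published in the table (network values defanged with [.]).
IOC_SHA256 = {
    "f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16": "Web shell",
    "9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6": "Nezha Agent",
    "7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958": "Ghost RAT Payload",
    "82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999": "Renamed rundll32.exe",
    "35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3": "Malicious DLL",
}
IOC_DOMAINS = {"c.mid[.]al": "Nezha C2 Domain", "gd.bj2[.]xyz": "Backdoor C2/Operator Domain"}
IOC_IPS = {
    "54.46.50[.]255": "Initial Access IP",
    "45.207.220[.]12": "Web shell and Backdoor C2/Operator IP",
    "172.245.52[.]169": "Nezha C2 IP",
}
IOC_SERVICE_NAME = "SQLlite"
IOC_MUTEX = "gd.bj2[.]xyz:53762:SQLlite"


def refang(value):
    """Turn a defanged indicator (x[.]y) back into its matchable form."""
    return value.replace("[.]", ".")


DOMAINS = {refang(k): v for k, v in IOC_DOMAINS.items()}
IPS = {refang(k): v for k, v in IOC_IPS.items()}
MUTEX = refang(IOC_MUTEX)

# Defender event 5007 (configuration changed) mentioning the Exclusions key.
EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\", re.I)


def scan_event(ev):
    """Return the list of labels triggered by one telemetry event (empty if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        label = IOC_SHA256.get(ev.get("sha256", "").lower())
        if label:
            hits.append(f"known hash: {label}")
        # Masquerading: binary whose version info says rundll32 but whose file name does not.
        if (ev.get("original_filename", "").lower() == "rundll32.exe"
                and not ev.get("image", "").lower().endswith("rundll32.exe")):
            hits.append("rundll32.exe running under a different file name")
    elif kind == "dns":
        query = ev.get("query", "").lower().rstrip(".")
        if query in DOMAINS:
            hits.append(f"C2 domain: {DOMAINS[query]}")
    elif kind == "network":
        if ev.get("dst_ip") in IPS:
            hits.append(f"C2/operator IP: {IPS[ev['dst_ip']]}")
    elif kind == "service":
        if ev.get("name", "").lower() == IOC_SERVICE_NAME.lower():
            hits.append("persistence service name SQLlite")
    elif kind == "mutex":
        if ev.get("name") == MUTEX:
            hits.append("Ghost RAT infection-marker mutex")
    elif kind == "defender_config":
        if EXCLUSION_RE.search(ev.get("message", "")):
            hits.append("Defender exclusion added (event 5007)")
    return hits


def scan_events(events):
    """Sweep a list of events; returns (event index, label) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in scan_event(ev)]


# Constructed telemetry; the exclusion path and the unknown hash are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "0" * 64},
    {"type": "defender_config", "event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Example\Excluded = 0x0"},
    {"type": "process", "image": r"C:\Windows\Cursors\x.exe",
     "sha256": "7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958"},
    {"type": "process", "image": r"C:\Windows\system32\SQLlite.exe", "original_filename": "RUNDLL32.EXE",
     "sha256": "82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999"},
    {"type": "dns", "query": "c.mid.al"},
    {"type": "network", "dst_ip": "203.0.113.9"},
    {"type": "service", "name": "SQLlite", "image_path": r"C:\Windows\system32\SQLlite.exe"},
    {"type": "mutex", "name": "gd.bj2.xyz:53762:SQLlite"},
    {"type": "dns", "query": "example.com"},
]

if __name__ == "__main__":
    for idx, label in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Hash and domain matches age quickly once the operators rebuild; the rundll32 masquerade check, the SQLlite service name and the Defender exclusion event are the parts of this sweep worth keeping in a detection rule after the listed infrastructure has gone stale.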