Chinese Hackers Weaponized Nezha Tool to Execute Commands on Web Server


A sophisticated cyberattack campaign, active since August 2025, has seen a China-nexus threat actor weaponize a legitimate server operations tool called Nezha to execute commands and deploy malware on compromised web servers.

This campaign, uncovered by Huntress, represents the first publicly reported instance of Nezha being abused in this manner, highlighting a tactical shift towards leveraging open-source tools to evade detection.

The attackers employed a creative log poisoning technique to gain initial access before deploying the notorious Ghost RAT, primarily targeting entities in Taiwan, Japan, South Korea, and Hong Kong.

The intrusion began with the exploitation of a vulnerable, public-facing phpMyAdmin panel that lacked proper authentication. After gaining access from an AWS-hosted IP in Hong Kong, the attackers immediately set the interface language to simplified Chinese.

They then used an inventive technique known as log poisoning to plant a web shell. By manipulating MariaDB’s logging functions, the threat actor set the general log file to a PHP file within the webroot.

They then executed an SQL query containing a one-liner PHP web shell, effectively writing their backdoor into the executable log file.

PHP Webshell

This method allowed them to execute arbitrary code on the server using tools like AntSword, which are designed to manage such backdoors.
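As an added defender-side example (not code from the article or from the Huntress report), the following Python scans a MariaDB/MySQL general query log written to a FILE target for the two traces this log-poisoning chain leaves: a general_log_file redirect into a web root (or to a .php path) and a query body carrying a PHP open tag. The log lines, the web root and the file name 123.php are constructed samples.

```python
import re
from typing import Dict, List

# One general-log entry: "<YYMMDD HH:MM:SS> <thread_id> <Command> <Argument>".
# The timestamp is omitted when it repeats the previous line's, so it is optional.
ENTRY_RE = re.compile(
    r"^(?:(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s*(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$"
)
# SET [GLOBAL|SESSION|@@global.|@@session.] general_log_file = '<path>'
LOGFILE_RE = re.compile(
    r"SET\s+(?:GLOBAL\s+|SESSION\s+|@@global\.|@@session\.)?general_log_file\s*=\s*['\"]?([^'\";]+)",
    re.IGNORECASE,
)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
SERVER_SIDE_EXT = (".php", ".phtml", ".php5", ".phar")


def _norm(path: str) -> str:
    """Lower-case and forward-slash a path so Windows and POSIX spellings compare."""
    return path.strip().replace("\\", "/").lower()


def detect_log_poisoning(lines: List[str], webroots: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious Query entry (signal + thread id + detail)."""
    roots = [_norm(r).rstrip("/") + "/" for r in webroots]
    findings: List[Dict[str, str]] = []
    for raw in lines:
        m = ENTRY_RE.match(raw)
        if not m or m.group("cmd").lower() != "query":
            continue
        sql = m.group("arg")
        lf = LOGFILE_RE.search(sql)
        if lf:  # signal 1: log file pointed into the web root or at a script extension
            target = _norm(lf.group(1))
            if any(target.startswith(r) for r in roots) or target.endswith(SERVER_SIDE_EXT):
                findings.append({"thread": m.group("tid"), "signal": "general_log_file_redirect", "detail": target})
        if PHP_TAG_RE.search(sql):  # signal 2: PHP smuggled through the query text
            findings.append({"thread": m.group("tid"), "signal": "php_tag_in_query", "detail": sql})
    return findings


# Constructed sample log (tab-separated like a real FILE general log); thread 6 is benign.
SAMPLE_LOG = """\
251012 10:15:03\t    5 Connect\tphpmyadmin@localhost on  using TCP/IP
\t\t    5 Query\tSHOW VARIABLES LIKE 'general_log%'
251012 10:15:09\t    5 Query\tSET GLOBAL general_log = 'ON'
\t\t    5 Query\tSET GLOBAL general_log_file = 'C:/xampp/htdocs/123.php'
251012 10:15:14\t    5 Query\tSELECT '<?php echo "stand-in for a one-liner shell"; ?>'
251012 10:16:02\t    6 Query\tSELECT id, name FROM users WHERE id = 42
"""
SAMPLE_WEBROOTS = [r"C:\xampp\htdocs"]  # constructed web root for the sample

if __name__ == "__main__":
    for f in detect_log_poisoning(SAMPLE_LOG.splitlines(), SAMPLE_WEBROOTS):
        print(f"thread {f['thread']}: {f['signal']} -> {f['detail']}")
```

The same two checks can be applied to a database audit plugin's output or to `SHOW GLOBAL VARIABLES LIKE 'general_log_file'` on a live server; on a hardened host the log path should never resolve under a web root.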

After establishing control with the web shell, the adversary’s primary objective was to deploy a more persistent and versatile tool. They used the AntSword connection to download and execute live.exe, an installer for a Nezha agent.

Nezha is a legitimate, open-source tool for server monitoring and task management. However, in this case, it was repurposed as a malicious implant.

The agent’s configuration file pointed to the attacker’s command-and-control (C2) server, which was running a Nezha dashboard, Huntress said.

This dashboard, set to the Russian language, revealed the attackers had compromised over 100 victim machines across 53 regions, with a significant concentration in East Asia, aligning with China’s geopolitical interests.

Victims infected

With the Nezha agent providing stable and stealthy access, the attackers escalated their privileges. They used Nezha’s command execution capabilities to launch an interactive PowerShell session, where they created an exclusion rule in Windows Defender to avoid detection.

Immediately after, they deployed x.exe, a variant of the infamous Ghost RAT. Analysis of this malware revealed communication protocols and persistence mechanisms consistent with previous campaigns attributed to Chinese advanced persistent threat (APT) groups.

The incident underscores the necessity of hardening public-facing applications and monitoring for the abuse of legitimate software, as threat actors continue to adapt their playbooks to stay ahead of defenders.

| Category | Type | Indicator | Description |
|---|---|---|---|
| File | Path | C:xamphtdocs123.php | Web shell |
| File | SHA256 | f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16 | Web shell |
| File | URL | https://rism.pages[.]dev/microsoft.exe | Nezha Agent |
| File | Path | C:WindowsCursorslive.exe | Nezha Agent |
| File | SHA256 | 9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6 | Nezha Agent |
| File | Path | C:WindowsCursorsx.exe | Ghost RAT Payload |
| File | SHA256 | 7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958 | Ghost RAT Payload |
| File | Path | C:Windowssystem32SQLlite.exe | Renamed rundll32.exe |
| File | SHA256 | 82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999 | Renamed rundll32.exe |
| File | Path | C:Windowssystem3232138546.dll | Malicious DLL |
| File | SHA256 | 35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3 | Malicious DLL |
| Infrastructure | IP Address | 54.46.50[.]255 | Initial Access IP |
| Infrastructure | IP Address | 45.207.220[.]12 | Web shell and Backdoor C2/Operator IP |
| Infrastructure | Domain | c.mid[.]al | Nezha C2 Domain |
| Infrastructure | IP Address | 172.245.52[.]169 | Nezha C2 IP |
| Infrastructure | Domain | gd.bj2[.]xyz | Backdoor C2/Operator Domain |
| Miscellaneous | Service Name | SQLlite | Persistence Service Name |
| Miscellaneous | Mutex | gd.bj2[.]xyz:53762:SQLlite | Infection Marker |


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.