Threat Actors Weaponizing Nezha Monitoring Tool as Remote Access Trojan

Researchers at Ontinue’s Cyber Defense Center have uncovered a significant threat as attackers exploit Nezha, a legitimate open-source server monitoring tool, for post-exploitation access.

The discovery reveals how sophisticated threat actors repurpose benign software to gain complete control over compromised systems while evading traditional security detection mechanisms.

Nezha, originally developed for the Chinese IT community, has garnered nearly 10,000 stars on GitHub and serves legitimate administrators in monitoring multiple servers, tracking resource usage, and performing remote maintenance.

The tool’s architecture comprises a central dashboard server coordinating lightweight agents deployed across monitored systems, enabling system health observation, command execution, file transfer, and interactive terminal sessions.

However, these same capabilities that make Nezha valuable for legitimate use have made it an attractive target for malicious actors seeking undetected remote access.

Ontinue analysts identified Nezha being weaponized during a post-exploitation incident investigation.

A deployment bash script revealed the attacker’s infrastructure details, including command and control server addresses, authentication tokens, and a disabled TLS configuration.

Client-server model (Source - Ontinue)

The script contained naturally written Chinese-language status messages, suggesting a native speaker authored it.

Significantly, the threat actors managed to compromise hundreds of endpoints using this technique, demonstrating the scale of the threat.

The Threat Actor’s Deployment Strategy

The attacker’s approach demonstrates sophisticated operational tradecraft. The bash script included configuration parameters pointing to a C2 server hosted on Alibaba Cloud services at IP address 47.79.42.91, geolocalised to Japan.

Installation occurred silently on target systems, with detection only triggering when attackers executed commands through the agent. Ontinue researchers accessed the threat actor’s dashboard in a sandbox environment, discovering the full scope of compromised infrastructure.

Agent process (Source - Ontinue)

What makes Nezha particularly dangerous is that when deployed, the agent runs with SYSTEM privileges on Windows and root access on Linux.

This occurs because the agent requires elevated permissions to read system metrics and manage processes.

When attackers request terminal sessions, inherited process context ensures shell access operates with full administrative capabilities. This eliminates any privilege escalation requirements that might otherwise alert defenders.

The legitimate binary achieved zero detections across 72 security vendors on VirusTotal because it genuinely is legitimate software pointed at attacker infrastructure. Detection evasion becomes trivial when the actual binary contains no malicious code, only misconfigured C2 endpoints.

File management, command execution, and interactive terminal capabilities provide complete post-compromise control without requiring additional tools or custom payload development.

Organisations should immediately hunt for Nezha presence and implement behavioural monitoring to identify suspicious terminal activity and file operations indicating compromise.
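The hunt the article recommends can start from two artefacts it describes: the agent binary running as root/SYSTEM with an interactive shell as its child (the dashboard's terminal feature inheriting the agent's privileges), and a connection to the reported C2 address. The following is an added example, not code from the article or from the Nezha project. It runs over constructed input: a process listing in the shape of `ps -eo user,pid,ppid,comm,args` and a (pid, remote IP) table such as you would derive from `ss -tnp`. The binary names, file paths and the empty dashboard allowlist are assumptions to adapt to your environment; the C2 IP is the one the article reports.

```python
"""Hunt for Nezha-agent abuse in a process listing and a socket table.

Added example, not code from the article or the Nezha project. Input is
constructed: SAMPLE_PS mimics `ps -eo user,pid,ppid,comm,args` output and
SAMPLE_SOCKETS mimics a (pid, remote_ip) table derived from `ss -tnp`.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

AGENT_NAMES = {"nezha-agent", "nezha-agent.exe"}        # assumed binary names
KNOWN_C2 = {"47.79.42.91"}                              # C2 IP reported in the article
ALLOWED_DASHBOARDS: set = set()                         # your own dashboard IPs, if any
SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe"}
PRIVILEGED = {"root", "SYSTEM", "NT AUTHORITY\\SYSTEM"}


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    comm: str
    args: str


def parse_ps(text: str) -> List[Proc]:
    """Parse header plus rows of `ps -eo user,pid,ppid,comm,args`."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        user, pid, ppid, comm, *rest = line.split(None, 4)
        procs.append(Proc(user, int(pid), int(ppid), comm, rest[0] if rest else ""))
    return procs


def hunt(procs: List[Proc], sockets: List[Tuple[int, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}

    # 1. Agent present and running in the elevated context the article describes.
    for p in procs:
        if p.comm in AGENT_NAMES and p.user in PRIVILEGED:
            findings.append(f"pid {p.pid}: {p.comm} running as {p.user}")

    # 2. Interactive shell whose parent is the agent: the dashboard's terminal
    #    session, inheriting the agent's privileges without any escalation.
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.comm in AGENT_NAMES and p.comm in SHELLS:
            findings.append(
                f"pid {p.pid}: {p.comm} spawned by {parent.comm} (pid {parent.pid}) as {p.user}"
            )

    # 3. Network peer check: the known C2, or an agent talking to a dashboard you do not run.
    for pid, remote_ip in sockets:
        owner = by_pid.get(pid)
        if remote_ip in KNOWN_C2:
            who = owner.comm if owner else "unknown"
            findings.append(f"pid {pid}: {who} connected to known C2 {remote_ip}")
        elif owner and owner.comm in AGENT_NAMES and remote_ip not in ALLOWED_DASHBOARDS:
            findings.append(f"pid {pid}: {owner.comm} connected to unlisted dashboard {remote_ip}")
    return findings


# Constructed sample input (not real telemetry); paths are assumptions.
SAMPLE_PS = """\
USER       PID  PPID COMM         ARGS
root         1     0 systemd      /sbin/init
root       812     1 nezha-agent  /opt/nezha/agent/nezha-agent
root       944   812 bash         bash -i
www-data  1021     1 nginx        nginx: worker process
alice     1305  1200 bash         -bash
"""
SAMPLE_SOCKETS = [(812, "47.79.42.91"), (1021, "203.0.113.5")]


def run_sample() -> List[str]:
    """Run the hunt over the constructed sample; returns three findings."""
    return hunt(parse_ps(SAMPLE_PS), SAMPLE_SOCKETS)


if __name__ == "__main__":
    for finding in run_sample():
        print("ALERT", finding)
```

Rule 2 is the one worth keeping even after the reported IP rotates: a legitimately deployed agent should rarely have a shell as a child, and when it does the shell runs as root, so a parent/child check on EDR or auditd data catches the terminal feature regardless of which dashboard drives it. Populate `ALLOWED_DASHBOARDS` with the servers your own administrators run so that rule 3 flags only agents reporting elsewhere.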
