In a recent wave of cyber attacks, threat actors with suspected ties to China have repurposed the legitimate open-source monitoring tool Nezha to deploy the notorious Gh0st RAT malware. This campaign, observed by cybersecurity firm Huntress in August 2025, showcases the attackers’ technical proficiency and their ability to exploit publicly available tools for malicious purposes.
Initial Access via phpMyAdmin Exploitation
The attackers initiated their intrusion by targeting publicly exposed and vulnerable phpMyAdmin panels. Upon gaining access, they set the interface language to simplified Chinese, indicating a possible link to Chinese-speaking operators. This initial foothold allowed them to execute a series of SQL commands rapidly, enabling the deployment of a PHP web shell in a directory accessible over the internet.
Log Poisoning Technique
A notable aspect of this attack is the use of log poisoning, also known as log injection. By enabling general query logging, the attackers ensured that their malicious SQL queries were recorded in the server’s log files. They then crafted a query containing a one-liner PHP web shell, causing it to be logged. Crucially, they set the log file’s name with a .php extension, allowing it to be executed directly by sending POST requests to the server. This method effectively transformed the log file into an executable web shell, granting the attackers control over the server.
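The two artefacts this technique leaves behind, a general_log_file pointing at a server-executable path and query-log lines that carry a PHP open tag, can both be checked from the defender's side. The following is an added example written for this article, not Huntress code; the web roots, variable values and log lines are constructed stand-ins, and the log format mirrors MySQL's general query log.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Tuple

# Hypothetical web roots for this host; adjust to the real deployment.
WEB_ROOTS = ("/var/www/html", "/srv/http")
# Extensions the web server would hand to the PHP interpreter.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

# A general query log should never contain a PHP open tag.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Queries that move or enable the general log are themselves a signal.
LOG_RECONFIG = re.compile(r"\bSET\s+(?:GLOBAL\s+)?general_log(?:_file)?\s*=", re.IGNORECASE)


def check_general_log(variables: Dict[str, str],
                      web_roots: Iterable[str] = WEB_ROOTS) -> List[str]:
    """Flag general_log settings that turn the query log into a web shell.
    `variables` is the name->value mapping from SHOW GLOBAL VARIABLES LIKE 'general_log%'."""
    findings = []
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: every query, attacker-supplied strings included, is written to disk")
    log_file = variables.get("general_log_file", "")
    if not log_file:
        return findings
    path = PurePosixPath(log_file)
    if path.suffix.lower() in EXECUTABLE_SUFFIXES:
        findings.append(f"general_log_file has a server-executable extension: {log_file}")
    for root in web_roots:
        if PurePosixPath(root) in path.parents:
            findings.append(f"general_log_file is inside web root {root}: {log_file}")
            break
    return findings


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, reason) for query-log lines worth an analyst's attention."""
    hits = []
    for n, line in enumerate(lines, 1):
        if PHP_OPEN_TAG.search(line):
            hits.append((n, "php-open-tag"))
        elif LOG_RECONFIG.search(line):
            hits.append((n, "general_log-reconfigured"))
    return hits


# Constructed sample data (not from the incident).
SAMPLE_VARIABLES = {"general_log": "ON", "general_log_file": "/var/www/html/uploads/q.php"}
SAMPLE_LOG = [
    "2025-08-01T10:00:00.000000Z   12 Query   SELECT version()",
    "2025-08-01T10:00:01.000000Z   12 Query   SET GLOBAL general_log_file='/var/www/html/uploads/q.php'",
    "2025-08-01T10:00:02.000000Z   12 Query   SELECT '<?php echo 1; ?>'",  # benign stand-in for the injected one-liner
    "2025-08-01T10:00:03.000000Z   12 Query   SHOW DATABASES",
]

if __name__ == "__main__":
    for finding in check_general_log(SAMPLE_VARIABLES):
        print("finding:", finding)
    print("suspicious log lines:", scan_log(SAMPLE_LOG))
```

Run the same checks against `general_log_file` values in my.cnf and against the web root's recent file listing, since the reconfiguration can be done on disk as well as at runtime.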
Deployment of ANTSWORD and Nezha Agent
With control established via the web shell, the attackers utilized ANTSWORD, a popular Chinese open-source website management tool, to execute commands on the compromised server. They ran the “whoami” command to determine the server’s privileges and subsequently deployed the Nezha agent. Nezha, originally designed for system monitoring and management, was repurposed by the attackers to remotely command the infected host by connecting it to an external server (“c.mid[.]al”).
Global Impact and Use of Russian-Language Dashboard
The intrusion is believed to have compromised over 100 victim machines worldwide, with a significant concentration in Taiwan, Japan, South Korea, and Hong Kong. Interestingly, the attackers operated their Nezha dashboard in Russian, suggesting a deliberate attempt to obfuscate their origins or possibly indicating collaboration with Russian-speaking entities. Victims were also identified in countries including Singapore, Malaysia, India, the U.K., the U.S., Colombia, Laos, Thailand, Australia, Indonesia, France, Canada, Argentina, Sri Lanka, the Philippines, Ireland, Kenya, and Macao.
Execution of Gh0st RAT
The Nezha agent facilitated the next stage of the attack: the execution of an interactive PowerShell script designed to create exclusions in Microsoft Defender Antivirus. This maneuver allowed the attackers to launch Gh0st RAT, a malware widely utilized by Chinese hacking groups. Gh0st RAT was executed through a loader, which in turn ran a dropper responsible for configuring and initiating the main payload.
Implications and Recommendations
This campaign underscores the increasing trend of threat actors abusing publicly available tools to achieve their objectives. The use of legitimate software like Nezha and ANTSWORD provides attackers with plausible deniability and can evade detection by security products.
To mitigate such threats, organizations are advised to:
– Regularly Update and Patch Systems: Ensure that all software, especially web-facing applications like phpMyAdmin, is up to date and patched against known vulnerabilities.
– Monitor Logs for Anomalies: Implement monitoring solutions to detect unusual activities in log files, such as unexpected PHP executions or changes in file extensions.
– Restrict Access to Critical Tools: Limit access to administrative tools and interfaces to authorized personnel only, and consider implementing multi-factor authentication.
– Educate Staff on Phishing and Social Engineering: Regular training can help staff recognize and avoid tactics used by attackers to gain initial access.
By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats that exploit legitimate tools for malicious purposes.