
Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave

October 8, 2025
Oct 08, 2025Ravie LakshmananMalware / Risk Intelligence

Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets.

The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web server.

“This allowed the threat actor to control the web server using ANTSWORD, before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server,” researchers Jai Minton, James Northey, and Alden Schmidt said in a report shared with The Hacker News.

In all, the intrusion is said to have likely compromised more than 100 victim machines, with a majority of the infections reported in Taiwan, Japan, South Korea, and Hong Kong.

The attack chain pieced together by Huntress shows that the attackers, described as a “technically proficient adversary,” leveraged a publicly exposed and vulnerable phpMyAdmin panel to obtain initial access, and then set the language to simplified Chinese.

The threat actors were subsequently found to access the server's SQL query interface and run various SQL commands in quick succession in order to drop a PHP web shell in a directory accessible over the internet, after ensuring that the queries were logged to disk by enabling general query logging.

“They then issued a query containing their one-liner PHP web shell, causing it to be recorded in the log file,” Huntress explained. “Crucially, they set the log file’s name with a .php extension, allowing it to be executed directly by sending POST requests to the server.”
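
A defender-side check for the log-poisoning pattern Huntress describes, as an added example that is not from the Huntress report or the original article: it audits the general query log settings read from a MySQL/MariaDB server (the assumed database behind phpMyAdmin) and flags script-named files that begin like a query log. The extension list, Linux-style web-root paths and sample values are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumptions for this example: extensions the web server hands to an
# interpreter, and the directories it serves. Adjust both to the deployment.
SCRIPT_EXTS = {".php", ".phtml", ".phar"}
WEB_ROOTS = ("/var/www/", "/usr/share/nginx/html/")

# Column header mysqld writes at the top of a general query log file.
LOG_HEADER = re.compile(r"^Time\s+Id\s+Command\s+Argument\s*$", re.M)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)

# Constructed sample inputs (not taken from the report).
SAMPLE_VARS = {"general_log": "ON", "general_log_file": "/var/www/html/app/constructed.php"}
BASELINE_VARS = {"general_log": "OFF", "general_log_file": "/var/lib/mysql/db01.log"}
SAMPLE_HEAD = (
    "/usr/sbin/mysqld, Version: 8.0.0 (constructed). started with:\n"
    "Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock\n"
    "Time                 Id Command    Argument\n"
    "2025-08-01T00:00:00.000000Z\t   12 Query\tSELECT '<?php /* placeholder */ ?>'\n"
)


def audit_variables(variables):
    """Check values as returned by SHOW GLOBAL VARIABLES LIKE 'general_log%'."""
    findings = []
    path = PurePosixPath(variables.get("general_log_file", ""))
    enabled = variables.get("general_log", "OFF").upper() in ("ON", "1")
    if path.suffix.lower() in SCRIPT_EXTS:
        findings.append("log file has a script extension: " + path.suffix)
    if any(str(path).startswith(root) for root in WEB_ROOTS):
        findings.append("log file is inside a web root")
    if findings and enabled:
        findings.append("general logging is currently enabled")
    return findings


def looks_like_poisoned_log(name, head):
    """True if a script-named file starts like a query log and holds a PHP tag."""
    if PurePosixPath(name).suffix.lower() not in SCRIPT_EXTS:
        return False
    return bool(LOG_HEADER.search(head)) and bool(PHP_TAG.search(head))


if __name__ == "__main__":
    print(audit_variables(SAMPLE_VARS))
    print(looks_like_poisoned_log("constructed.php", SAMPLE_HEAD))
```

The first function is meant for a scheduled configuration audit; the second for a sweep of the first few kilobytes of script files under the web root.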

The access afforded by the ANTSWORD web shell is then used to run the “whoami” command to determine the privileges of the web server and deliver the open-source Nezha agent, which can be used to remotely commandeer an infected host by connecting to an external server (“c.mid[.]al”).

An interesting aspect of the attack is that the threat actor behind the operation has been running their Nezha dashboard in Russian, with over 100 victims listed across the world. A smaller concentration of victims is scattered across Singapore, Malaysia, India, the U.K., the U.S., Colombia, Laos, Thailand, Australia, Indonesia, France, Canada, Argentina, Sri Lanka, the Philippines, Ireland, Kenya, and Macao, among others.

The Nezha agent enables the next stage of the attack chain, facilitating the execution of an interactive PowerShell script to create Microsoft Defender Antivirus exclusions and launch Gh0st RAT, a malware widely used by Chinese hacking groups. The malware is executed by means of a loader that, in turn, runs a dropper responsible for configuring and starting the main payload.

“This activity highlights how attackers are increasingly abusing new and emerging publicly available tooling as it becomes available to achieve their goals,” the researchers said.

“Due to this, it's a stark reminder that while publicly available tooling can be used for legitimate purposes, it's also commonly abused by threat actors due to the low research cost, ability to provide plausible deniability compared to bespoke malware, and likelihood of being undetected by security products.”
