Cyber Web Spider Blog – News
Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave

Posted on October 8, 2025 By CWS

Oct 08, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence
Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool known as Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets.
The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique known as log poisoning (aka log injection) to plant a web shell on a web server.
"This allowed the threat actor to control the web server using ANTSWORD, before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server," researchers Jai Minton, James Northey, and Alden Schmidt said in a report shared with The Hacker News.

In all, the intrusion is said to have likely compromised more than 100 victim machines, with a majority of the infections reported in Taiwan, Japan, South Korea, and Hong Kong.
The attack chain pieced together by Huntress shows that the attackers, described as a "technically proficient adversary," leveraged a publicly exposed and vulnerable phpMyAdmin panel to obtain initial access, and then set the language to simplified Chinese.
The threat actors were subsequently found to access the server's SQL query interface and run various SQL commands in quick succession in order to drop a PHP web shell in a directory accessible over the internet, after ensuring that the queries are logged to disk by enabling general query logging.

"They then issued a query containing their one-liner PHP web shell, causing it to be recorded in the log file," Huntress explained. "Crucially, they set the log file's name with a .php extension, allowing it to be executed directly by sending POST requests to the server."
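The log-poisoning step described above leaves two artefacts in the MySQL general query log itself: a statement that redirects `general_log_file` to a web-served or interpreter-handled path, and a statement that carries a PHP open tag. The following detection script is an added example and is not code from Huntress or from the Nezha project; the log lines it parses are constructed in the MySQL general-log text format, the web-root list is an assumption, and the `SHOW VARIABLES` check takes a plain dictionary so it runs offline.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the MySQL general query log text format
# ("<time>\t<thread id> <command>\t<argument>"). These lines are made up for
# this example and are not taken from the Huntress report.
SAMPLE_GENERAL_LOG = (
    "2025-08-14T09:12:01.000000Z\t   12 Connect\troot@localhost on  using TCP/IP\n"
    "2025-08-14T09:12:02.000000Z\t   12 Query\tSELECT COUNT(*) FROM users\n"
    "2025-08-14T09:12:03.000000Z\t   12 Query\tSET GLOBAL general_log = 'ON'\n"
    "2025-08-14T09:12:04.000000Z\t   12 Query\t"
    "SET GLOBAL general_log_file = '/var/www/html/uploads/CONSTRUCTED.php'\n"
    "2025-08-14T09:12:05.000000Z\t   12 Query\tSELECT '<?php CONSTRUCTED_PLACEHOLDER ?>'\n"
    "2025-08-14T09:12:06.000000Z\t   13 Query\tSELECT name FROM products WHERE id = 7\n"
)

# Assumed web roots for this example; adjust to the server under review.
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx/html")
# Extensions a typical web server hands to a script interpreter.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx"}

LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
SET_LOG_FILE = re.compile(
    r"set\s+global\s+general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
ENABLE_LOG = re.compile(r"set\s+global\s+general_log\s*=\s*['\"]?(on|1)['\"]?", re.I)
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.I)


def parse_general_log(text):
    """Yield (timestamp, thread_id, command, argument) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group("ts"), int(m.group("tid")), m.group("cmd"), m.group("arg")


def is_risky_log_path(path):
    """True if a log destination is web-served or carries an interpreter extension."""
    p = PurePosixPath(path)
    in_web_root = any(str(p).startswith(root + "/") for root in WEB_ROOTS)
    return in_web_root or p.suffix.lower() in EXECUTABLE_EXT


def find_log_poisoning(text):
    """Return findings {ts, tid, severity, rule, detail} over a general query log."""
    findings = []
    for ts, tid, cmd, arg in parse_general_log(text):
        if cmd != "Query":
            continue
        if ENABLE_LOG.search(arg):
            findings.append(dict(ts=ts, tid=tid, severity="low",
                                 rule="general_log enabled at runtime", detail=arg))
        m = SET_LOG_FILE.search(arg)
        if m and is_risky_log_path(m.group(1)):
            findings.append(dict(ts=ts, tid=tid, severity="high",
                                 rule="general_log_file points to web-served/executable path",
                                 detail=m.group(1)))
        if PHP_OPEN_TAG.search(arg):
            findings.append(dict(ts=ts, tid=tid, severity="high",
                                 rule="PHP open tag inside SQL statement", detail=arg))
    return findings


def check_server_variables(variables):
    """Flag a live configuration (dict built from SHOW VARIABLES) that already logs into a risky path."""
    problems = []
    if variables.get("general_log", "OFF").upper() == "ON":
        path = variables.get("general_log_file", "")
        if is_risky_log_path(path):
            problems.append(f"general_log is ON and writes to {path}")
    return problems


if __name__ == "__main__":
    for f in find_log_poisoning(SAMPLE_GENERAL_LOG):
        print(f"{f['ts']} thread {f['tid']} [{f['severity']}] {f['rule']}: {f['detail']}")
    print(check_server_variables({"general_log": "ON",
                                  "general_log_file": "/var/www/html/uploads/CONSTRUCTED.php"}))
```

Enabling the general log is only a low-severity signal on its own (administrators do it for troubleshooting); the combination of a runtime `general_log_file` change into a web root and a query carrying `<?php` on the same thread is what separates this technique from normal use, so both are kept in the findings with their thread id for correlation.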
The access afforded by the ANTSWORD web shell is then used to run the "whoami" command to determine the privileges of the web server and deliver the open-source Nezha agent, which can be used to remotely commandeer an infected host by connecting to an external server ("c.mid[.]al").
An interesting aspect of the attack is that the threat actor behind the operation has been operating their Nezha dashboard in Russian, with over 100 victims listed across the world. A smaller concentration of victims is scattered across Singapore, Malaysia, India, the U.K., the U.S., Colombia, Laos, Thailand, Australia, Indonesia, France, Canada, Argentina, Sri Lanka, the Philippines, Ireland, Kenya, and Macao, among others.

The Nezha agent enables the next stage of the attack chain, facilitating the execution of an interactive PowerShell script to create Microsoft Defender Antivirus exclusions and launch Gh0st RAT, a malware widely used by Chinese hacking groups. The malware is executed via a loader that, in turn, runs a dropper responsible for configuring and starting the main payload.
"This activity highlights how attackers are increasingly abusing new and emerging publicly available tooling as it becomes available to achieve their goals," the researchers said.
"Because of this, it is a stark reminder that while publicly available tooling can be used for legitimate purposes, it is also commonly abused by threat actors because of the low research cost, ability to provide plausible deniability compared to bespoke malware, and likelihood of being undetected by security products."
