A classy cyberattack marketing campaign, lively since August 2025, the place a China-nexus menace actor has been weaponizing a official server operations instrument referred to as Nezha to execute instructions and deploy malware on compromised net servers.
This marketing campaign, uncovered by Huntress, represents the primary publicly reported occasion of Nezha being abused on this method, highlighting a tactical shift in direction of leveraging open-source instruments to evade detection.
The attackers employed a artistic log poisoning method to realize preliminary entry earlier than deploying the infamous Ghost RAT, primarily focusing on entities in Taiwan, Japan, South Korea, and Hong Kong.
The intrusion started with the exploitation of a weak, public-facing phpMyAdmin panel that lacked correct authentication. After gaining entry from an AWS-hosted IP in Hong Kong, the attackers instantly set the interface language to simplified Chinese language.
They then used an ingenious method referred to as log poisoning to plant an internet shell. By manipulating MariaDB’s logging features, the menace actor set the overall log file to a PHP file inside the webroot.
They then executed an SQL question containing a one-liner PHP net shell, successfully writing their backdoor into the executable log file.
PHP Webshell
This methodology allowed them to execute arbitrary code on the server utilizing instruments like AntSword, that are designed to handle such backdoors.
After establishing management with the net shell, the adversary’s major goal was to deploy a extra persistent and versatile instrument. They used the AntSword connection to obtain and execute reside.exe, an installer for a Nezha agent.
Nezha is a official, open-source instrument for server monitoring and job administration. Nonetheless, on this case, it was repurposed as a malicious implant.
The agent’s configuration file pointed to the attacker’s command-and-control (C2) server, which was operating a Nezha dashboard, Huntress stated.
This dashboard, set to the Russian language, revealed the attackers had compromised over 100 sufferer machines throughout 53 areas, with a major focus in East Asia, aligning with China’s geopolitical pursuits.
Victims contaminated
With the Nezha agent offering steady and stealthy entry, the attackers escalated their privileges. They used Nezha’s command execution capabilities to launch an interactive PowerShell session, the place they created an exclusion rule in Home windows Defender to keep away from detection.
Instantly after, they deployed x.exe, a variant of the notorious Ghost RAT. Evaluation of this malware revealed communication protocols and persistence mechanisms in keeping with earlier campaigns attributed to Chinese language superior persistent menace (APT) teams.
The incident underscores the need of hardening public-facing purposes and monitoring for the abuse of official software program, as menace actors proceed to adapt their playbooks to remain forward of defenders.
CategoryTypeIndicatorDescriptionFilePathC:xamphtdocs123.phpWeb shellFileSHA256f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16Web shellFileURLhttps://rism.pages[.]dev/microsoft.exeNezha AgentFilePathC:WindowsCursorslive.exeNezha AgentFileSHA2569f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6Nezha AgentFilePathC:WindowsCursorsx.exeGhost RAT PayloadFileSHA2567b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958Ghost RAT PayloadFilePathC:Windowssystem32SQLlite.exeRenamed rundll32.exeFileSHA25682611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999Renamed rundll32.exeFilePathC:Windowssystem3232138546.dllMalicious DLLFileSHA25635e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3Malicious DLLInfrastructureIP Address54.46.50[.]255Initial Entry IPInfrastructureIP Address45.207.220[.]12Web shell and Backdoor C2/Operator IPInfrastructureDomainc.mid[.]alNezha C2 DomainInfrastructureIP Address172.245.52[.]169Nezha C2 IPInfrastructureDomaingd.bj2[.]xyzBackdoor C2/Operator DomainMiscellaneousService NameSQLlitePersistence Service NameMiscellaneousMutexgd.bj2[.]xyz:53762:SQLliteInfection Marker
Cyber Consciousness Month Provide: Upskill With 100+ Premium Cybersecurity Programs From EHA’s Diamond Membership: Be a part of At this time
