
Attackers with suspected ties to China repurposed a legitimate open source server-monitoring tool called Nezha as an attack tool and used it to deliver the known malware Gh0st RAT to their targets.
The activity, observed by cybersecurity firm Huntress in August 2025, features the use of an unusual technique called log poisoning (also known as log injection) to plant a web shell on a web server.
“This allowed the attackers to use AntSword to take control of the web server before ultimately deploying Nezha, a manipulation and monitoring tool that allowed them to execute commands on the web server,” researchers Jai Minton, James Northey, and Alden Schmidt said in a report shared with The Hacker News.

This intrusion likely compromised over 100 victim machines in total, with the majority of infections reported in Taiwan, Japan, South Korea, and Hong Kong.
The attack chain compiled by Huntress shows that the attacker, described as a “technically skilled adversary,” leveraged a publicly exposed phpMyAdmin panel to gain initial access and set the interface language to Simplified Chinese.
The attacker then accessed the server’s SQL query interface through phpMyAdmin, ran a series of SQL commands in rapid succession, and used them to drop a PHP web shell into an internet-accessible directory: first enabling MySQL’s general query logging and ensuring that queries were written to a file on disk, then abusing that log file as the write primitive.

“They then issued a query containing a one-liner PHP web shell, which was recorded in the log file,” Huntress explained. “The key is to name the log files with a .php extension so that they can be executed directly by making a POST request to the server.”
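The log-poisoning chain just described has a recognisable shape on two fronts: in the sequence of SQL statements (general_log switched on, general_log_file pointed at a .php path under the web root, a query whose text carries PHP tags), and on disk (a .php file whose contents begin with the MySQL general-log header). The following is an added detection example written for this article; it is not code from Huntress or from the Nezha, phpMyAdmin or AntSword projects. The web-root list, regexes, file names and sample statements are constructed assumptions for illustration.

```python
"""Added example (not from Huntress or The Hacker News): detecting the MySQL
general-log poisoning chain used to plant a PHP web shell. Web-root list,
regexes, sample statements and file names are constructed for illustration."""
import os
import re
import tempfile

# Directories a web server typically publishes; a general_log_file under one of
# these with a .php suffix is the poisoning tell. Assumed list, extend per host.
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/html/", "c:/xampp/htdocs/")

RE_GENERAL_LOG_ON = re.compile(r"set\s+(?:global\s+)?general_log\s*=\s*['\"]?(?:on|1)['\"]?", re.I)
RE_LOG_FILE = re.compile(r"set\s+(?:global\s+)?general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
RE_PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
# Column header mysqld writes at the top of a fresh general log file.
RE_LOG_HEADER = re.compile(r"^\s*Time\s+Id\s+Command\s+Argument", re.M)


def is_web_served_php(path):
    """True when PATH is a .php file under a directory the web server publishes."""
    p = path.replace("\\", "/").lower()
    return p.endswith(".php") and p.startswith(WEB_ROOTS)


def find_log_poisoning(statements):
    """Walk SQL statements in order (e.g. from an audit plugin or a proxy capture)
    and return findings as (index, severity, reason) tuples. A PHP tag is only
    'critical' once logging has been pointed at the web root, because that is
    the combination that yields an executable file."""
    findings = []
    log_on = False
    web_log_path = None
    for i, stmt in enumerate(statements):
        if RE_GENERAL_LOG_ON.search(stmt):
            log_on = True
            findings.append((i, "medium", "general_log switched on at runtime"))
        m = RE_LOG_FILE.search(stmt)
        if m:
            path = m.group(1)
            if is_web_served_php(path):
                web_log_path = path
                findings.append((i, "high", f"general_log_file moved into web root: {path}"))
            else:
                web_log_path = None
        if RE_PHP_TAG.search(stmt):
            if log_on and web_log_path:
                findings.append((i, "critical", f"PHP code logged into {web_log_path}"))
            else:
                findings.append((i, "low", "PHP tag inside SQL text"))
    return findings


def scan_web_root(root):
    """Return .php files under ROOT whose content is a MySQL general log that
    also carries PHP tags: the on-disk shape of a poisoned log."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="replace") as fh:
                    head = fh.read(65536)
            except OSError:
                continue
            if RE_LOG_HEADER.search(head) and RE_PHP_TAG.search(head):
                hits.append(full)
    return sorted(hits)


# Constructed sample: the statement order mirrors the chain described in the
# article (enable logging, point the log at the web root, log a PHP one-liner).
SAMPLE_STATEMENTS = [
    "SELECT @@version",
    "SET GLOBAL general_log = 'ON'",
    "SET GLOBAL general_log_file = '/var/www/html/uploads/cache.php'",
    "SELECT '<?php @eval($_POST[\"pass\"]); ?>'",
    "SET GLOBAL general_log = 'OFF'",
]

# Constructed sample of what mysqld then writes into that file.
SAMPLE_POISONED_LOG = (
    "/usr/sbin/mysqld, Version: 8.0.36 (MySQL Community Server - GPL). started with:\n"
    "Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock\n"
    "Time                 Id Command    Argument\n"
    "2025-08-01T09:12:44.123456Z\t   12 Query\tSELECT '<?php @eval($_POST[\"pass\"]); ?>'\n"
)


def demo():
    """Run both checks against the constructed samples in a throwaway web root."""
    findings = find_log_poisoning(SAMPLE_STATEMENTS)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
            fh.write(SAMPLE_POISONED_LOG)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")  # benign: PHP, but no log header
        hits = scan_web_root(root)
    return findings, [os.path.basename(h) for h in hits]


if __name__ == "__main__":
    found, poisoned = demo()
    for f in found:
        print(*f)
    print("poisoned files:", poisoned)
```

Two caveats when deploying this. The statement stream must come from a source the attacker cannot switch off with the same SET GLOBAL they use for the attack, such as an audit plugin, a database proxy log, or phpMyAdmin's own request logging; the general log itself is under their control. And the chain only works because the MySQL account reachable through phpMyAdmin held SUPER or SYSTEM_VARIABLES_ADMIN (needed to change general_log_file) and mysqld could write into a directory the web server executes from; withholding that privilege from web-facing accounts and keeping the database user unable to write under the web root removes the primitive regardless of detection.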
The access granted by the AntSword web shell was used to run the “whoami” command, determine the privileges the web server process runs with, and deliver the open source Nezha agent. That agent can be used to remotely take over infected hosts by connecting back to an external server (c.mid[.]al).
An interesting aspect of this attack is that the attackers behind this operation run the Nezha dashboard in Russian, and it lists over 100 victims worldwide. Smaller numbers of victims are scattered across Singapore, Malaysia, India, the United Kingdom, the United States, Colombia, Laos, Thailand, Australia, Indonesia, France, Canada, Argentina, Sri Lanka, the Philippines, Ireland, Kenya, and Macau.

The Nezha agent enables the next stage in the attack chain, facilitating the execution of interactive PowerShell scripts to create Microsoft Defender Antivirus exclusions and launch the Gh0st RAT, a malware widely used by Chinese hacker groups. The malware is executed by a loader, which runs a dropper that is responsible for configuring and starting the main payload.
“This activity highlights how attackers are increasingly exploiting newly released tools to achieve their goals,” the researchers said.
“This is another reminder that while publicly available tools can be used for legitimate purposes, they are often exploited by threat actors due to their lower research costs, their ability to provide plausible deniability compared to custom-built malware, and their greater likelihood of being undetected by security products.”