<h1>Nezha Tool Used in New Cyber Campaign Targeting Web Applications</h1>
<p>Published 2025-10-08 by henry. Source: http://ft365.org/index.php/2025/10/08/nezha-tool-used-in-new-cyber-campaign-targeting-web-applications/</p>
<div id="cphContent_pnlArticleBody" data-layout-id="2" data-edit-folder-name="text" data-index="0">
<p>A newly uncovered cyber campaign featuring the open-source tool Nezha has been observed targeting vulnerable web applications.</p>
<p>Beginning in August 2025, Huntress analysts traced a sophisticated intrusion that used a log poisoning technique to implant a PHP web shell, which was then managed with AntSword and followed by the installation of both the Nezha agent and Ghost RAT malware.</p>
<p>The discovery marks the first public reporting of Nezha being used to facilitate web server compromises. The monitoring and task-management utility, typically employed for legitimate system administration, was repurposed by threat actors linked to China-based infrastructure.</p>
<h2>How the Attack Unfolded</h2>
<p>Huntress investigators found that the attackers gained access through a phpMyAdmin panel exposed to the internet.</p>
<p>Using an AWS-hosted IP address, they switched the interface language to Simplified Chinese before executing a series of SQL commands. These commands enabled the MariaDB general query log and pointed its output file at a .php file the web server could serve. Because the database then writes every subsequent statement into that file, a query that carries PHP code becomes a web shell as soon as the web server executes the file, with the backdoor hidden among ordinary log entries.</p>
<p>The intruders then controlled the compromised web server using AntSword, downloading a file named “live.exe,” which turned out to be the Nezha agent. Once installed, this agent connected to a command server at c.mid[.]al, allowing remote monitoring and task execution.</p>
<p>“This incident highlights the requirement to ensure that public-facing applications are patched,” Huntress researchers said.</p>
<p>“By understanding the step-by-step process used by attackers like this, we can better tune our tools.”</p>
<p>Huntress found that more than 100 victim systems were communicating with the attacker’s Nezha dashboard.</p>
<p>Most affected machines were located in Taiwan, Japan, South Korea and Hong Kong. Analysts also noted a small number of infections elsewhere, including in the US, India and several European nations.</p>
<p>The attackers used Nezha to execute PowerShell commands that disabled Windows Defender scans before deploying “x.exe,” a variant of Ghost RAT.</p>
<p>The malware established persistence under the name “SQLlite” and communicated with command-and-control (C2) domains registered through China-linked entities.</p>
<h2>Protective Measures</h2>
<p>Huntress researchers recommended that organizations take several defensive measures to prevent similar intrusions.</p>
<p>These include:</p>
<ul>
<li>Ensuring public-facing applications are patched and hardened</li>
<li>Making sure authentication is required wherever possible, including in test environments</li>
<li>Gaining visibility and detection logic to spot post-exploitation activity such as web shells, suspicious service creation and executables running from unusual directories</li>
</ul>
<p>Defenders must remain alert as threat actors continue to blend legitimate software with malicious intent to evade detection.</p>
</div>
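The log-poisoning step described above (the general query log switched on and its file pointed at a web-served .php path) leaves a footprint on the database side that is easy to check for. The following Python is an added example, not code from Huntress or from the Nezha project: it audits a constructed `SHOW GLOBAL VARIABLES` result and a constructed stream of SQL statements (as a query-audit plugin, proxy or phpMyAdmin history would supply them) for that pattern. The web-root list, the script-extension list, the sample variables and the sample statements are assumptions to adjust per host.

```python
"""Detect general-query-log redirection of the kind described in the article:
the MariaDB/MySQL general log enabled and its file pointed at a web-served
script path.  Added example; not Huntress's or Nezha's code.
"""
import re
from pathlib import PurePosixPath

# Directories the web server serves from (assumed; adjust per host).
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx/html", "/srv/http")
# Extensions the web server executes instead of serving verbatim (assumed).
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

# Matches runtime changes to the logging variables, e.g.
#   SET GLOBAL general_log_file = '/var/www/html/x.php'
#   SET @@global.general_log = ON
SET_RE = re.compile(
    r"""^\s*SET\s+(?:GLOBAL|PERSIST|PERSIST_ONLY|@@global\.)?\s*
        (?P<var>general_log_file|general_log|log_output)\s*=\s*
        (?P<val>'[^']*'|"[^"]*"|\S+)""",
    re.IGNORECASE | re.VERBOSE,
)


def under_web_root(path: str) -> bool:
    """True if path is one of the web roots or lies beneath one."""
    p = str(PurePosixPath(path))
    return any(p == root or p.startswith(root.rstrip("/") + "/") for root in WEB_ROOTS)


def log_file_findings(variables: dict) -> list[str]:
    """Audit SHOW GLOBAL VARIABLES output for a poisoned general log.

    A script extension or a web-root location is flagged even when the log is
    currently OFF, because the attacker can switch it on later.
    """
    findings = []
    log_file = variables.get("general_log_file", "")
    if PurePosixPath(log_file).suffix.lower() in SCRIPT_EXTS:
        findings.append(f"general_log_file has a script extension: {log_file}")
    if under_web_root(log_file):
        findings.append(f"general_log_file is inside a web root: {log_file}")
    if findings and variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: every query is being written to that file")
    return findings


def suspicious_statements(statements: list[str]) -> list[tuple[str, str]]:
    """Return (reason, statement) pairs for statements that redirect or enable the log."""
    hits = []
    for stmt in statements:
        m = SET_RE.match(stmt)
        if not m:
            continue
        var = m.group("var").lower()
        val = m.group("val").strip("'\"")
        if var == "general_log_file":
            if PurePosixPath(val).suffix.lower() in SCRIPT_EXTS or under_web_root(val):
                hits.append(("general log redirected to web-served file", stmt))
        elif var == "general_log" and val.upper() in ("ON", "1", "TRUE"):
            hits.append(("general log switched on at runtime", stmt))
        elif var == "log_output" and "FILE" in val.upper():
            # Informational: FILE is the default, but an attacker must set it
            # if the server was logging to TABLE.
            hits.append(("log_output set to FILE", stmt))
    return hits


# Constructed sample data: what the server might show after such an intrusion.
SAMPLE_VARIABLES = {
    "general_log": "ON",
    "general_log_file": "/var/www/html/uploads/log.php",
    "log_output": "FILE",
}
# Constructed query-audit stream; no web shell payload is included here.
SAMPLE_STATEMENTS = [
    "SELECT * FROM users WHERE id = 1",
    "SET GLOBAL general_log_file = '/var/www/html/uploads/log.php'",
    "SET GLOBAL general_log = 'ON'",
    "SELECT 'harmless marker'",
]

if __name__ == "__main__":
    for finding in log_file_findings(SAMPLE_VARIABLES):
        print("CONFIG:", finding)
    for reason, stmt in suspicious_statements(SAMPLE_STATEMENTS):
        print("QUERY:", reason, "->", stmt)
```

Setting these variables globally requires the SUPER privilege (or an equivalent administrative privilege), so a phpMyAdmin account that lacks it cannot redirect the log; running the panel with a least-privileged database account complements the article's advice to require authentication everywhere.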
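On the host side, the Protective Measures list asks for detection of suspicious service creation and of executables running from unusual directories, and the intrusion itself shows PowerShell being used to disable Windows Defender scans. The following Python is an added example rather than Huntress detection content: it triages constructed Windows events (System log event 7045, service installation; Security log event 4688, process creation) for those three behaviours. The trusted and user-writable directory lists, the event field names and the sample events are assumptions; the 4688 command line is only present when command-line auditing is enabled.

```python
"""Triage constructed Windows telemetry for the post-exploitation behaviours
the article lists: Defender tampering via PowerShell, a new service whose
binary lives outside trusted program directories, and executables launched
from user-writable paths.  Added example; not Huntress detection content.
"""
import re
from dataclasses import dataclass

# Directories where service binaries and long-running executables normally
# live (assumed; extend for your estate).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Path fragments that indicate a user-writable location (assumed).
USER_WRITABLE_DIRS = (
    r"c:\users\public",
    r"c:\programdata",
    r"\appdata\local\temp",
    r"c:\windows\temp",
    r"\downloads",
)
# PowerShell cmdlets/switches that weaken or exclude paths from Defender.
DEFENDER_TAMPER_RE = re.compile(
    r"(?:Set|Add)-MpPreference\s+-(?:DisableRealtimeMonitoring|DisableBehaviorMonitoring"
    r"|DisableIOAVProtection|DisableScriptScanning|DisableArchiveScanning"
    r"|ExclusionPath|ExclusionProcess|ExclusionExtension)",
    re.IGNORECASE,
)


@dataclass
class Event:
    event_id: int   # 7045 = service installed (System), 4688 = process creation (Security)
    fields: dict    # assumed field names, see SAMPLE_EVENTS


def normalise_path(image: str) -> str:
    """Extract the executable path from an ImagePath/command string, lower-cased."""
    m = re.match(r'\s*"?(.+?\.exe)\b', image, re.IGNORECASE)
    return (m.group(1) if m else image.strip().strip('"')).lower()


def is_outside_trusted(path: str) -> bool:
    return not any(path.startswith(d) for d in TRUSTED_DIRS)


def in_user_writable(path: str) -> bool:
    return any(d in path for d in USER_WRITABLE_DIRS)


def triage(events: list[Event]) -> list[dict]:
    """Return one alert dict per matched rule, in event order."""
    alerts = []
    for ev in events:
        if ev.event_id == 7045:
            path = normalise_path(ev.fields["image_path"])
            if is_outside_trusted(path):
                alerts.append({"rule": "service-binary-outside-trusted-dirs",
                               "service": ev.fields["service_name"], "path": path})
        elif ev.event_id == 4688:
            path = normalise_path(ev.fields["new_process_name"])
            cmd = ev.fields.get("command_line", "")
            m = DEFENDER_TAMPER_RE.search(cmd)
            if m:
                alerts.append({"rule": "defender-tampering", "path": path, "evidence": m.group(0)})
            if in_user_writable(path):
                alerts.append({"rule": "exec-from-user-writable-dir", "path": path})
    return alerts


# Constructed sample events modelled on the behaviours the article describes.
SAMPLE_EVENTS = [
    Event(4688, {"new_process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "command_line": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"}),
    Event(4688, {"new_process_name": r"C:\Users\Public\x.exe", "command_line": r"C:\Users\Public\x.exe"}),
    Event(7045, {"service_name": "SQLlite", "image_path": r"C:\Users\Public\x.exe"}),
    Event(7045, {"service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"}),
    Event(4688, {"new_process_name": r"C:\Program Files\Git\bin\git.exe", "command_line": "git status"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A service named after a well-known component but installed from a user-writable directory, as the sample “SQLlite” entry is, trips the service rule on the path alone; the name look-alike is left to the analyst, because allowlisting service names is brittle across estates.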