A newly uncovered cyber campaign featuring the open-source tool Nezha has been observed targeting vulnerable web applications.
Beginning in August 2025, Huntress analysts traced a sophisticated intrusion that used creative log poisoning techniques to implant a PHP web shell, later managed with AntSword and followed by the installation of both the Nezha agent and Ghost RAT malware.
The discovery marks the first public reporting of Nezha being used to facilitate web server compromises. The monitoring and task-management utility, typically employed for legitimate system administration, was repurposed by threat actors linked to China-based infrastructure.
How the Attack Unfolded
Huntress investigators found that the attackers gained access through a phpMyAdmin panel exposed to the internet.
Using an AWS-hosted IP, they switched the interface language to Simplified Chinese before executing a series of SQL commands. These actions enabled the general query log in MariaDB and directed it to write to a .php file, effectively planting a hidden backdoor within normal log data.
The intruders then controlled the compromised web server using AntSword, downloading a file named “live.exe,” which turned out to be the Nezha agent. Once installed, this agent connected to a command server at c.mid[.]al, allowing remote monitoring and task execution.
“This incident highlights the requirement to ensure that public-facing applications are patched,” Huntress researchers said.
“By understanding the step-by-step process used by attackers like this, we can better tune our tools.”
Huntress found that more than 100 victim systems were communicating with the attacker’s Nezha dashboard.
Most affected machines were located in Taiwan, Japan, South Korea and Hong Kong. Analysts also noted a small number of infections worldwide, including in the US, India and several European nations.
The attackers used Nezha to run PowerShell commands that disabled Windows Defender scans before deploying “x.exe,” a variant of Ghost RAT.
The malware established persistence under the name “SQLlite” and communicated with command-and-control (C2) domains registered through China-linked entities.
Protective Measures
Huntress researchers recommended that organizations take several defensive measures to prevent similar intrusions.
These include:
- Ensuring public-facing applications are patched and hardened
- Making sure authentication is required wherever possible, including in test environments
- Gaining visibility and detection logic to spot post-exploitation activity such as web shells, suspicious service creation and executables running from unusual directories
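As an added example (not code from Huntress or from the report), the Python check below covers the two signals the log-poisoning step described above leaves behind: a MariaDB general-log configuration that points into a web-served path, and query-log statements that reconfigure the log at runtime. The sample variables, log lines and web-root directories are constructed for illustration.

```python
import re

# Constructed sample: the result of `SHOW VARIABLES LIKE 'general_log%'` on a
# hypothetical MariaDB host, flattened into a dict (illustrative values only).
SAMPLE_VARIABLES = {
    "general_log": "ON",
    "general_log_file": "/var/www/html/uploads/access.php",
}

# Constructed sample lines in general-query-log format (illustrative values).
SAMPLE_LOG_LINES = [
    "250801 10:00:01     12 Query     SELECT 1",
    "250801 10:00:02     12 Query     SET GLOBAL general_log_file = '/var/www/html/uploads/access.php'",
    "250801 10:00:03     12 Query     SET GLOBAL general_log = 'ON'",
    "250801 10:00:04     12 Query     SHOW DATABASES",
]

# Assumed web-served directories on the host; adjust to the real deployment.
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/phpmyadmin/")
# Extensions the web server would hand to the PHP interpreter.
EXECUTABLE_EXT = (".php", ".phtml", ".phar")


def check_general_log_config(variables, web_roots=WEB_ROOTS):
    """Return findings when the query log is on and written where a web server
    would execute it. Relative paths land in datadir and are not checked."""
    findings = []
    if variables.get("general_log", "OFF").upper() != "ON":
        return findings
    path = variables.get("general_log_file", "")
    lower = path.lower()
    if lower.endswith(EXECUTABLE_EXT):
        findings.append(f"general_log_file has a web-executable extension: {path}")
    if lower.startswith(web_roots):
        findings.append(f"general_log_file is inside a web root: {path}")
    return findings


# Runtime changes to the query log are rare from a web UI such as phpMyAdmin,
# so any match is worth an analyst's review.
_LOG_RECONFIG = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|@@global\.)?general_log(?:_file)?\s*=", re.IGNORECASE)


def scan_query_log(lines):
    """Return (line_number, statement) pairs that reconfigure the general log."""
    return [(n, ln.strip()) for n, ln in enumerate(lines, 1) if _LOG_RECONFIG.search(ln)]
```

The same two checks can be scheduled against every database host that sits behind a web application, since a log file that is both enabled and web-executable is rarely a legitimate configuration.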
Defenders must remain alert as threat actors continue to blend legitimate software with malicious intent to evade detection.