- Threat actors linked to China used the legitimate tool Nezha to deliver the Malware Gh0st RAT.
- Attackers exploited a vulnerable phpMyAdmin panel and employed log poisoning to install a web shell.
- More than 100 victim machines were compromised, mainly in Taiwan, Japan, South Korea, and Hong Kong.
- The attack involved deploying ANTSWORD web shell and running commands remotely via Nezha.
- The Nezha agent facilitated execution of PowerShell scripts to disable antivirus protections and run Gh0st RAT malware.
In August 2025, threat actors with suspected ties to China used an open-source monitoring tool called Nezha to deploy Gh0st RAT malware on compromised servers. The attackers exploited a publicly exposed phpMyAdmin panel, using a technique called log poisoning to plant a PHP web shell on the targets’ web servers.
This campaign affected over 100 machines, mostly located in Taiwan, Japan, South Korea, and Hong Kong, according to Cybersecurity firm Huntress. The attackers gained entry by setting the phpMyAdmin language to simplified Chinese and enabling SQL query logging, which allowed them to insert a web shell disguised as a log file with a .php extension.
Once the web shell was active, the threat actors used ANTSWORD to control the servers and deployed the Nezha agent, which can remotely execute commands on infected systems by connecting to an external control server. Huntress researchers Jai Minton, James Northey, and Alden Schmidt explained, “This allowed the threat actor to control the web server using ANTSWORD, before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server.”
The Nezha dashboard operated by the attackers was found running in Russian and showed more than 100 victim systems worldwide, including locations such as Singapore, Malaysia, India, the U.K., and the U.S. The deployed Nezha agent then enabled execution of PowerShell scripts that created exclusions in Microsoft Defender Antivirus. This action facilitated the launching of Gh0st RAT, malware commonly linked to Chinese Hacking groups.
Gh0st RAT is deployed via a loader and dropper that configure and start the main malicious process. Huntress noted that this case demonstrates how threat actors increasingly misuse legitimate public tools for malicious purposes due to their ease of use and ability to evade detection.
“While publicly available tooling can be used for legitimate purposes, it’s also commonly abused by threat actors due to the low research cost, ability to provide plausible deniability compared to bespoke malware, and likelihood of being undetected by security products,” the researchers concluded.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- SCO, BRICS Launch New Bank to Bypass US Dollar at 2025 Summit
- Coinbase Staking Approved in New York; CEO Urges More States to Act
- Ethereum’s Fusaka Upgrade Set for November, Boosts Scalability
- Tokenised Gold Demand Soars as Prices Hit Record $4,000 High
- Fireblocks Trust Partners with Bakkt, Galaxy to Boost Crypto Custody
