BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Chinese Hackers Abuse Nezha Tool to Deploy Gh0st RAT Malware

Chinese-linked threat actors leverage Nezha tool to deploy Gh0st RAT malware via phpMyAdmin exploit across Asia-Pacific and beyond

  • Threat actors linked to China used the legitimate tool Nezha to deliver the Malware Gh0st RAT.
  • Attackers exploited a vulnerable phpMyAdmin panel and employed log poisoning to install a web shell.
  • More than 100 victim machines were compromised, mainly in Taiwan, Japan, South Korea, and Hong Kong.
  • The attack involved deploying ANTSWORD web shell and running commands remotely via Nezha.
  • The Nezha agent facilitated execution of PowerShell scripts to disable antivirus protections and run Gh0st RAT malware.

In August 2025, threat actors with suspected ties to China used an open-source monitoring tool called Nezha to deploy Gh0st RAT malware on compromised servers. The attackers exploited a publicly exposed phpMyAdmin panel, using a technique called log poisoning to plant a PHP web shell on the targets’ web servers.

- Advertisement -

This campaign affected over 100 machines, mostly located in Taiwan, Japan, South Korea, and Hong Kong, according to Cybersecurity firm Huntress. The attackers gained entry by setting the phpMyAdmin language to simplified Chinese and enabling SQL query logging, which allowed them to insert a web shell disguised as a log file with a .php extension.

Once the web shell was active, the threat actors used ANTSWORD to control the servers and deployed the Nezha agent, which can remotely execute commands on infected systems by connecting to an external control server. Huntress researchers Jai Minton, James Northey, and Alden Schmidt explained, “This allowed the threat actor to control the web server using ANTSWORD, before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server.”

The Nezha dashboard operated by the attackers was found running in Russian and showed more than 100 victim systems worldwide, including locations such as Singapore, Malaysia, India, the U.K., and the U.S. The deployed Nezha agent then enabled execution of PowerShell scripts that created exclusions in Microsoft Defender Antivirus. This action facilitated the launching of Gh0st RAT, malware commonly linked to Chinese Hacking groups.

Gh0st RAT is deployed via a loader and dropper that configure and start the main malicious process. Huntress noted that this case demonstrates how threat actors increasingly misuse legitimate public tools for malicious purposes due to their ease of use and ability to evade detection.

- Advertisement -

“While publicly available tooling can be used for legitimate purposes, it’s also commonly abused by threat actors due to the low research cost, ability to provide plausible deniability compared to bespoke malware, and likelihood of being undetected by security products,” the researchers concluded.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Trump Slams Fed, Eyes Tech, Expects SpaceX Donation

President Donald Trump characterized the Federal Reserve board as "a little bit hostile" and...

Google Degrades 2M-Device NetNut Botnet Network

Google and law enforcement have degraded the NetNut proxy network, shrinking its pool of...

Tesla Launches Three-Row Model Y L in U.S.

Tesla launched a new three-row Model Y L SUV in the U.S. and Puerto...

Solana’s World flagged as phishing by Cloudflare after complaint

A new Solana prediction market called World has been flagged for "suspected phishing" by...

Analysts See Nvidia as a Bargain Despite Stock Pullback

NVIDIA stock closed July 1 at $197.58, well below its 52-week high, despite a...

Must Read

8 Best Crypto Debit Cards For Spending Your Digital Tokens

What are | How we chose | Best crypto debit cards | Binance Card? | FAQ | Final WordsCrypto debit cards have transformed how...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading