Chinese threat actor Nezha and Gh0stRAT campaign
Campaign
Summary
A Chinese threat actor is carrying out an ongoing Nezha and Gh0stRAT campaign that has compromised more than 100 organizations across six continents. The activity is concentrated in Southeast Asia, especially Taiwan, but victims also appear in Guatemala, Slovakia, and Tanzania. The operation gains access through exposed web panels and log poisoning before loading open-source tools and malware. Its breadth and repeated tool chain make it a sustained intrusion wave rather than a single compromise.
Related Happenings
Chinese threat actor campaigns against Taiwanese critical infrastructure in 2025
Campaign
First: 07.01.2026 16:00
Last: 07.01.2026 16:00
Sources 1
About this happening:
**Chinese cyber threat actors** intensified **campaigns against Taiwanese critical infrastructure** in **2025**, putting **energy**, **healthcare**, **communications**, **administ...
GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Threat Actor Meta
First: 09.12.2025 18:01
Last: 09.12.2025 18:01
Sources 1
About this happening:
**GrayBravo** has expanded **CastleLoader** into a **malware-as-a-service (MaaS)** ecosystem that now includes **CastleBot** and custom **CastleRAT** variants, widening access to...
Suspected China-linked Nezha-to-Gh0st RAT campaign
Campaign
First: 08.10.2025 16:56
Last: 08.10.2025 16:56
Sources 1
About this happening:
A **China-linked** intrusion campaign abused **Nezha** to deliver **Gh0st RAT**, giving the operators remote control over **more than 100 victim machines** across multiple countri...
Nezha agent and Ghost RAT malware activity on compromised web servers
Malware Activity
First: 08.10.2025 16:00
Last: 08.10.2025 16:00
Sources 1
About this happening:
**Nezha** and **Ghost RAT** were installed on compromised web servers, giving attackers remote monitoring, task execution, and persistence. The malware chain mattered because it a...
Timeline
08.10.2025 17:02 2 articles · 7mo ago
Chinese threat actor campaign uses Nezha and Gh0stRAT
Initial Disclosure
A Chinese threat actor campaign using Nezha has compromised more than 100 organizations across six continents since August, with activity concentrated in Southeast Asia including Japan, South Korea, Hong Kong, Singapore, Malaysia, and Taiwan, and with additional victims in Guatemala, Slovakia, and Tanzania. The intrusion chain described for the affected organization used an exposed phpMyAdmin instance, log poisoning to plant a web shell, AntSword to manage the shell, Nezha to run commands through a C2 server, a broad Windows Defender exclusion for the C: folder, and final payload delivery of Gh0stRAT.
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
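The log-poisoning stage of the chain above leaves a trace before the web shell exists: the PHP code has to arrive in a request field that the server writes to a log. The detector below, an added example that is not from the cited report or from any vendor tool, scans combined-format access logs for PHP code in the request line, referer or user-agent and for hits on the phpMyAdmin panel; the log format, the indicator patterns and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined log format (Apache/nginx), assumed here:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# PHP open tags, code-execution functions and request superglobals appearing in
# a field that gets logged is the fingerprint of an attempt to poison the log.
POISON_RE = re.compile(
    r'<\?(php|=)|\b(eval|system|passthru|shell_exec|assert)\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b',
    re.IGNORECASE,
)
PANEL_RE = re.compile(r'/phpmyadmin', re.IGNORECASE)


def scan_line(line):
    """Return a list of (reason, field value) findings for one line, [] if clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    findings = []
    # Percent-decode first so '<%3Fphp' is caught as well as '<?php'.
    for field in ("request", "referer", "ua"):
        value = unquote(m.group(field))
        if POISON_RE.search(value):
            findings.append(("php-code-in-" + field, value))
    if PANEL_RE.search(unquote(m.group("request"))):
        findings.append(("phpmyadmin-access", m.group("request")))
    return findings


def scan_log(lines):
    """Scan many lines; return {line_number: findings} for suspicious lines only."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report


# Constructed sample lines (not taken from the report) exercising each path.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Oct/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Oct/2025:10:02:10 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Oct/2025:10:03:44 +0000] "GET /<?php eval($_POST[x]);?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Oct/2025:10:04:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "<?php system($_GET[c]); ?>"',
    '198.51.100.9 - - [08/Oct/2025:10:05:00 +0000] "GET /%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 404 210 "-" "curl/8.0"',
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 to 5 and leaves the ordinary request on line 1 alone; a 404 on a poisoned request is still a finding, because the code has already been written to the log by then.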