Nezha agent and Ghost RAT malware activity on compromised web servers
Malware Activity
Summary
Nezha and Ghost RAT were installed on compromised web servers, giving attackers remote monitoring, task execution, and persistence. The chain was significant because it also disabled Windows Defender and spread to more than 100 victim systems. Most affected hosts were in Taiwan, Japan, South Korea, and Hong Kong, showing a broad regional footprint.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Dragon Boss Solutions LLC adware malicious update
Malware Activity
First: 16.04.2026 22:07
Last: 16.04.2026 22:07
Sources 1
About this happening:
A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
SystemBC long-running global proxy malware operation
Malware Activity
First: 04.02.2026 18:15
Last: 04.02.2026 18:15
Sources 1
About this happening:
**SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
Nezha post-exploitation remote access campaign
Campaign
First: 22.12.2025 16:30
Last: 22.12.2025 16:30
Sources 1
About this happening:
Attackers are abusing **Nezha** as a **post-exploitation remote access tool**, giving compromised hosts full command control and increasing the risk of **persistence** and **later...
Timeline
- 08.10.2025 16:00 (2 articles): Nezha agent and Ghost RAT malware activity on compromised web servers
Initial Disclosure: Attackers first abused an exposed **phpMyAdmin** panel and **MariaDB** log poisoning to plant a hidden **PHP web shell**. They then used **AntSword** to stage **live.exe**, which installed the **Nezha agent** on the compromised server.
Sources:
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00