CyberHappenings

Nezha Agent Used in Web Application Intrusions

3 unique sources, 4 articles

Summary

A campaign against web applications has been running since August 2025 and abuses Nezha, a legitimate open-source server monitoring tool, as a remote-control implant. Initial access came through exposed phpMyAdmin panels: after logging in, the attackers switched the interface language to simplified Chinese and used SQL commands and log poisoning to plant a PHP web shell on the web server, which they operated with the AntSword web shell manager. From there they installed the Nezha agent and used it to run PowerShell commands that disabled Windows Defender and deployed Gh0st RAT through a loader, configured and started by a dropper. More than 100 organizations on six continents have been affected, most of them in East Asia. The operator is assessed to be a China-nexus threat actor; its Nezha dashboard was observed running in Russian. Nezha provides system visibility and remote management across Windows and Linux, and its agent runs with elevated privileges by design, offering an interactive PowerShell session as NT AUTHORITY\SYSTEM on Windows and root access on Linux. The agent installs silently and only becomes visible when the operator starts issuing commands, so signature-based detection of the tool itself is of little use. The campaign underlines the need for prompt patching and close monitoring of public-facing applications.
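
The initial-access stage above, a SQL console turned into a PHP web shell dropper via log poisoning, leaves a distinctive trail in the database server's own query log. The script below is an added example for this page, not code from the original article or from any tool it names. It assumes the classic MySQL variant of the technique: the attacker points `general_log_file` at a `.php` path under the web root, switches `general_log` on, then issues a query that carries PHP code, which the server writes verbatim into that file. The page does not state which mechanism was used, so the exact queries, the web-root directory names, the sample log excerpt and the sample `SHOW GRANTS` output are all constructed for illustration. The grants check covers the configuration weakness that makes the technique possible at all: a web-facing database account holding SUPER (or SYSTEM_VARIABLES_ADMIN on MySQL 8), which is what `SET GLOBAL` requires.

```python
"""Hunt for MySQL general-log poisoning: a SQL console (phpMyAdmin included)
turned into a PHP web shell dropper.

Stages looked for, in order:
  1. SET GLOBAL general_log_file = '<something under the web root>.php'
  2. SET GLOBAL general_log = 'ON'
  3. a query carrying a PHP open tag, which MySQL writes verbatim into
     the log file, i.e. into a web-served .php file.

Input is MySQL general-log text (or any query audit trail). The mechanism,
the directory names and the sample data are assumptions made for this
example; the page does not spell out how the poisoning was done.
"""
import re
from dataclasses import dataclass, field

# Path fragments that usually sit under a web-served root (assumption).
WEBROOT_HINTS = ("htdocs", "www", "wwwroot", "public_html", "inetpub", "html")

RE_LOG_FILE = re.compile(
    r"SET\s+(?:GLOBAL\s+)?general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
RE_LOG_ON = re.compile(
    r"SET\s+(?:GLOBAL\s+)?general_log\s*=\s*['\"]?(ON|1)\b", re.I)
RE_PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
# Privileges that permit SET GLOBAL: SUPER, or SYSTEM_VARIABLES_ADMIN on
# MySQL 8; ALL PRIVILEGES ON *.* implies them.
RE_RISKY_GRANT = re.compile(
    r"(\bALL PRIVILEGES ON \*\.\*|\bSUPER\b|\bSYSTEM_VARIABLES_ADMIN\b)", re.I)


@dataclass
class Finding:
    line_no: int
    reason: str
    query: str


@dataclass
class PoisoningReport:
    findings: list = field(default_factory=list)
    redirected_to_webroot: bool = False   # stage 1 seen
    enabled_after_redirect: bool = False  # stage 2 seen after stage 1
    php_after_enable: bool = False        # stage 3 seen after stage 2

    @property
    def full_chain(self) -> bool:
        return (self.redirected_to_webroot and self.enabled_after_redirect
                and self.php_after_enable)


def path_in_webroot(path: str) -> bool:
    """True if the log path ends in .php or passes through a web-root dir."""
    p = path.strip().replace("\\", "/").lower()
    return p.endswith(".php") or any(f"/{h}/" in p for h in WEBROOT_HINTS)


def scan_mysql_queries(lines) -> PoisoningReport:
    """Walk general-log lines in order and record the poisoning stages."""
    report = PoisoningReport()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = RE_LOG_FILE.search(line)
        if m and path_in_webroot(m.group(1)):
            report.redirected_to_webroot = True
            report.findings.append(
                Finding(n, f"general_log_file redirected to {m.group(1).strip()}", line))
            continue
        if RE_LOG_ON.search(line) and report.redirected_to_webroot:
            report.enabled_after_redirect = True
            report.findings.append(Finding(n, "general_log enabled after redirect", line))
            continue
        if RE_PHP_TAG.search(line):
            if report.enabled_after_redirect:
                report.php_after_enable = True
            report.findings.append(Finding(n, "PHP open tag inside a SQL query", line))
    return report


def risky_grants(show_grants_output):
    """SHOW GRANTS lines that let an account run SET GLOBAL at all.
    The account phpMyAdmin logs in with should have none of them."""
    return [g for g in show_grants_output if RE_RISKY_GRANT.search(g)]


# Constructed general-log excerpt for this example (not real victim data).
SAMPLE_LOG = """\
2025-10-08T09:12:01.000000Z   17 Query  SELECT @@version
2025-10-08T09:12:05.000000Z   17 Query  SET GLOBAL general_log_file = 'C:/xampp/htdocs/upload/s.php'
2025-10-08T09:12:06.000000Z   17 Query  SET GLOBAL general_log = 'ON'
2025-10-08T09:12:07.000000Z   17 Query  SELECT '<?php @eval($_POST["cmd"]); ?>'
2025-10-08T09:12:08.000000Z   17 Query  SET GLOBAL general_log = 'OFF'
""".splitlines()

# Constructed SHOW GRANTS output for two database accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'readonly'@'localhost'",
]

if __name__ == "__main__":
    rep = scan_mysql_queries(SAMPLE_LOG)
    print("full poisoning chain:", rep.full_chain)
    for f in rep.findings:
        print(f"  line {f.line_no}: {f.reason}")
    print("grants allowing SET GLOBAL:", risky_grants(SAMPLE_GRANTS))
```

The stage ordering matters: a `SET GLOBAL general_log = 'ON'` on its own is routine troubleshooting, and a PHP tag inside a query string can be legitimate application data; it is the redirect of the log file into the web root, followed by the other two, that marks the attack. Note that `secure_file_priv` does not restrict `general_log_file`, so the defence is the grants check plus file-system permissions that keep the mysqld service account out of the web root.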

Timeline

  1. 22.12.2025 16:30 · 1 article

    Nezha Agent Provides Elevated Privileges for Post-Exploitation Access

    The Nezha agent runs with elevated privileges by design: on Windows it provides an interactive PowerShell session as NT AUTHORITY\SYSTEM, on Linux a root shell. It installs silently and only becomes visible once an operator starts issuing commands, which is why signature-based detection of the agent alone does little. With that SYSTEM- or root-level access, threat actors repurpose the tool to execute remote commands, read and write files on the host, and work on the compromised system through interactive shells.

  2. 08.10.2025 16:00 · 4 articles

    Nezha Agent Deployed in Web Application Intrusions

    The campaign began in August 2025 and targets web applications, using the Nezha agent as its remote-control implant. Initial access came through exposed phpMyAdmin panels, where the attackers switched the interface language to simplified Chinese and then used SQL commands and log poisoning to plant a PHP web shell on the web server, which they managed with AntSword. The Nezha agent was then deployed to run PowerShell commands that disabled Windows Defender and deployed Gh0st RAT through a loader, configured and started by a dropper. More than 100 organizations across six continents have been affected, most of them in East Asia, and the operator is assessed to be a China-nexus threat actor whose Nezha dashboard was observed running in Russian. The article's new insight is the repurposing of Nezha, a legitimate open-source server monitoring tool, for full remote control of compromised systems: its agent runs with elevated privileges by design, providing an interactive PowerShell session as NT AUTHORITY\SYSTEM on Windows and root access on Linux, and it installs silently, becoming visible only when the attackers begin issuing commands, which makes signature-based detection of the tool itself ineffective.

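
For the post-exploitation stage described in both timeline entries (an agent running as SYSTEM hands the operator an interactive PowerShell, which is then used to tamper with Defender and stage a payload) the useful telemetry is process creation, not file signatures. The triage script below is an added example, not code from the article or from the Nezha project. It works over records shaped like Sysmon Event ID 1 and assumes that the agent binary is named `nezha-agent.exe`, that a shell launched by a monitoring agent is always worth a look, and that a SYSTEM shell launched by anything other than a short list of expected parents is worth a second look. The binary name, the list of expected parents, the scoring weights and the sample events are assumptions constructed for this example.

```python
"""Triage process-creation telemetry for the post-exploitation stage:
a monitoring agent running as NT AUTHORITY\\SYSTEM hands the operator an
interactive PowerShell, which is then used to tamper with Microsoft
Defender and stage a payload.

Records are shaped like Sysmon Event ID 1 (Image, ParentImage, User,
CommandLine). The agent binary name, the parents allowed to spawn SYSTEM
shells, the weights and the sample events are assumptions constructed for
this example, not indicators taken from the page.
"""
import re
from dataclasses import dataclass

SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents expected to spawn SYSTEM shells on a server (assumption; tune it).
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wsmprovhost.exe"}
# How the Nezha agent is commonly named on Windows (assumption; check inventory).
AGENT_NAMES = {"nezha-agent.exe"}

# Defender tampering: switching protection off or carving out exclusions.
RE_DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+\s+\$?true"
    r"|(?:Add|Set)-MpPreference\s+-Exclusion(?:Path|Process|Extension)"
    r"|\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b",
    re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
RE_ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    user: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent):
    """Return (score, reasons) for one process-creation record."""
    reasons, score = [], 0
    child, parent = basename(ev.image), basename(ev.parent_image)
    is_system = ev.user.lower() in SYSTEM_ACCOUNTS
    if child in SHELLS and parent in AGENT_NAMES:
        score += 60
        reasons.append(f"shell spawned by monitoring agent {parent}")
    elif child in SHELLS and is_system and parent not in EXPECTED_SYSTEM_PARENTS:
        score += 30
        reasons.append(f"SYSTEM shell with unexpected parent {parent}")
    if RE_DEFENDER_TAMPER.search(ev.command_line):
        score += 40
        reasons.append("Defender tampering in command line")
    if RE_ENCODED_PS.search(ev.command_line):
        score += 20
        reasons.append("encoded PowerShell command")
    return score, reasons


def triage(events, threshold=50):
    """Events scoring at or above threshold, highest first."""
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score >= threshold:
            hits.append((score, ev, why))
    return sorted(hits, key=lambda h: -h[0])


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed events: one benign scheduled script, two agent-spawned
# Defender-tampering shells, one ordinary interactive user shell.
SAMPLE_EVENTS = [
    ProcessEvent(PS, r"C:\Windows\System32\svchost.exe", SYSTEM,
                 r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"),
    ProcessEvent(PS, r"C:\ProgramData\nezha\nezha-agent.exe", SYSTEM,
                 "powershell.exe -NoProfile -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcessEvent(PS, r"C:\ProgramData\nezha\nezha-agent.exe", SYSTEM,
                 r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\ProgramData\tmp"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r"CORP\alice", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for score, ev, why in triage(SAMPLE_EVENTS):
        print(f"[{score}] {basename(ev.parent_image)} -> {basename(ev.image)} as {ev.user}")
        for reason in why:
            print("   -", reason)
```

The parent-child relationship carries most of the weight because it survives renaming of the shell and obfuscation of the command line; the Defender and encoding checks only raise the priority. Legitimate monitoring agents do run scripts as SYSTEM, so the expected-parent list and the agent names have to come from your own software inventory rather than from this example.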
Similar Happenings

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy and the Netherlands, as well as Serbian government agencies. The campaign uses spearphishing emails carrying malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems; it has since broadened to include diplomatic entities in Italy and the Netherlands. The vulnerability allows arbitrary code execution on a targeted Windows system once the crafted shortcut is opened, letting the group monitor diplomatic communications and steal sensitive data. Multiple state-sponsored groups and cybercrime gangs have exploited it since March 2025. Microsoft has not released a dedicated patch, but its November updates silently mitigated the issue by making the shortcut Properties dialog display the full Target field rather than only its first 260 characters. ACROS Security has also released an unofficial patch that limits shortcut target strings to 260 characters and warns users about potentially dangerous shortcuts.

Clop extortion campaign targets Oracle E-Business Suite

The **Clop ransomware gang** has expanded its extortion campaign beyond Oracle E-Business Suite (EBS) to target **Gladinet CentreStack file servers**, marking a new wave of data theft attacks as of **December 2025**. CentreStack, used by thousands of businesses across 49 countries, enables secure file sharing via web browsers and mapped drives without a VPN. Curated Intelligence warns that Clop is exploiting an **unknown vulnerability**—potentially a zero-day or unpatched flaw—in Internet-exposed CentreStack servers, with ransom notes left on compromised systems. Over **200 unique IPs** running CentreStack have been identified as potential targets. This follows Clop’s months-long exploitation of the **Oracle EBS zero-day (CVE-2025-61882)**, which has impacted **over 100 organizations**, including Harvard University, The Washington Post, GlobalLogic, LKQ Corporation, and Barts Health NHS Trust. The gang’s pattern of targeting file transfer and enterprise platforms—such as Accellion FTA, GoAnywhere MFT, and MOVEit Transfer—continues, with the U.S. Department of State now offering a **$10 million reward** for information linking Clop’s operations to foreign state sponsorship. The campaign underscores the gang’s persistent focus on high-value enterprise systems, leveraging zero-days and unpatched flaws to exfiltrate sensitive data before demanding ransoms.

Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment

Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427, an authentication bypass, and CVE-2025-4428, a remote code execution flaw. Chained, they let the attackers reach the EPMM server, execute arbitrary code and maintain persistence. A China-nexus espionage group had been exploiting the pair since at least May 15, 2025, shortly after a proof-of-concept exploit was published. The threat actor sent HTTP GET requests to the /mifs/rs/api/v2/ endpoint and passed malicious commands through the ?format= parameter, delivering the malware in segmented, Base64-encoded chunks across separate GET requests. The malware sets consist of distinct loaders that share the same file name, plus malicious listeners that inject and run arbitrary code on the compromised system and enable data exfiltration. Affected releases are the EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1 and 12.5.0.0 and their earlier releases. Organizations are advised to update their EPMM instances, monitor for suspicious activity and restrict access to mobile device management systems.

TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks

TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.