Nezha Agent Used in Web Application Intrusions
Summary
A cyber campaign targeting web applications has been ongoing since August 2025, using the open-source tool Nezha. The campaign exploits vulnerabilities in web applications to implant PHP web shells, which are managed with AntSword. In the observed intrusion, the attackers gained initial access through an internet-exposed phpMyAdmin panel and used SQL commands to enable the database's general query log, then planted the web shell on the web server through log poisoning. After gaining access they set the language to simplified Chinese and deployed the Nezha agent, using it to execute PowerShell commands that disabled Windows Defender and deployed further malware: a loader executed Gh0st RAT, which was configured and started by a dropper. The attacker's Nezha dashboard was observed running in Russian. The campaign has affected over 100 organizations on six continents, primarily in East Asia, with additional infections worldwide, and the attacker is believed to be a China-nexus threat actor. The campaign highlights the need for robust patching and monitoring of public-facing applications.
Timeline
- 08.10.2025 16:00 · 3 articles · 7d ago: Nezha Agent Deployed in Web Application Intrusions
The cyber campaign began in August 2025, targeting web applications using the Nezha agent. The attackers exploited exposed phpMyAdmin panels to plant a PHP web shell, which was managed with AntSword. The Nezha agent was then deployed to execute PowerShell commands, disable Windows Defender, and deploy Gh0st RAT malware. The campaign has affected over 100 organizations across six continents, primarily in East Asia. The attacker is believed to be a China-nexus threat actor. The Nezha dashboard was observed running in Russian, and the attackers used log poisoning to plant the web shell on the web server. The attackers set the language to simplified Chinese after gaining initial access and used a loader to execute Gh0st RAT, which was configured and started by a dropper.
Sources:
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
Information Snippets
- The campaign began in August 2025 and targeted vulnerable web applications.
  First reported: 08.10.2025 16:00 (3 sources, 3 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- Attackers used a phpMyAdmin panel exposed to the internet to gain initial access.
  First reported: 08.10.2025 16:00 (3 sources, 3 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- SQL commands were used to enable the general query log in MariaDB and plant a PHP backdoor.
  First reported: 08.10.2025 16:00 (3 sources, 3 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- AntSword was used to control the compromised web server and deploy the Nezha agent.
  First reported: 08.10.2025 16:00 (3 sources, 3 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The Nezha agent connected to a command server at c.mid[.]al for remote monitoring and task execution.
  First reported: 08.10.2025 16:00 (2 sources, 2 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- Over 100 victim systems were communicating with the attacker's Nezha dashboard.
  First reported: 08.10.2025 16:00 (2 sources, 2 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- Most affected machines were located in Taiwan, Japan, South Korea, and Hong Kong, with additional infections in the US, India, and Europe.
  First reported: 08.10.2025 16:00 (3 sources, 3 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attackers used Nezha to execute PowerShell commands that disabled Windows Defender and deployed Gh0st RAT.
  First reported: 08.10.2025 16:00 (3 sources, 3 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The malware established persistence under the name "SQLlite" and communicated with C2 domains registered through China-linked entities.
  First reported: 08.10.2025 16:00 (2 sources, 2 articles)
  Sources:
  - Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The Nezha agent was used to disable Windows Defender by creating a broad exclusion rule for the C: folder.
  First reported: 08.10.2025 16:56 (2 sources, 2 articles)
  Sources:
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attacker used a log poisoning attack to plant a web shell.
  First reported: 08.10.2025 16:56 (2 sources, 2 articles)
  Sources:
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attacker switched IP addresses after establishing the web shell, potentially handing off access to another threat actor.
  First reported: 08.10.2025 17:02 (1 source, 1 article)
  Sources:
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- The campaign has affected over 100 organizations on six continents, including targets in Guatemala, Slovakia, and Tanzania.
  First reported: 08.10.2025 16:56 (2 sources, 2 articles)
  Sources:
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attacker is believed to be a China-nexus threat actor.
  First reported: 08.10.2025 16:56 (2 sources, 2 articles)
  Sources:
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attacker deployed an infostealer after compromising the web server.
  First reported: 08.10.2025 16:56 (2 sources, 2 articles)
  Sources:
  - China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attackers used log poisoning to plant a web shell on the web server.
  First reported: 08.10.2025 16:56 (1 source, 1 article)
  Sources:
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The Nezha dashboard was observed running in Russian.
  First reported: 08.10.2025 16:56 (1 source, 1 article)
  Sources:
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attackers set the language to simplified Chinese after gaining initial access.
  First reported: 08.10.2025 16:56 (1 source, 1 article)
  Sources:
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The Nezha agent was used to execute an interactive PowerShell script to create Microsoft Defender Antivirus exclusions.
  First reported: 08.10.2025 16:56 (1 source, 1 article)
  Sources:
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
- The attackers used a loader to execute Gh0st RAT, which was configured and started by a dropper.
  First reported: 08.10.2025 16:56 (1 source, 1 article)
  Sources:
  - Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
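The snippets above describe the initial foothold as an exposed phpMyAdmin panel, SQL commands that switched on MariaDB's general query log, and log poisoning that turned that log into a PHP web shell. The following defender-side audit is an added example, not code from the cited reports: it checks the `general_log` / `general_log_file` server variables for the configuration that makes this possible and scans log lines for a PHP open tag. The script extensions, web root and sample log lines are constructed assumptions.

```python
"""Audit for the MariaDB general-query-log abuse described in the snippets above.

Added example, not code from the cited reports. It reads the variables a DBA
gets from `SHOW VARIABLES LIKE 'general_log%'` and flags the setup that makes
log poisoning possible (log ON and written under a web root or with a script
extension), then scans log lines for a PHP open tag. Sample data is constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: suffixes the web server would hand to the PHP interpreter.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
SEVERITY_RANK = {"none": 0, "info": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    severity: str  # "info", "high" or "critical"
    message: str


def _is_under(path: str, root: str) -> bool:
    """True when path is root itself or lies beneath it."""
    p, r = os.path.normpath(path), os.path.normpath(root)
    return p == r or p.startswith(r.rstrip(os.sep) + os.sep)


def audit_general_log(variables: Dict[str, str], web_roots: List[str]) -> List[Finding]:
    """Evaluate general_log / general_log_file against the given web roots."""
    findings: List[Finding] = []
    enabled = variables.get("general_log", "OFF").upper() == "ON"
    log_file = variables.get("general_log_file", "")
    if enabled:
        findings.append(Finding("info", "general_log is ON; rarely needed in production"))
    if os.path.splitext(log_file)[1].lower() in SCRIPT_EXTENSIONS:
        findings.append(Finding("high", f"general_log_file has a script extension: {log_file}"))
    for root in web_roots:
        if log_file and _is_under(log_file, root):
            findings.append(Finding("high", f"general_log_file {log_file} lies under web root {root}"))
    if enabled and any(f.severity == "high" for f in findings):
        findings.append(Finding("critical", "query log is ON and lands in a web-served path: "
                                            "every logged statement becomes server-side code"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity among findings, or 'none' when the list is empty."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


def poisoned_lines(lines: Iterable[str]) -> List[int]:
    """1-based numbers of log lines carrying a PHP open tag."""
    return [n for n, line in enumerate(lines, 1) if PHP_OPEN_TAG.search(line)]


# Constructed sample: the trace an exposed phpMyAdmin session could leave behind.
SUSPECT_VARIABLES = {"general_log": "ON", "general_log_file": "/var/www/html/cache.php"}
SAFE_VARIABLES = {"general_log": "OFF", "general_log_file": "/var/lib/mysql/host.log"}
WEB_ROOTS = ["/var/www/html"]
SAMPLE_LOG = [
    "251008 16:00:01     7 Connect   pma@localhost on",
    "251008 16:00:02     7 Query     SHOW DATABASES",
    "251008 16:00:05     7 Query     SELECT '<?php /* planted */ ?>'",
]
```

Run `audit_general_log(SUSPECT_VARIABLES, WEB_ROOTS)` against the real variables of an internet-reachable MariaDB instance and alert on any "high" or "critical" finding; `poisoned_lines` can be pointed at the actual log file once it has been copied off the host for analysis.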
Similar Happenings
Clop extortion campaign targets Oracle E-Business Suite
The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group, and the emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence; the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite; three of these are critical and three others are exploitable remotely without authentication. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms.
The UK's National Cyber Security Centre (NCSC) has urged Oracle EBS customers to apply the emergency security update Oracle published over the weekend for the critical zero-day vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in the wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days. Harvard University is the first confirmed victim of the recent cybercrime campaign targeting customers of Oracle's E-Business Suite (EBS) solution. The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. The organization believes the incident impacts a limited number of parties associated with a small administrative unit. The vulnerability exploited by the hackers has been patched and there is no evidence of other systems being compromised. Google's Threat Intelligence Group (GTIG) and Mandiant believe dozens of organizations have been targeted.
The cybercriminals behind the Oracle EBS campaign sent out extortion emails to executives at the targeted organizations on behalf of the Cl0p ransomware group, likely due to the reputation it has built after conducting similar campaigns in the past. Those campaigns targeted customers of Cleo, MOVEit, Fortra and Accellion file transfer products. The attacks targeting Oracle EBS customers appear to have involved the exploitation of known and zero-day vulnerabilities, as well as the deployment of sophisticated malware. CrowdStrike reported that exploitation of the software flaws appears to have started on August 9, but Google has seen some indication that the attacks may have begun as early as July 10.
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.
TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks
TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.
Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. 
The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.