Nezha Agent Used in Web Application Intrusions
Summary
Hide ▲
Show ▼
A cyber campaign targeting web applications has been ongoing since August 2025, using the open-source tool Nezha. The campaign exploits vulnerabilities in web applications to implant PHP web shells, which are managed using AntSword. The attackers use Nezha to execute PowerShell commands, disable Windows Defender, and deploy Ghost RAT malware. The campaign has primarily affected systems in East Asia, with additional infections worldwide. The attackers gained access through exposed phpMyAdmin panels, using SQL commands to plant a backdoor. They then used Nezha to execute PowerShell commands that disabled Windows Defender and deployed additional malware. The campaign highlights the need for robust patching and monitoring of public-facing applications. The attacker is believed to be a China-nexus threat actor, and the campaign has affected over 100 organizations on six continents. The Nezha dashboard was observed running in Russian, and the attackers used log poisoning to plant a web shell on the web server. The attackers set the language to simplified Chinese after gaining initial access and used a loader to execute Gh0st RAT, which was configured and started by a dropper.
Timeline
-
08.10.2025 16:00 3 articles · 2h ago
Nezha Agent Deployed in Web Application Intrusions
The cyber campaign began in August 2025, targeting web applications using the Nezha agent. The attackers exploited vulnerabilities in phpMyAdmin panels to plant a PHP web shell, which was managed using AntSword. The Nezha agent was then deployed to execute PowerShell commands, disable Windows Defender, and deploy Ghost RAT malware. The campaign has affected over 100 organizations across six continents, primarily in East Asia. The attacker is believed to be a China-nexus threat actor. The Nezha dashboard was observed running in Russian, and the attackers used log poisoning to plant a web shell on the web server. The attackers set the language to simplified Chinese after gaining initial access and used a loader to execute Gh0st RAT, which was configured and started by a dropper.
Show sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
Information Snippets
-
The campaign began in August 2025 and targeted vulnerable web applications.
First reported: 08.10.2025 16:003 sources, 3 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
Attackers used a phpMyAdmin panel exposed to the internet to gain initial access.
First reported: 08.10.2025 16:003 sources, 3 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
SQL commands were used to enable the general query log in MariaDB and plant a PHP backdoor.
First reported: 08.10.2025 16:003 sources, 3 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
AntSword was used to control the compromised web server and deploy the Nezha agent.
First reported: 08.10.2025 16:003 sources, 3 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The Nezha agent connected to a command server at c.mid[.]al for remote monitoring and task execution.
First reported: 08.10.2025 16:002 sources, 2 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
Over 100 victim systems were communicating with the attacker’s Nezha dashboard.
First reported: 08.10.2025 16:002 sources, 2 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
Most affected machines were located in Taiwan, Japan, South Korea, and Hong Kong, with additional infections in the US, India, and Europe.
First reported: 08.10.2025 16:003 sources, 3 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attackers used Nezha to execute PowerShell commands that disabled Windows Defender and deployed Ghost RAT.
First reported: 08.10.2025 16:003 sources, 3 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The malware established persistence under the name “SQLlite” and communicated with C2 domains registered through China-linked entities.
First reported: 08.10.2025 16:002 sources, 2 articlesShow sources
- Nezha Tool Used in New Cyber Campaign Targeting Web Applications — www.infosecurity-magazine.com — 08.10.2025 16:00
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The Nezha agent was used to disable Windows Defender by creating a broad exclusion rule for the C: folder.
First reported: 08.10.2025 16:562 sources, 2 articlesShow sources
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attacker used a log poisoning attack to plant a web shell.
First reported: 08.10.2025 16:562 sources, 2 articlesShow sources
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attacker switched IP addresses after establishing the web shell, potentially handing off access to another threat actor.
First reported: 08.10.2025 17:021 source, 1 articleShow sources
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
-
The campaign has affected over 100 organizations on six continents, including targets in Guatemala, Slovakia, and Tanzania.
First reported: 08.10.2025 16:562 sources, 2 articlesShow sources
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attacker is believed to be a China-nexus threat actor.
First reported: 08.10.2025 16:562 sources, 2 articlesShow sources
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attacker deployed an infostealer after compromising the web server.
First reported: 08.10.2025 16:562 sources, 2 articlesShow sources
- China-Nexus Actors Weaponize 'Nezha' Open Source Tool — www.darkreading.com — 08.10.2025 17:02
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attackers used log poisoning to plant a web shell on the web server.
First reported: 08.10.2025 16:561 source, 1 articleShow sources
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The Nezha dashboard was observed running in Russian.
First reported: 08.10.2025 16:561 source, 1 articleShow sources
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attackers set the language to simplified Chinese after gaining initial access.
First reported: 08.10.2025 16:561 source, 1 articleShow sources
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The Nezha agent was used to execute an interactive PowerShell script to create Microsoft Defender Antivirus exclusions.
First reported: 08.10.2025 16:561 source, 1 articleShow sources
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
-
The attackers used a loader to execute Gh0st RAT, which was configured and started by a dropper.
First reported: 08.10.2025 16:561 source, 1 articleShow sources
- Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave — thehackernews.com — 08.10.2025 16:56
Similar Happenings
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.
TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks
TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.
Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.
Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure
Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US with charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.