Suspected China-linked Nezha-to-Gh0st RAT campaign

Campaign
First reported
Last updated
Happening score
H score 43
1 unique source, 1 article

Summary


A China-linked intrusion campaign abused Nezha to deliver Gh0st RAT, giving the operators remote control over more than 100 victim machines across multiple countries. The activity was observed in August 2025 and used a multi-step chain that began with exposed web infrastructure. The scale and repeatable delivery flow make the operation a broad campaign, not a one-off compromise.

Related Happenings

Glassworm botnet command-and-control disruption

Malware Activity
First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Webworm expanded European government and South Africa university espionage campaign

Campaign
First: 20.05.2026 14:30 Last: 20.05.2026 14:30 Sources 1

About this happening: Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...

FamousSparrow Azerbaijanian oil-and-gas targeting campaign

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

Timeline

  1. 08.10.2025 16:56 2 articles · 7mo ago

    Suspected China-linked Nezha-to-Gh0st RAT campaign

    Initial Disclosure

    The intrusion began with **log poisoning** against a **vulnerable phpMyAdmin panel**, which let the operators drop a **web shell**. That foothold enabled server control through **ANTSWORD** before the wider malware chain was deployed.
