Nezha post-exploitation remote access campaign
Campaign
Summary
Attackers are abusing Nezha, a legitimate open-source server monitoring tool, as a post-exploitation remote access tool, giving them full command control over compromised hosts and increasing the risk of persistence and lateral movement. The activity spans Windows and Linux environments and can expose SYSTEM/root-level access without requiring an exploit, because the agent runs with those privileges by design. Because the agent stays quiet until operators issue commands, signature-based detection is likely to miss it. A review of the linked dashboard suggested hundreds of endpoints could have been connected.
Related Happenings
Suspected China-linked Nezha-to-Gh0st RAT campaign
Campaign
First: 08.10.2025 16:56
Last: 08.10.2025 16:56
Sources 1
About this happening:
A **China-linked** intrusion campaign abused **Nezha** to deliver **Gh0st RAT**, giving the operators remote control over **more than 100 victim machines** across multiple countri...
Nezha agent and Ghost RAT malware activity on compromised web servers
Malware Activity
First: 08.10.2025 16:00
Last: 08.10.2025 16:00
Sources 1
About this happening:
**Nezha** and **Ghost RAT** were installed on compromised web servers, giving attackers remote monitoring, task execution, and persistence. The malware chain mattered because it a...
Timeline
- 22.12.2025 16:30 · 2 articles
Ontinue reports Nezha post-exploitation access
Technical Analysis Update
Ontinue’s Cyber Defense Center identified attackers abusing Nezha, a legitimate open-source server monitoring tool, as a post-exploitation remote access platform against compromised Windows and Linux systems. By design the agent runs with SYSTEM/root privileges, so it provides that level of access without any exploitation or privilege escalation; it supports command execution, file transfers, and interactive terminal sessions, and it stays hidden until operators begin issuing commands. A review of the exposed dashboard suggested hundreds of endpoints may have been connected.
- Monitoring Tool Nezha Abused For Stealthy Post-Exploitation Access — www.infosecurity-magazine.com — 22.12.2025 16:30