Full Report
Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets. The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web
Analysis Summary
# Tool/Technique: Nezha (Weaponized Open-Source Tool)
## Overview
Nezha is an open-source operation and monitoring tool that has been weaponized by threat actors with suspected Chinese ties to serve as a command and control (C2) mechanism on compromised web servers, facilitating the deployment of further malware like Gh0st RAT.
## Technical Details
- Type: Tool (Weaponized Monitoring Tool)
- Platform: Web Servers (Implied use on compromised PHP-based systems)
- Capabilities: Remote command execution on a web server via its dashboard interface after initial deployment.
- First Seen: Activity observed starting at least in June 2025.
## MITRE ATT&CK Mapping
*The core functionality detailed points primarily to Command and Control (TA0011) and Execution (TA0002) tactics.*
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (Communication via Nezha dashboard)
- TA0002 - Execution
- T1059.002 - Command and Scripting Interpreter: PowerShell (Used for Defender exclusions and launching secondary payloads)
## Functionality
### Core Capabilities
- Remote command execution on compromised web servers via a dashboard interface.
- Used as a staged delivery mechanism after initial web shell compromise.
- Facilitates the execution of interactive PowerShell scripts on the target system.
### Advanced Features
- Used to deploy and run **Gh0st RAT** on infected hosts following the execution of scripts to configure AV exclusions.
- The threat actor was noted to be running their Nezha dashboard interface in Russian, despite suspected Chinese affiliations.
## Indicators of Compromise
- File Hashes: N/A (Tool is open-source, specific deployed files depend on configuration)
- File Names: Nezha agent (deployed payload)
- Registry Keys: N/A
- Network Indicators: C2 Server: `c[.]mid[.]al` (Used by the deployed Nezha agent)
- Behavioral Indicators:
- Exploitation of publicly exposed and vulnerable phpMyAdmin panels.
- Log poisoning/injection technique to plant a PHP web shell into a legitimate log file by setting the log file name to a `.php` extension.
- Use of **ANTSWORD** web shell for initial command execution ("whoami") before deploying Nezha.
- Creating Microsoft Defender Antivirus exclusions via PowerShell scripts.
## Associated Threat Actors
- Threat actors with suspected ties to China.
## Detection Methods
- Signature-based detection: N/A for the open-source tool itself, but signatures for Gh0st RAT payloads are relevant.
- Behavioral detection: Monitoring for the sequence SQL injection -> database log file redirected to a `.php` path -> request to an unknown PHP script, especially when followed by unusual process execution (PowerShell creating Microsoft Defender exclusions).
- YARA rules: N/A
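The behavioral indicators and the detection sequence above can be expressed as a small correlation rule. The following is an added example, not code from the report or from the Nezha project; it runs over constructed sample lines from three sources (a database query log, a web access log and a process-creation log) and only raises the full chain when a log destination is pointed at a `.php` file, that file is then requested over HTTP, and PowerShell subsequently adds a Defender exclusion. The `SET GLOBAL ..._log_file` form is assumed as the MySQL/MariaDB mechanism behind "setting the log file name to a `.php` extension"; `Add-MpPreference` is the real Defender cmdlet for adding exclusions. Event format and source names are assumptions for the example.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample events (not from the report), one per line as "source|timestamp|detail",
# already sorted by time. Path, host and IP values are placeholders.
SAMPLE_EVENTS = [
    "db|2025-08-01T10:00:01|SET GLOBAL general_log_file = '/var/www/html/img/cache.php'",
    "db|2025-08-01T10:00:02|SET GLOBAL general_log = 'ON'",
    'web|2025-08-01T10:00:40|203.0.113.10 - - "POST /img/cache.php HTTP/1.1" 200 512',
    "proc|2025-08-01T10:01:10|powershell.exe -Command Add-MpPreference -ExclusionPath C:\\Users\\Public",
    'web|2025-08-01T10:02:00|198.51.100.5 - - "GET /index.php HTTP/1.1" 200 2048',
]

# Stage 1: a database log destination variable (assumed MySQL-style name) set to a .php path.
LOG_TO_PHP = re.compile(r"SET\s+GLOBAL\s+(\w*log\w*)\s*=\s*'([^']+\.php)'", re.IGNORECASE)
# Stage 2: an HTTP request line; the requested path is compared against poisoned log names.
HTTP_REQ = re.compile(r'"(?:GET|POST)\s+(\S+)')
# Stage 3: PowerShell adding a Defender exclusion (real cmdlet and parameter names).
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.IGNORECASE)


@dataclass
class Finding:
    stage: str
    timestamp: str
    detail: str


def parse_event(line):
    """Split a 'source|timestamp|detail' line; the detail may itself contain '|'."""
    source, ts, detail = line.split("|", 2)
    return source, ts, detail


def correlate(lines):
    """Walk time-ordered events and emit one Finding per matched stage.

    The Defender-exclusion stage is labelled differently depending on whether a
    request to a poisoned log file has already been seen, so a lone exclusion
    (which can be legitimate admin work) is not confused with the full chain.
    """
    findings = []
    poisoned_names = set()   # basenames of log files that were redirected to .php
    shell_requested = False
    for line in lines:
        source, ts, detail = parse_event(line)
        if source == "db":
            m = LOG_TO_PHP.search(detail)
            if m:
                poisoned_names.add(os.path.basename(m.group(2)))
                findings.append(Finding("log_poisoning", ts, f"{m.group(1)} -> {m.group(2)}"))
        elif source == "web":
            m = HTTP_REQ.search(detail)
            if m:
                requested = os.path.basename(m.group(1).split("?", 1)[0])
                if requested in poisoned_names:
                    shell_requested = True
                    findings.append(Finding("webshell_request", ts, m.group(1)))
        elif source == "proc" and DEFENDER_EXCL.search(detail):
            stage = "av_exclusion_after_webshell" if shell_requested else "av_exclusion"
            findings.append(Finding(stage, ts, detail))
    return findings


def chain_detected(findings):
    """True only when all three stages of the reported sequence are present in order."""
    stages = [f.stage for f in findings]
    return ("log_poisoning" in stages
            and "webshell_request" in stages
            and "av_exclusion_after_webshell" in stages)


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.stage:28s} {f.detail}")
    print("full chain detected:", chain_detected(correlate(SAMPLE_EVENTS)))
```

In a real deployment the three sources would be joined on host and a time window rather than read from one list; the point of the rule is that each stage on its own is noisy (admins do change log paths and exclusions), while the ordered combination is specific to the reported chain.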
## Mitigation Strategies
- Patch and secure publicly exposed administrative interfaces, especially phpMyAdmin panels.
- Harden web servers against SQL injection vulnerabilities.
- Enable strict application control to prevent the execution of web shells or unexpected PHP files.
- Monitor for unusual database activity, such as mass data manipulation or high volumes of log file interactions.
- Regularly review Microsoft Defender Antivirus exclusion lists for unauthorized entries.
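One concrete way to act on "prevent the execution of ... unexpected PHP files" is to keep a hash baseline of every PHP file under the web root and audit against it, so a PHP file that appears in an image, upload or log directory (as a poisoned log file would) is flagged immediately. The following is an added example, not code from the report or from the Nezha project; the `demo()` function builds a throwaway web root with constructed files to show the three outcomes (unexpected, modified, missing). Directory and file names in it are placeholders.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def php_files(webroot):
    """Yield every *.php path under webroot, relative to it, using '/' separators.

    Every directory is walked, including ones that should never hold PHP
    (uploads, images, logs), because that is exactly where a planted file lands.
    """
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, webroot).replace(os.sep, "/")


def build_baseline(webroot):
    """Map relative PHP path -> SHA-256 for the current contents of webroot."""
    return {rel: sha256_of(os.path.join(webroot, rel)) for rel in php_files(webroot)}


def audit(webroot, baseline):
    """Compare the current web root against a stored baseline."""
    current = build_baseline(webroot)
    return {
        "unexpected": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a tiny web root, then simulate a new PHP file
    appearing in an image directory and a change to index.php."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        baseline = build_baseline(root)
        # A PHP file that was not there at baseline time (placeholder content).
        with open(os.path.join(root, "img", "cache.php"), "w") as fh:
            fh.write("placeholder\n")
        # A known file whose hash no longer matches.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline should be written from a known-good deployment (for example at release time) and stored off the web server, since a baseline the attacker can rewrite proves nothing; pairing this audit with a web-server rule that refuses to execute PHP outside the application's code directories closes the same gap from the other side.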
## Related Tools/Techniques
- **Gh0st RAT:** Subsequent malware deployed by the actor after Nezha compromise.
- **ANTSWORD:** Used in the initial post-exploitation phase to run commands and deploy Nezha.
- **Log Poisoning/Injection:** The specific technique used to stage the initial web shell execution (T1505.00x family, though not a direct T-number mapping for this specific web shell technique).