The Crown Prince, Nezha
Essential information
- Published
- 03/07/2026 23:26
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- antsword china chopper china-nexus gh0st rat ghost rat log poisoning nezha phpmyadmin web compromise web shell
- Related entities
- 9 indicators, 5 observables, 20 techniques (mitre), 6 malware
Description
Beginning in August 2025, a sophisticated intrusion was discovered where attackers used log poisoning techniques to deploy a web shell on vulnerable phpMyAdmin panels. The threat actors exploited misconfigured web applications to plant China Chopper web shells, controlled via AntSword, before deploying Nezha, an open-source monitoring tool, to facilitate remote command execution. This led to the deployment of Ghost RAT on compromised systems. Analysis revealed over 100 compromised machines, predominantly located in Taiwan, Japan, South Korea, and Hong Kong. The attackers demonstrated technical proficiency through multi-stage operations, utilizing AWS and VPS infrastructure, with indicators pointing to China-nexus threat actors. The campaign highlights increasing abuse of legitimate publicly available tools to achieve malicious objectives while maintaining plausible deniability.