Nezha Tool Used in New Cyber Campaign Targeting Web Applications
Essential information
- Published
- 08/10/2025 15:25
- Modified
- 08/10/2025 16:39
- Tags
- 2025-10-08 antsword china-linked ghost rat log poisoning mariadb nezha phpmyadmin web applications
- Related entities
- 6 techniques (mitre), 2 malware, 6 others
Description
A sophisticated cyber campaign utilizing the open-source Nezha tool has been discovered targeting vulnerable web applications since August 2025. Attackers gained access through an exposed phpMyAdmin panel, employing creative log poisoning techniques to implant a PHP web shell. The intrusion involved the use of AntSword for server control, followed by the installation of Nezha agent and Ghost RAT malware. This marks the first public report of Nezha being used for web server compromises. The campaign, linked to China-based infrastructure, affected over 100 systems, primarily in Taiwan, Japan, South Korea, and Hong Kong. Attackers used Nezha to disable Windows Defender and deploy Ghost RAT, establishing persistence under the name 'SQLlite'. Recommendations include patching public-facing applications, implementing authentication, and improving detection for post-exploitation activities.