216.73.216.86

Nezha Tool Used in New Cyber Campaign Targeting Web Applications

· Published 08/10/2025 15:25 · Modified 08/10/2025 16:39

Export JSON

Essential information

Published
08/10/2025 15:25
Modified
08/10/2025 16:39
Tags
2025-10-08 antsword china-linked ghost rat log poisoning mariadb nezha phpmyadmin web applications
Related entities
6 techniques (mitre), 2 malware, 6 others

Description

A sophisticated cyber campaign utilizing the open-source tool has been discovered targeting vulnerable since August 2025. Attackers gained access through an exposed panel, employing creative techniques to implant a PHP web shell. The intrusion involved the use of for server control, followed by the installation of agent and malware. This marks the first public report of being used for web server compromises. The campaign, linked to China-based infrastructure, affected over 100 systems, primarily in Taiwan, Japan, South Korea, and Hong Kong. Attackers used to disable Windows Defender and deploy , establishing persistence under the name 'SQLlite'. Recommendations include patching public-facing applications, implementing authentication, and improving detection for post-exploitation activities.

External references