The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors
Essential information
- Published
- 09/10/2025 16:38
- Modified
- 09/10/2025 17:02
- Tags
- 2025-10-09, antsword, china chopper, ghost rat, log poisoning, nezha, remote access trojan, server monitoring, web shell
- Related entities
- 11 observables, 1 intrusion set (APT), 20 techniques (MITRE ATT&CK), 2 malware, 3 others
Description
An intrusion campaign combining log poisoning with a previously unreported tool, Nezha, has been uncovered. The attackers exploited an exposed, vulnerable phpMyAdmin interface to write a web shell to disk through log poisoning, then used that foothold to install Nezha, an open-source server monitoring and management tool whose agent, once enrolled to an attacker-controlled dashboard, gives the operator remote command execution on the host without any custom malware. The campaign touched more than 100 victims, primarily in Taiwan, Japan, South Korea, and Hong Kong. On selected hosts the actors followed up with Ghost RAT (Gh0st RAT), a remote access trojan, for deeper control of the compromised systems. The tradecraft and victimology point to a China-nexus threat actor. The practical lessons are to keep administrative interfaces such as phpMyAdmin off the internet or behind strong authentication, and to treat a legitimate monitoring agent appearing on a server without a change record as a likely sign of compromise rather than as benign tooling.
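The report entry says only that the web shell was delivered by "log poisoning" through phpMyAdmin. The variant a practitioner most often sees from a database admin panel is general-query-log poisoning: `SET GLOBAL general_log_file` is pointed at a file inside the web root, `general_log` is switched on, and a harmless-looking `SELECT` whose string literal contains PHP is issued so that the logged statement becomes the web shell. The detector below, an added example written for this page and not code from the report or from the Nezha project, walks a stream of MySQL general-log-format lines, tracks whether the log has been redirected to a web-served path, and scores a PHP payload that arrives while redirected as a probable web shell write. That the campaign used exactly this mechanism is an assumption; the web-root list, the log lines and the China Chopper style payload are all constructed for the example.

```python
"""Detect MySQL general-query-log poisoning: the log file is pointed at a
web-served path, then PHP code is smuggled in through a harmless-looking query.

Added example; the line format mirrors MySQL's general query log and every sample
line below is constructed for illustration, not taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed web roots and extensions a PHP interpreter would serve. Tune per host.
WEB_EXTENSIONS = (".php", ".phtml", ".phar", ".inc")
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/html/",
             "c:/inetpub/", "c:/xampp/htdocs/")

# General log line: <timestamp>  <thread id> <command>\t<argument>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
SET_LOG_FILE_RE = re.compile(r"set\s+(?:global\s+)?general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
SET_LOG_ON_RE = re.compile(r"set\s+(?:global\s+)?general_log\s*=\s*['\"]?(?:on|1)\b", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)  # full open tags only; a bare "<?" is too noisy
WEBSHELL_RE = re.compile(  # China Chopper / AntSword style one-liners
    r"(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*"
    r"(?:\$_(?:POST|GET|REQUEST|COOKIE)\b|base64_decode\s*\()", re.I)


@dataclass
class Finding:
    line_no: int
    thread: str
    reason: str
    statement: str


def parse_line(raw: str):
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def web_exposed(path: str) -> bool:
    """True if a log file at this path would be executed or served by a web server."""
    p = path.strip().replace("\\", "/").lower()
    return p.endswith(WEB_EXTENSIONS) or p.startswith(WEB_ROOTS)


def scan_general_log(lines: Iterable[str]) -> list:
    """Return Findings for statements that form a general_log poisoning chain.

    general_log_file is a GLOBAL variable and phpMyAdmin opens a fresh connection
    per HTTP request, so the redirect state is tracked globally, not per thread.
    """
    findings = []
    redirected_to: Optional[str] = None
    for line_no, raw in enumerate(lines, 1):
        rec = parse_line(raw)
        if rec is None or rec["cmd"].lower() != "query":
            continue
        thread, stmt = rec["thread"], rec["arg"]
        m = SET_LOG_FILE_RE.search(stmt)
        if m:
            target = m.group(1).strip()
            if web_exposed(target):
                redirected_to = target
                findings.append(Finding(line_no, thread,
                                        f"general_log_file pointed at web-served path {target}", stmt))
            else:
                redirected_to = None  # pointed back at a normal log location
        if SET_LOG_ON_RE.search(stmt) and redirected_to:
            findings.append(Finding(line_no, thread,
                                    f"general_log enabled while redirected to {redirected_to}", stmt))
        if PHP_TAG_RE.search(stmt) or WEBSHELL_RE.search(stmt):
            reason = "PHP code inside SQL text"
            if redirected_to:
                reason = f"probable web shell write: PHP code logged into {redirected_to}"
            findings.append(Finding(line_no, thread, reason, stmt))
    return findings


def poisoning_chain_detected(lines: Iterable[str]) -> bool:
    return any(f.reason.startswith("probable web shell write") for f in scan_general_log(lines))


# Constructed sample: an attacker session through phpMyAdmin (one thread per
# request) followed by ordinary application traffic.
SAMPLE_LOG = """\
2025-10-09T14:02:11.120000Z\t   17 Connect\tpma@localhost on  using TCP/IP
2025-10-09T14:02:11.130000Z\t   17 Query\tSELECT @@version
2025-10-09T14:02:30.001000Z\t   18 Query\tSET GLOBAL general_log_file = '/var/www/html/pma/up.php'
2025-10-09T14:02:30.420000Z\t   19 Query\tSET GLOBAL general_log = 'ON'
2025-10-09T14:02:41.007000Z\t   20 Query\tSELECT '<?php @eval($_POST["x"]); ?>'
2025-10-09T14:03:05.000000Z\t   22 Query\tSELECT id, name FROM customers WHERE id = 42
2025-10-09T14:03:10.000000Z\t   23 Query\tSET GLOBAL general_log = 'OFF'
"""

# Constructed benign sample: an admin re-enabling the log at its normal location.
BENIGN_LOG = """\
2025-10-09T09:00:00.000000Z\t    5 Query\tSET GLOBAL general_log_file = '/var/log/mysql/general.log'
2025-10-09T09:00:01.000000Z\t    5 Query\tSET GLOBAL general_log = 'ON'
2025-10-09T09:00:02.000000Z\t    6 Query\tSELECT '<b>hello</b>' AS html
"""

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no} thread {f.thread}: {f.reason}")
    print("chain detected:", poisoning_chain_detected(SAMPLE_LOG.splitlines()))
```

Two caveats matter in practice. First, once `general_log_file` is redirected the server writes the following statements into the web-served file, so the original general log may only ever show the first `SET`; feed the scanner from an audit plugin or a query proxy, or simply alert on the redirect itself. Second, `SET GLOBAL` needs `SUPER` (or `SYSTEM_VARIABLES_ADMIN` on MySQL 8), and `secure_file_priv` does not constrain the general log the way it constrains `SELECT ... INTO OUTFILE`, which is exactly why this path is attractive to an attacker. The cheapest hardening check is therefore whether the account phpMyAdmin logs in with holds that privilege at all.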