216.73.216.170

The Crown Prince, Nezha

· Published 03/07/2026 23:26

Export JSON

Essential information

Published
03/07/2026 23:26
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
antsword china chopper china-nexus gh0st rat ghost rat log poisoning nezha phpmyadmin web compromise web shell
Related entities
9 indicators, 5 observables, 20 techniques (mitre), 6 malware

Description

Beginning in August 2025, a sophisticated intrusion was discovered where attackers used techniques to deploy a on vulnerable panels. The threat actors exploited misconfigured web applications to plant web shells, controlled via , before deploying , an open-source monitoring tool, to facilitate remote command execution. This led to the deployment of on compromised systems. Analysis revealed over 100 compromised machines, predominantly located in Taiwan, Japan, South Korea, and Hong Kong. The attackers demonstrated technical proficiency through multi-stage operations, utilizing AWS and VPS infrastructure, with indicators pointing to threat actors. The campaign highlights increasing abuse of legitimate publicly available tools to achieve malicious objectives while maintaining plausible deniability.

External references