Nezha Tool Used in New Cyber Campaign Targeting Web Applications
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A sophisticated cyber campaign utilizing the open-source Nezha tool has been discovered targeting vulnerable web applications since August 2025. Attackers gained access through an exposed phpMyAdmin panel, employing creative log poisoning techniques to implant a PHP web shell. The intrusion involved the use of AntSword for server control, followed by the installation of Nezha agent and Ghost RAT malware. This marks the first public report of Nezha being used for web server compromises. The campaign, linked to China-based infrastructure, affected over 100 systems, primarily in Taiwan, Japan, South Korea, and Hong Kong. Attackers used Nezha to disable Windows Defender and deploy Ghost RAT, establishing persistence under the name 'SQLlite'. Recommendations include patching public-facing applications, implementing authentication, and improving detection for post-exploitation activities.
OPENCTI LABELS :
antsword,ghost rat,phpmyadmin,log poisoning,nezha,mariadb,china-linked,web applications
AI COMMENTARY :
1. Introduction to the Nezha Cyber Campaign
Since August 2025 a campaign has been targeting vulnerable web applications. The attackers gained initial access through publicly exposed phpMyAdmin panels and used log poisoning to write a PHP web shell onto the server, the foothold for everything that followed. This is the first public report of the open-source Nezha monitoring tool being used in a web server compromise.
2. Initial Compromise via phpMyAdmin Exposure
The entry point was a phpMyAdmin panel reachable from the internet in front of a MariaDB instance, exposed without authentication and left unpatched. No SQL injection was needed: the panel's own SQL console lets whoever reaches it run arbitrary statements against the database. Log poisoning in this setting means redirecting a database log (in MariaDB, the general query log) to a file under the web root with a .php extension and then issuing a query whose text contains PHP code; the database process writes the query, PHP code included, into that file, and the web server executes it as a script. Because the file is written by the database service rather than uploaded through the application, controls that only watch for uploads through the web tier never see it.
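The following is an added example, not code from the report or from any of the tools it names. It assumes the log poisoning took the form described above (MariaDB's general query log redirected to a PHP file under the web root, a specific the page itself does not spell out) and shows two checks a defender can run: one over the server's general_log variables, one over files found in the web root. Variable values, paths and log lines are constructed samples.

```python
"""Added example (not from the report): detect MariaDB general-log poisoning.

Assumption not stated on the page: the attacker pointed general_log_file at a
web-served .php path and then ran a query containing PHP code. Sample values
below are constructed.
"""
import re
from pathlib import PurePosixPath

# Extensions the web server hands to the PHP interpreter (assumed Apache/PHP
# defaults; adjust to the local handler configuration).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# One general-log record: timestamp, thread id, command, argument. Covers the
# legacy "250812 10:15:01" stamp and the ISO form newer builds emit.
GENERAL_LOG_LINE = re.compile(
    r"^(\d{6}\s+\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+\d+\s+"
    r"(Query|Connect|Quit|Execute|Prepare)\b"
)


def check_log_variables(variables: dict, webroots: list) -> list:
    """Flag general_log settings that let query text land in a web-served script.

    `variables` is the name -> value mapping that
    SHOW GLOBAL VARIABLES LIKE 'general_log%' returns.
    """
    findings = []
    log_file = variables.get("general_log_file", "")
    enabled = variables.get("general_log", "OFF").upper() == "ON"
    path = PurePosixPath(log_file)
    in_webroot = any(log_file.startswith(root.rstrip("/") + "/") for root in webroots)
    executable_ext = path.suffix.lower() in SCRIPT_EXTENSIONS
    if in_webroot:
        findings.append(f"general_log_file points inside a web root: {log_file}")
    if executable_ext:
        findings.append(f"general_log_file has a script extension: {log_file}")
    if enabled and (in_webroot or executable_ext):
        findings.append("general_log is ON while the log path is web-executable")
    return findings


def scan_webroot_file(path: str, content: str) -> list:
    """Flag a file under the web root that looks like a query log carrying PHP."""
    findings = []
    lines = content.splitlines()
    header = lines[:3]
    looks_like_log = any(GENERAL_LOG_LINE.match(ln) for ln in lines) or any(
        ln.startswith(("Time ", "Tcp port:")) or ", Version:" in ln for ln in header
    )
    if not looks_like_log:
        return findings
    if PurePosixPath(path).suffix.lower() in SCRIPT_EXTENSIONS:
        findings.append(f"{path}: query-log format stored under a script extension")
    if any(PHP_TAG.search(ln) for ln in lines):
        findings.append(f"{path}: PHP tag embedded in a query-log line")
    return findings


# Constructed samples: what an attacker leaves behind after poisoning the log.
SAMPLE_VARIABLES = {
    "general_log": "ON",
    "general_log_file": "/var/www/html/phpmyadmin/tmp/cache.php",
}
SAMPLE_POISONED_FILE = "\n".join([
    "/usr/sbin/mariadbd, Version: 10.6.18-MariaDB-0ubuntu0.22.04.1 (Ubuntu 22.04). started with:",
    "Tcp port: 3306  Unix socket: /run/mysqld/mysqld.sock",
    "Time                 Id Command  Argument",
    "250812 10:15:01    12 Query    SELECT 1",
    "250812 10:15:03    12 Query    SELECT '<?php @eval($_POST[\"x\"]); ?>'",
])

if __name__ == "__main__":
    for f in check_log_variables(SAMPLE_VARIABLES, ["/var/www/html"]):
        print("[var]", f)
    for f in scan_webroot_file(SAMPLE_VARIABLES["general_log_file"], SAMPLE_POISONED_FILE):
        print("[file]", f)
```

Two caveats on using this. The general_log_file variable is not governed by secure_file_priv (that setting only restricts LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE), so a locked-down secure_file_priv does not close this path. The durable fix is structural: run the database service under an account that cannot write to the web root, and do not leave phpMyAdmin reachable without authentication.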
3. Weaponization with AntSword, Nezha, and Ghost RAT
With the PHP web shell in place, the intruders connected to it with AntSword, a web shell client that gives interactive file browsing, file upload and command execution on the server. They then installed a Nezha agent pointed at China-linked command and control infrastructure. Nezha is an open-source server monitoring and management tool; its agent gives the operator remote command execution on every enrolled host, and the attackers used that to disable Windows Defender before deploying Ghost RAT. Ghost RAT was installed as a service named SQLlite, a name chosen to pass as database tooling, so that it survives reboots and gives the attackers full remote control of the host.
4. Geographical Reach and China-Linked Infrastructure Analysis
More than 100 systems were affected, concentrated in Taiwan, Japan, South Korea and Hong Kong, and all of them reported to command and control servers linked to China. The clustering of victims in East Asia points to a regional focus. Both the Nezha agents and the Ghost RAT implants used the same China-linked infrastructure, which means the web shell stage, the monitoring agent and the RAT were run by one operator rather than being separate opportunistic compromises.
5. Post-Exploitation Tactics and Persistence Mechanisms
Nezha's remote administration features did the post-exploitation work: the attackers used the agent to switch off Windows Defender on the compromised hosts before dropping the second-stage payload. Ghost RAT was then registered as a Windows service under the name SQLlite, a near miss for SQLite that blends in beside a database stack, so that it restarts automatically after a reboot. The chain, from log poisoning through a web shell client to a repurposed monitoring agent and finally a RAT, shows an operator comfortable with both web application weaknesses and post-exploitation tooling.
6. Strategic Recommendations for Defense
Patch public-facing applications and take database management tools such as phpMyAdmin off the internet, or at least put authentication in front of them; multi-factor authentication blocks most unauthorized access to panels that must stay reachable. On the host, alert on service creation with unexpected or lookalike names such as SQLlite, on changes to Windows Defender settings, and on the installation of remote administration agents such as Nezha that are not part of the approved tooling. On the database side, confirm that the general query log is off or points outside the web root, and watch the web root for newly written PHP files that the application itself did not create; these are the traces log poisoning leaves before the attacker has full control.
7. Conclusion
Nezha's appearance in a web application compromise is another case of an open-source administration tool being repurposed by attackers. The combination of log poisoning, AntSword, a Nezha agent and Ghost RAT persistence in one campaign shows why defenders need threat intelligence on tool reuse alongside the basics: patching, authentication on administrative panels, and detection of post-exploitation activity on the hosts behind them.