Open Source Nezha Tool Weaponised By Hackers To Deploy Gh0st RAT

Chinese-Linked Hackers Turn Legitimate OSS Nezha Into Malware Platform

Threat actors with suspected Chinese links have turned the open source monitoring tool Nezha into a weapon, using it to compromise over 100 systems worldwide and deliver Gh0st RAT.

Threat actors with suspected ties to China have weaponised the legitimate open‑source monitoring tool Nezha to deliver Gh0st RAT, turning a benign OSS project into a potent attack platform. The campaign, observed by cybersecurity company Huntress in August 2025, reportedly compromised over 100 machines, with the highest concentration of infections in Taiwan, Japan, South Korea, and Hong Kong, and additional victims across Singapore, Malaysia, India, the U.K., the U.S., Colombia, Laos, Thailand, Australia, Indonesia, France, Canada, Argentina, Sri Lanka, the Philippines, Ireland, Kenya, and Macao.

Attackers initially exploited a publicly exposed, vulnerable phpMyAdmin panel to gain access. They then used an unusual log poisoning technique: they pointed a log file at a name ending in .php and issued a query containing a one-liner PHP web shell, so that the query text was written into that file and the web server would execute it on request. Huntress explained: “They then issued a query containing their one-liner PHP web shell, causing it to be recorded in the log file. Crucially, they set the log file’s name with a .php extension, allowing it to be executed directly by sending POST requests to the server.”
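One way to hunt for the log-poisoning step described above, offered here as an added example rather than code from Huntress or the article. It assumes the attacker used MySQL's general query log (the standard way to make the database write a query's text to a file whose name the attacker chooses, which is what the quoted description matches) and that the web server writes Apache/Nginx "combined" access logs. Every log line, path and IP address below is constructed for the demo; the executable-extension list is an assumption to adjust to your PHP handler configuration.

```python
"""Hunting for phpMyAdmin/MySQL general-log poisoning.

Added example (not code from Huntress or the article). Assumes MySQL's
general query log was abused and that access logs are in "combined" format.
All log lines, paths and IPs are constructed for the demo.
"""
import re

# Constructed MySQL general log excerpt (format: "time<TAB>id command<TAB>argument").
MYSQL_GENERAL_LOG = """\
2025-08-12T10:15:20.000001Z\t   12 Connect\tpma@localhost on  using TCP/IP
2025-08-12T10:15:21.000002Z\t   12 Query\tSET GLOBAL general_log_file = '/var/www/html/phpmyadmin/tmp/s.php'
2025-08-12T10:15:21.500003Z\t   12 Query\tSET GLOBAL general_log = 'ON'
2025-08-12T10:15:22.000004Z\t   12 Query\tSELECT '<?php @eval($_POST["cmd"]); ?>'
2025-08-12T10:16:00.000005Z\t   13 Query\tSELECT COUNT(*) FROM users
"""

# Constructed web server access log ("combined" format).
ACCESS_LOG = """\
198.51.100.4 - - [12/Aug/2025:10:16:30 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:17:03 +0000] "POST /phpmyadmin/tmp/s.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2025:10:17:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

QUERY_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<id>\d+) Query\t(?P<sql>.*)$")
LOGFILE_RE = re.compile(r"general_log_file\s*=\s*['\"]?(?P<path>[^'\";\s]+)", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Extensions the web server would hand to the PHP interpreter (assumption; match your handler config).
EXECUTABLE_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")


def poisoned_log_files(mysql_log):
    """Paths that general_log_file was pointed at which end in an executable extension."""
    found = []
    for line in mysql_log.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        f = LOGFILE_RE.search(m.group("sql"))
        if f and f.group("path").lower().endswith(EXECUTABLE_EXTS):
            found.append(f.group("path"))
    return found


def webshell_queries(mysql_log):
    """(connection id, sql) for queries carrying a PHP open tag, i.e. the payload being 'logged'."""
    hits = []
    for line in mysql_log.splitlines():
        m = QUERY_RE.match(line)
        if m and PHP_TAG_RE.search(m.group("sql")):
            hits.append((int(m.group("id")), m.group("sql")))
    return hits


def requests_to_poisoned_files(access_log, poisoned_paths):
    """(client ip, method, url path) for requests whose URL path is a suffix of a poisoned file path.

    Suffix matching avoids needing the document root: /var/www/html/x/s.php serves /x/s.php.
    """
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url_path = m.group("path").split("?", 1)[0]
        if any(p.endswith(url_path) for p in poisoned_paths):
            hits.append((m.group("ip"), m.group("method"), url_path))
    return hits


def analyze(mysql_log=MYSQL_GENERAL_LOG, access_log=ACCESS_LOG):
    """Correlate the three signals: log redirected to a .php file, PHP payload in a query, requests to it."""
    poisoned = poisoned_log_files(mysql_log)
    return {
        "poisoned_log_files": poisoned,
        "webshell_queries": webshell_queries(mysql_log),
        "requests_to_poisoned_files": requests_to_poisoned_files(access_log, poisoned),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key)
        for item in value:
            print("  ", item)
```

Any single signal on its own is noisy (a DBA may legitimately move the general log, and `<?php` can appear in stored content), but a general_log_file pointing at a web-served path with an executable extension, followed by a query carrying a PHP tag and then requests to that path, is the whole chain the article describes and is worth an alert on its own.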

The threat actors deployed an ANTSWORD web shell to check privileges and then delivered the Nezha agent, which connected to an external server (c.mid[.]al) and executed PowerShell scripts to bypass Microsoft Defender and launch Gh0st RAT. Huntress described the attackers as a “technically proficient adversary,” noting their Nezha dashboard ran in Russian while the server language was simplified Chinese.

Researchers Jai Minton, James Northey, and Alden Schmidt warned: “This activity highlights how attackers are increasingly abusing new and emerging publicly available tooling… While publicly available tooling can be used legitimately, it is also commonly abused due to low research cost and plausible deniability.”

The campaign underscores the dual‑use risk of open source tools, demonstrating that security teams need to treat legitimate open source agents such as Nezha as potential attack vectors in their environments, not just bespoke malware.
