China-Linked Hackers Weaponize Nezha Monitoring Tool and Log Poisoning to Deploy Gh0st RAT on 100+ Systems
In August 2025, researchers from Huntress observed a cyberattack involving the abuse of the legitimate server-monitoring tool Nezha, which was originally designed for system performance tracking. During the campaign, threat actors — allegedly linked to China — repurposed Nezha as a remote administration and malware delivery platform for deploying the notorious Gh0st RAT.
The attack began after the perpetrators compromised a web server using a method known as log poisoning — a technique in which the attacker writes malicious code into a log file and then has that file stored under a PHP file name, so the planted web shell executes in response to a simple HTTP request.
Initial access was gained through an exposed and vulnerable phpMyAdmin panel. Once inside, the intruders switched the interface language to Simplified Chinese and executed a series of SQL queries to enable logging, after which they injected their malicious script.
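The sequence above (enable logging, point the log at a script file, embed PHP in query text) leaves a recognisable trail in the database's own query records. The following is an added detection example, not code from the article or the Huntress report: it scans SQL statements, as a defender might pull them from the MySQL general log or phpMyAdmin's SQL history, and flags the full chain when all three stages appear. The sample statements, paths and rule names are constructed for illustration.

```python
import re
from typing import Iterable

# Constructed sample statements (not taken from the incident); the PHP line is a
# harmless placeholder standing in for whatever payload an intruder would embed.
SAMPLE_STATEMENTS = [
    "SELECT name FROM customers LIMIT 25",
    "SET GLOBAL general_log = 'ON'",
    "SET GLOBAL general_log_file = 'C:/xampp/htdocs/uploads/cache.php'",
    "SELECT '<?php /* placeholder for web shell payload */ ?>'",
    "SHOW VARIABLES LIKE 'general_log%'",
]

# general_log / general_log_file are real MySQL system variables; the rules below
# look for them being changed at runtime rather than via the server config.
ENABLE_LOG = re.compile(r"SET\s+(GLOBAL\s+)?general_log\s*=\s*['\"]?(1|on)['\"]?", re.I)
SET_LOG_FILE = re.compile(r"SET\s+(GLOBAL\s+)?general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)

RULE_ENABLE = "general_log enabled at runtime"
RULE_REDIRECT = "general_log_file redirected to a script extension"
RULE_PHP = "PHP open tag inside SQL text"

def classify(stmt: str) -> list[tuple[str, str]]:
    """Return (severity, rule) hits for a single SQL statement."""
    hits = []
    if ENABLE_LOG.search(stmt):
        hits.append(("medium", RULE_ENABLE))
    m = SET_LOG_FILE.search(stmt)
    if m:
        path = m.group(2).strip()
        if SCRIPT_EXT.search(path):
            hits.append(("high", RULE_REDIRECT))
        else:
            hits.append(("medium", "general_log_file changed at runtime"))
    if PHP_TAG.search(stmt):
        hits.append(("high", RULE_PHP))
    return hits

def scan(statements: Iterable[str]) -> dict:
    """Scan one session's statements; report every hit and whether all three
    stages of the log-poisoning chain were seen together."""
    findings = []
    for stmt in statements:
        findings.extend((sev, rule, stmt) for sev, rule in classify(stmt))
    seen = {rule for _, rule, _ in findings}
    chain = {RULE_ENABLE, RULE_REDIRECT, RULE_PHP} <= seen
    return {"findings": findings, "log_poisoning_chain": chain}

if __name__ == "__main__":
    for sev, rule, stmt in scan(SAMPLE_STATEMENTS)["findings"]:
        print(f"[{sev}] {rule}: {stmt}")
```

In practice the same rules can be fed from a database audit plugin or the web server's access log for the renamed file, and a hit on the full chain from a phpMyAdmin session is a strong trigger for isolating the host.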
Through the web shell, operated with the AntSword client, the attackers confirmed their privilege level using the whoami command and proceeded to install the Nezha agent, which established a connection to an external command-and-control server. Subsequent actions included executing a PowerShell script that disabled Microsoft Defender and launched the Gh0st RAT loader — a remote access trojan frequently employed by Chinese cybercriminal groups.
Although the primary targets were located in Taiwan, Japan, South Korea, and Hong Kong, victims were also identified in over 20 other countries, including Singapore, India, the United Kingdom, the United States, France, and Australia. At least 100 confirmed infections were recorded during the investigation.
The Huntress team believes that additional intrusion vectors were likely exploited, as some compromised systems showed no evidence of phpMyAdmin usage. This assumption is supported by metadata from the deployed Nezha agents, discovered within infrastructures where such tools are typically absent. Based on timestamps of command-and-control connections, researchers suspect the campaign may have begun as early as June 2025, or even earlier.
This operation vividly illustrates how threat actors are increasingly weaponizing legitimate open-source tools for malicious purposes. Leveraging existing software not only reduces the cost of malware development, but also complicates attribution and lowers detection rates by defensive systems. The incident underscores the importance of vigilance toward public utilities — even those originally designed with entirely benign intentions.