Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave
Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets. The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web server. "This allowed the threat actor to control the web server using ANTSWORD, before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server," researchers Jai Minton, James Northey, and Alden Schmidt said in a report shared with The Hacker News.
The attack chain pieced together by Huntress shows that the attackers, described as a "technically proficient adversary," leveraged a publicly exposed and vulnerable phpMyAdmin panel to obtain initial access, and then set the language to simplified Chinese. The threat actors have been subsequently found to access the server SQL query interface and run various SQL commands in quick succession in order to drop a PHP web shell in a directory accessible over the internet after ensuring that the queries are logged to disk by enabling general query logging. "They then issued a query containing their one-liner PHP web shell, causing it to be recorded in the log file," Huntress explained. "Crucially, they set the log file's name with a .php extension, allowing it to be executed directly by sending POST requests to the server."
Activity in August 2025 used log poisoning (log injection) to place a PHP web shell on internet-accessible servers. Attackers exploited a publicly exposed, vulnerable phpMyAdmin panel, changed the language to simplified Chinese, and accessed the SQL query interface. The adversaries enabled general query logging and injected a one-line PHP web shell into logged queries, naming the log file with a .php extension so it could be executed via POST requests. The implanted ANTSWORD web shell allowed credential and privilege checks ("whoami") and facilitated deployment of the open-source Nezha agent, enabling remote command execution and eventual delivery of Gh0st RAT to numerous victims in East Asia.
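As an added defensive example (not code from the Huntress report or The Hacker News), the script below scans MySQL general-query-log lines for the two signals this technique leaves behind: the log file being redirected to a path under a web root or given a server-executable extension, and a query that carries a PHP open tag. It also flags the same redirection of slow_query_log_file, a generalization beyond what the article describes; the sample log lines, web-root list and extension list are constructed assumptions.

```python
import re

# Constructed sample lines in MySQL general-query-log format (timestamp, thread id,
# command, argument); these are made up for this example, not data from the report.
SAMPLE_LOG = """\
2025-08-12T10:01:02.000000Z\t   12 Query\tSET GLOBAL general_log = 'ON'
2025-08-12T10:01:03.000000Z\t   12 Query\tSET GLOBAL general_log_file = '/var/www/html/cache.php'
2025-08-12T10:01:05.000000Z\t   12 Query\tSELECT '<?php /* constructed placeholder, not a working shell */ ?>'
2025-08-12T10:05:00.000000Z\t   13 Query\tSELECT COUNT(*) FROM orders
"""

# Assumed web-served directories and extensions; adjust to the host's real document roots.
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/html/")
EXECUTABLE_EXT = (".php", ".phtml", ".phar")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
# Matches "SET [GLOBAL|SESSION] general_log_file = '...'" and the @@global.variable form;
# slow_query_log_file is included because it can be redirected the same way.
LOGFILE_RE = re.compile(
    r"set\s+(?:global\s+|session\s+)?(?:@@(?:global\.)?)?"
    r"(general_log_file|slow_query_log_file)\s*=\s*['\"]?([^'\";]+)",
    re.IGNORECASE,
)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def scan_general_log(text: str) -> list[dict]:
    """Return one finding per suspicious statement: a log file redirected into a web root
    or given an executable extension, or a query containing a PHP open tag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "Query":
            continue
        arg = m["arg"]
        lf = LOGFILE_RE.search(arg)
        if lf:
            path = lf.group(2).strip()
            if path.lower().endswith(EXECUTABLE_EXT) or path.startswith(WEB_ROOTS):
                findings.append({"line": lineno, "thread": m["tid"],
                                 "rule": "log_file_in_webroot", "path": path})
        if PHP_TAG_RE.search(arg):
            findings.append({"line": lineno, "thread": m["tid"],
                             "rule": "php_tag_in_query", "query": arg[:80]})
    return findings


if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_LOG):
        print(finding)
```

Correlating both rules on the same thread id within a short window, as in the sample, is a much stronger signal than either rule alone, since operators do occasionally relocate the general log legitimately.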
Read at The Hacker News