Chinese hackers use Nezha monitoring tool to spread Gh0st RAT

Threat actors believed to be linked to China are abusing a legitimate open-source tool called Nezha to launch cyberattacks. The monitoring tool is being used to deliver Gh0st RAT, a remote access trojan that gives attackers control of infected computers.

The activity was spotted in August 2025 by cybersecurity company Huntress. The attackers first broke into systems through publicly exposed and vulnerable phpMyAdmin panels, a web interface used to manage MySQL and MariaDB databases. After gaining access, they switched the interface language to simplified Chinese and ran a series of commands that planted a hidden backdoor on the server using a technique called log poisoning.

The method involved changing the database server's logging settings so that queries were written to a log file with a .php extension in a web-accessible directory. Because the web server treats .php files as code, a query containing PHP was recorded into the log and could then be executed simply by requesting the file, giving the hackers control of the server through a web shell managed with the tool AntSword.
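The check a defender would want after reading the above is whether a MySQL or MariaDB instance has been turned into a web shell host this way. The following is an added example, not code from the article or from Huntress: it inspects the output of `SHOW VARIABLES LIKE 'general_log%'` for a general query log that is enabled and pointed at a server-executable file or a web root, and scans a suspected log file for recorded queries carrying PHP open tags. The web-root list, the sample variables and the sample log lines are constructed assumptions for illustration.

```python
"""Detect MySQL/MariaDB general-log poisoning.

The attack redirects the general query log to a .php file under the web
root, then issues a query whose text is PHP; the logged query becomes a
web shell.  This module flags both the dangerous log configuration and
log content that contains PHP open tags.  Example code, not part of the
original article or of Huntress's research.
"""
import re
from pathlib import PurePosixPath

# Extensions a typical PHP-enabled web server will execute (assumption).
WEB_EXEC_EXTS = {".php", ".phtml", ".php5", ".phar"}

# Common web roots on Linux and XAMPP/IIS hosts (assumption, extend per site).
WEB_ROOTS = (
    "/var/www", "/usr/share/nginx/html", "/srv/http",
    "c:/xampp/htdocs", "c:/inetpub/wwwroot",
)

# A logged query should never contain a PHP open tag.
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def _normalize(path: str) -> str:
    """Lower-case and forward-slash a path so Windows and POSIX compare alike."""
    return path.replace("\\", "/").lower()


def check_log_settings(variables: dict[str, str]) -> list[str]:
    """Return findings for a dict built from SHOW VARIABLES LIKE 'general_log%'.

    A log that is OFF is harmless regardless of its path; an ON log is
    flagged if its file is server-executable or lives under a web root.
    """
    findings: list[str] = []
    if variables.get("general_log", "OFF").upper() != "ON":
        return findings
    raw_path = variables.get("general_log_file", "")
    path = _normalize(raw_path)
    if PurePosixPath(path).suffix in WEB_EXEC_EXTS:
        findings.append(f"general_log_file has a server-executable extension: {raw_path}")
    if any(path.startswith(root) for root in WEB_ROOTS):
        findings.append(f"general_log_file is inside a web root: {raw_path}")
    return findings


def find_poisoned_entries(log_text: str) -> list[str]:
    """Return the log lines whose recorded query text contains a PHP open tag."""
    return [line.strip() for line in log_text.splitlines() if PHP_TAG_RE.search(line)]


def triage(variables: dict[str, str], log_text: str) -> dict:
    """Combine both checks; 'suspicious' is True if either check fires."""
    settings = check_log_settings(variables)
    entries = find_poisoned_entries(log_text)
    return {"settings": settings, "entries": entries,
            "suspicious": bool(settings or entries)}


# Constructed sample data: a poisoned configuration and a general-log
# excerpt in MySQL's usual "<timestamp> <id> Query <sql>" layout.
SAMPLE_VARIABLES = {
    "general_log": "ON",
    "general_log_file": "/var/www/html/uploads/cache.php",
}
SAMPLE_LOG = """\
2025-08-14T09:12:01.000000Z\t    8 Connect\troot@localhost on  using TCP/IP
2025-08-14T09:12:02.000000Z\t    8 Query\tSET GLOBAL general_log_file = '/var/www/html/uploads/cache.php'
2025-08-14T09:12:03.000000Z\t    8 Query\tSELECT '<?php echo "constructed sample"; ?>'
2025-08-14T09:12:04.000000Z\t    8 Query\tSHOW DATABASES
"""

if __name__ == "__main__":
    result = triage(SAMPLE_VARIABLES, SAMPLE_LOG)
    for finding in result["settings"]:
        print("CONFIG:", finding)
    for entry in result["entries"]:
        print("LOG   :", entry)
    print("suspicious =", result["suspicious"])
```

In a real investigation the variables dict comes from a database client and the log text from the file named by `general_log_file`; a clean host should yield no findings, while the configuration alone is enough to escalate even before any PHP is found in the log.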

The attackers then installed the Nezha monitoring agent on the compromised server. Though Nezha is normally used for server monitoring and system operations, the hackers used it to run further commands on the infected machines, connecting the agents to a control server at c.mid[.]al.

The attackers then launched a PowerShell script that disabled some antivirus protections and executed Gh0st RAT, a well-known remote access trojan long associated with Chinese-speaking hacker groups. The malware was delivered in a multi-stage process that used a loader and a dropper to install the main payload.

Most of the infections were found in Taiwan, Japan, South Korea, and Hong Kong, but victims were also seen in countries including the United States, the United Kingdom, India, Singapore, Australia, and Canada. Interestingly, the attackers' Nezha dashboard was set to Russian, even though other signs point to a Chinese-speaking group.
