Nezha Tool Used in New Cyber Campaign Targeting Web Applications

Oct. 8, 2025, 4:39 p.m.

Description

A cyber campaign using the open-source Nezha tool has been observed targeting vulnerable web applications since August 2025. Attackers gained initial access through an exposed phpMyAdmin panel and used log poisoning to implant a PHP web shell. They then controlled the server with AntSword before installing the Nezha agent and Ghost RAT malware. This is the first public report of Nezha being used in web server compromises. The campaign, linked to China-based infrastructure, affected over 100 systems, primarily in Taiwan, Japan, South Korea, and Hong Kong. Attackers used Nezha to disable Windows Defender and deploy Ghost RAT, establishing persistence under the name 'SQLlite'. Recommendations include patching public-facing applications, implementing authentication, and improving detection of post-exploitation activity.
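The description names three things a defender can hunt for directly: an administrative panel (phpMyAdmin) reachable from outside, PHP tags arriving in request data that the web server writes to its logs (the log-poisoning primitive), and a Windows service registered under the name 'SQLlite'. The script below is an added example written for this page, not code from the report or from the Nezha project. It assumes Apache/nginx "combined" access-log lines, an RFC 1918 allowlist for "internal" addresses, and a host inventory exported as name/path pairs; every log line and service entry in it is constructed sample data.

```python
"""Hunting helpers for the three indicators the report describes (added example)."""
import re
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format (assumption: your servers log in this format)
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags (long and short-echo forms). Request fields the server logs
# verbatim are where log poisoning plants them.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)

# Networks treated as internal (assumption: RFC 1918 plus loopback)
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Persistence name the report attributes to the campaign (case-insensitive match)
REPORTED_PERSISTENCE_NAMES = {"sqllite"}


def parse_combined(line):
    """Return the log record as a dict, or None if the line is not combined format."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip):
    """True if ip falls inside one of INTERNAL_NETS; malformed addresses count as external."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_log_poisoning(lines):
    """Return one hit per request whose path, Referer or User-Agent carries a PHP tag."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("req", "referer", "ua"):
            if PHP_TAG_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "ts": rec["ts"],
                             "field": field, "value": rec[field]})
                break
    return hits


def find_exposed_admin_panels(lines, admin_prefixes=("/phpmyadmin",)):
    """Return external source IPs that reached an admin panel path with a 2xx/3xx reply."""
    exposed = set()
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = rec["req"].split()
        path = parts[1].lower() if len(parts) >= 2 else ""
        if (not is_internal(rec["ip"]) and path.startswith(admin_prefixes)
                and rec["status"][0] in "23"):
            exposed.add(rec["ip"])
    return sorted(exposed)


def find_suspicious_services(services):
    """Flag inventory entries whose service name matches the reported persistence name."""
    return [s for s in services if s["name"].lower() in REPORTED_PERSISTENCE_NAMES]


# Constructed sample data: documentation-range IPs and an invented binary path
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Aug/2025:10:02:15 +0000] "GET /phpmyadmin/index.php?x=<?php echo 1; ?> HTTP/1.1" 200 420 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Aug/2025:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "<?=1?>"',
    '10.0.0.5 - - [12/Aug/2025:10:04:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Aug/2025:10:05:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 401 120 "-" "curl/8.0"',
]
SAMPLE_SERVICES = [
    {"name": "wuauserv", "path": r"C:\Windows\System32\svchost.exe"},
    {"name": "SQLlite", "path": r"C:\ProgramData\svc\agent.exe"},  # constructed path
]

if __name__ == "__main__":
    for hit in find_log_poisoning(SAMPLE_LOG):
        print("log poisoning:", hit)
    print("admin panel reached from external IPs:", find_exposed_admin_panels(SAMPLE_LOG))
    for svc in find_suspicious_services(SAMPLE_SERVICES):
        print("suspicious service:", svc)
```

Run against real access logs, the second function is the quickest way to confirm whether a phpMyAdmin instance was actually reachable from outside before the first poisoned request arrived; the first function is noisy on scanner traffic, so pair each hit with the web server's own error log to see whether the injected tag ever reached a file PHP later included.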

Date

  • Created: Oct. 8, 2025, 3:25 p.m.
  • Published: Oct. 8, 2025, 3:25 p.m.
  • Modified: Oct. 8, 2025, 4:39 p.m.

Attack Patterns

Additional Information

  • British Indian Ocean Territory
  • Hong Kong
  • India
  • Taiwan
  • Japan
  • United States of America