The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors

Oct. 9, 2025, 5:02 p.m.

Description

A sophisticated cyber intrusion campaign using log poisoning and a new tool called Nezha has been uncovered. The attackers exploited a vulnerable phpMyAdmin interface to deploy a web shell, then installed Nezha, an open-source server monitoring tool that they repurposed for malicious use. The campaign targeted over 100 victims, primarily in Taiwan, Japan, South Korea, and Hong Kong. The threat actors also deployed Ghost RAT, a remote access trojan, to further compromise affected systems. The attack methodology and victimology suggest a China-nexus threat actor, highlighting the need for improved security measures and vigilance against emerging threats.

Date

  • Created: Oct. 9, 2025, 4:38 p.m.
  • Published: Oct. 9, 2025, 4:38 p.m.
  • Modified: Oct. 9, 2025, 5:02 p.m.

Indicators

  • f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16
  • 9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6
  • 82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999
  • 35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3
  • 7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958
  • 38.246.250.201
  • 172.245.52.169
  • 45.207.220.12
  • host.404111.xyz
  • c.mid.al
  • gd.bj2.xyz

Attack Patterns

Additional Information

  • Hong Kong
  • Taiwan
  • Japan