
China-Linked Hackers Weaponise Popular Open-Source Tool to Target 100+ Organisations


Security researchers have uncovered a sophisticated attack campaign where China-nexus threat actors exploited Nezha—a legitimate open-source server monitoring tool with nearly 10,000 GitHub stars—to compromise over 100 organisations, primarily in Taiwan, Japan, South Korea, and Hong Kong.

Cybersecurity firm Huntress discovered the intrusion chain in August 2025; its report is the first public documentation of Nezha being weaponised for web compromises.

The attackers demonstrated advanced technical proficiency by using a creative technique called log poisoning to plant web shells on vulnerable phpMyAdmin installations before deploying the monitoring tool for persistent access.

Nezha has nearly 10,000 stars on GitHub and is used for legitimate server monitoring, primarily by Chinese users but also internationally. Threat actors exploited its benign reputation and its built-in remote command execution capability to gain persistent access to victim networks.

The attack began with threat actors exploiting misconfigured phpMyAdmin panels that lacked proper authentication. Using log poisoning, attackers manipulated database logs to embed a PHP web shell—commonly known as China Chopper—which they then controlled using AntSword, a popular post-exploitation framework.
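The initial foothold described above was an exposed phpMyAdmin panel without proper authentication. The following audit script is an added example, not code from the article or from Huntress: it parses the relevant lines of a phpMyAdmin `config.inc.php` and flags the settings that let a panel be reached without credentials. The configuration keys (`auth_type`, `AllowNoPassword`, `user`, `password`) are real phpMyAdmin settings; the two config fragments are constructed for the example, and the line-oriented regex parser is an assumption that works on the standard `$cfg['Servers'][$i][...]` form rather than a full PHP parser.

```python
import re

# Constructed phpMyAdmin config fragments (not from the article).
# 'config' auth with stored credentials logs every visitor in as that user;
# AllowNoPassword additionally accepts accounts with an empty password.
WEAK_CONFIG = """
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

# The corrected form: cookie auth prompts for credentials on every session.
HARDENED_CONFIG = """
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
"""

# Matches lines of the form $cfg['Servers'][$i]['Key'] = value;
SETTING_RE = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(.+?);")


def parse_settings(config_text: str) -> dict:
    """Return per-server settings as a dict; booleans become bool, strings lose quotes."""
    settings = {}
    for key, raw_value in SETTING_RE.findall(config_text):
        raw_value = raw_value.strip()
        if raw_value.lower() in ("true", "false"):
            settings[key] = raw_value.lower() == "true"
        else:
            settings[key] = raw_value.strip("'\"")
    return settings


def audit(config_text: str) -> list:
    """List the findings that would leave the panel reachable without a login."""
    s = parse_settings(config_text)
    findings = []
    if s.get("auth_type") == "config":
        findings.append("auth_type 'config': every visitor is logged in with the stored credentials")
        if s.get("password", "") == "":
            findings.append("stored password for the auto-login account is empty")
    if s.get("AllowNoPassword") is True:
        findings.append("AllowNoPassword: accounts with an empty password can log in")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(text) or 'no findings'}")
```

Run it against a real `config.inc.php` by reading the file into `audit()`; an empty list means none of the three unauthenticated-access conditions above is present, which does not by itself make the panel safe to expose, only that it will at least ask for a login.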

"This activity highlights how attackers are increasingly abusing new and emerging publicly available tooling as it becomes available to achieve their goals," the Huntress researchers noted. The use of legitimate tools provides plausible deniability compared to custom malware and often evades security products.

After establishing initial access, attackers deployed Nezha, an open-source server monitoring tool, to maintain persistent control. The Nezha agent connected back to attacker-controlled infrastructure, providing real-time system health information and command execution capabilities across victim networks.

Geographic Targeting Reveals Geopolitical Motives

Analysis of the compromised systems revealed a clear geographic focus: Taiwan accounted for 22 victims, Japan 16, South Korea 10, and Hong Kong 8. Notably, only one system was located in Mainland China. This distribution aligns with ongoing geopolitical tensions in the East China Sea and disputes between Hong Kong and Mainland China.

The attackers ultimately deployed Ghost RAT (also known as Gh0st RAT) malware on compromised systems, establishing multiple layers of persistence through Windows services disguised as legitimate SQLite processes.

The malware communicated with infrastructure previously linked to Chinese APT activities, including a variant matching protocols described in recent Zscaler research on Chinese APT groups targeting Tibetan communities.

Protecting Against Multi-Stage Attacks

Organisations can defend against similar attacks by ensuring all public-facing applications require authentication, applying security patches promptly, and monitoring for suspicious behaviours, including unexpected service creation and executables running from unusual directories like Windows\Cursors.

The incident serves as a stark reminder that even test environments require production-level security hardening, as misconfigurations can provide sophisticated adversaries with initial footholds into corporate networks.
