China-affiliated hackers have quietly turned a once-benign open-source network monitoring tool into a remote access beacon.
According to new findings from cybersecurity firm Huntress, the attackers used log poisoning and a web shell to install Nezha, a legitimate remote monitoring/management tool (RMM), as a foothold to deploy Ghost RAT for deeper persistence.
“To our knowledge, this is the first public reporting of Nezha being used to facilitate web compromises,” Huntress researchers Jai Minton, James Northey, and Alden Schmidt, said in a blog post shared with CSO ahead of its publication on Wednesday. “Analysis of the intrusion revealed the threat actor had likely compromised more than 100 victim machines.”
The campaign, first detected in August 2025, primarily targeted victims from Taiwan, Japan, South Korea, and Hong Kong.
Sneaking in through log poisoning
The adversary’s entry began through an exposed “phpMyAdmin” interface that lacked authentication. A DNS change months earlier had inadvertently made it publicly accessible, the researchers added. Once inside, they switched the interface language to Simplified Chinese and immediately began issuing SQL commands via the query interface.
They then abused MariaDB’s general query logging, reconfiguring it to write logs into a .php file within the web directory. In effect, they turned the log file itself into a web shell: SQL queries containing PHP code were recorded and then executed when accessed via HTTP POST. The PHP code reflected a basic evaluation web shell, commonly referred to as the China Chopper web shell.
This “Log Poisoning” technique allowed the attackers to hide the backdoor among normal traffic. After validating the shell, they switched to a different IP address, likely to compartmentalize their operations, and moved to issue commands via AntSword’s virtual terminal.
AntSword is an open-source Chinese web shell management framework (essentially a graphical control panel) for hackers to manage compromised web servers. In this case, it worked as a command station to interact with the planted backdoor China Chopper.
Riding Nezha to Ghost RAT
With the web shell in place, the attackers used AntSword to download two components: “live.exe” (the Nezha agent) and a “config.yml” that pointed to the attacker-controlled domain. The Nezha agent connected back to a management server whose dashboard was running in Russian, presumably to throw off attribution.
Once Nezha was active, the attackers ran an interactive PowerShell session to create Windows Defender exclusions on key system folders. This allowed them to drop and run a Ghost RAT variant from “C:\Windows\Cursors”. The RAT executable also installed a persistence mechanism and used a domain generation algorithm (DGA) for command & control (C2).
Huntress’ analysis showed the Ghost RAT implant had a multi-stage loader, dynamic API resolution, and command blocks consistent with China-nexus APT activities. The team was able to contain the August 2025 incident before attackers could cause significant damage.
“Fortunately, Huntress was able to isolate the system and remediate the incident by removing the web shell, Nezha agent, and malware before the attacker could carry out any further objectives,” the researchers added. Huntress published a set of indicators of compromise (IOCs) tied to the intrusion, including the file name and path for the web shell, Nezha agent, and the Ghost RAT Payload. This incident fits a broader 2025 pattern of threat actors abusing legitimate admin and monitoring tools for persistence on networks.
Earlier this year, Symantec (Broadcom) reported Fog ransomware operators using employee monitoring software Syteca alongside other open-source pen-testing tools like GC2 and Adaptix. Last month, researchers also flagged a red-teaming tool, “Villager,” from a shadowy Chinese firm that they said was ripe for hackers to abuse.
