
Hackers linked to China have quietly turned a benign open-source network monitoring tool into a remote access beacon.
According to new findings from cybersecurity firm Huntress, attackers used log poisoning and a web shell to install Nezha, a legitimate open-source remote monitoring and management (RMM) tool, and then used it to deploy Ghost RAT for persistent access.
“To our knowledge, this is the first public reporting of Nezha being used to facilitate a web compromise,” Huntress researchers Jay Minton, James Northey and Alden Schmidt said in a blog post shared with CSO ahead of its publication on Wednesday. “Analysis of the intrusion revealed that the threat actor potentially compromised over 100 victim machines.”
The campaign, first detected in August 2025, primarily targeted victims in Taiwan, Japan, South Korea, and Hong Kong.
Log poisoning
The adversary’s entry point was an exposed phpMyAdmin interface that required no authentication. Researchers say a DNS change made months earlier had inadvertently exposed it to the internet. Once inside, the attackers switched the interface language to Simplified Chinese and immediately began issuing SQL commands through the query console.
They then abused MariaDB’s general query log, reconfiguring it to write to a .php file inside the web directory. In effect, the log file itself became the web shell: SQL queries containing PHP code were recorded into the file and then executed whenever it was requested over HTTP POST. The PHP code mirrors a basic eval-based web shell, commonly known as China Chopper.
This “log poisoning” technique let the attackers hide a backdoor amid normal web traffic. After validating the shell, they switched to a different IP address, likely to compartmentalize their operations, and went on to issue commands through AntSword’s virtual terminal.
AntSword is an open-source, Chinese-language web shell management framework (essentially a graphical control panel) used to manage compromised web servers. In this case, it served as the console for interacting with the China Chopper-style shell planted in the log file.
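The chain above (redirect the general log into the document root, switch it on, issue a query carrying a PHP tag) leaves a recognizable fingerprint in whatever record of SQL statements a defender can get hold of: a MariaDB audit-plugin log, a database proxy, or the POST bodies phpMyAdmin forwards. The script below is an added example written for this article, not code from Huntress or from the phpMyAdmin or MariaDB projects. It scans a constructed sample written in the general-log layout (the statements, file paths and web roots are illustrative assumptions, not indicators from the report) and flags each step of the log-poisoning sequence, then reports which connection threads performed the full redirect-plus-PHP chain.

```python
import re
from dataclasses import dataclass

# Assumed document roots a query log should never be redirected into; adjust per host.
WEB_ROOTS = ("/var/www/", "/srv/http/", "C:\\xampp\\htdocs\\", "C:\\inetpub\\wwwroot\\")
# Extensions the web server would hand to a script engine.
SERVER_SIDE_EXTS = (".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx")

# Constructed sample in the "YYMMDD HH:MM:SS  thread Command  Argument" layout of a
# MariaDB general query log. The statements imitate the log-poisoning sequence
# described in the article; they are not copied from the Huntress report.
SAMPLE_LOG = """\
250815 09:12:01     7 Connect   root@localhost as anonymous on
250815 09:12:05     7 Query     SHOW VARIABLES LIKE 'general_log%'
250815 09:12:09     7 Query     SET GLOBAL general_log_file = '/var/www/html/phpmyadmin/tmp/shell.php'
250815 09:12:10     7 Query     SET GLOBAL general_log = 'ON'
250815 09:12:14     7 Query     SELECT '<?php @eval($_POST["cmd"]); ?>'
250815 09:12:40     7 Query     SET GLOBAL general_log = 'OFF'
250815 09:13:02     8 Query     SELECT COUNT(*) FROM information_schema.tables
"""

LINE_RE = re.compile(r"^\d{6}\s+\d{2}:\d{2}:\d{2}\s+(\d+)\s+Query\s+(.*)$")
LOGFILE_RE = re.compile(r"\bSET\s+(?:GLOBAL\s+)?general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
LOG_ON_RE = re.compile(r"\bSET\s+(?:GLOBAL\s+)?general_log\s*=\s*['\"]?(?:ON|1)\b", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)

RULE_REDIRECT = "general_log_file redirected into web content"
RULE_ENABLED = "general_log switched on at runtime"
RULE_PHP = "PHP open tag inside SQL statement"


@dataclass(frozen=True)
class Finding:
    thread: int      # MariaDB connection id, so steps can be tied to one session
    rule: str
    statement: str


def risky_log_path(path: str) -> bool:
    """True if the new log path is a server-side script or lives under a web root."""
    p = path.strip().lower().replace("\\", "/")
    roots = tuple(r.lower().replace("\\", "/") for r in WEB_ROOTS)
    return p.endswith(SERVER_SIDE_EXTS) or p.startswith(roots)


def scan_general_log(text: str) -> list[Finding]:
    """Apply the three log-poisoning rules to every Query line in the log text."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # connects, quits, and non-query commands
        thread, stmt = int(m.group(1)), m.group(2).strip()
        redirect = LOGFILE_RE.search(stmt)
        if redirect and risky_log_path(redirect.group(1)):
            findings.append(Finding(thread, RULE_REDIRECT, stmt))
        if LOG_ON_RE.search(stmt):
            findings.append(Finding(thread, RULE_ENABLED, stmt))
        if PHP_TAG_RE.search(stmt):
            findings.append(Finding(thread, RULE_PHP, stmt))
    return findings


def poisoning_threads(findings: list[Finding]) -> set[int]:
    """Threads that both redirected the log and wrote a PHP tag: the complete chain."""
    redirected = {f.thread for f in findings if f.rule == RULE_REDIRECT}
    wrote_php = {f.thread for f in findings if f.rule == RULE_PHP}
    return redirected & wrote_php


if __name__ == "__main__":
    results = scan_general_log(SAMPLE_LOG)
    for f in results:
        print(f"thread {f.thread}: {f.rule}: {f.statement}")
    print("full log-poisoning chain seen in threads:", sorted(poisoning_threads(results)))
```

Each rule on its own is noisy (an administrator may legitimately toggle the general log), which is why the script also reports the per-thread combination. The durable fixes sit outside detection: the mysqld service account should have no write access to the document root, and phpMyAdmin should never be reachable without authentication.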
Nezha ride for Ghost RAT
Through the web shell, the attackers used AntSword to download two components: “live.exe” (the Nezha agent) and a “config.yml” pointing to an attacker-controlled domain. The Nezha agent connected back to a management server whose dashboard was set to Russian, presumably to muddy attribution.
Once Nezha was running, the attackers opened an interactive PowerShell session and created Windows Defender exclusions for key system folders. That let them drop and execute a Ghost RAT variant from “C:\Windows\Cursors”. The RAT executable also installed a persistence mechanism and used a domain generation algorithm (DGA) for command and control (C2).
Huntress’ analysis found that the Ghost RAT implant had a multi-stage loader, dynamic API resolution, and command blocks consistent with China-nexus APT activity. The team contained the August 2025 incident before the attackers could cause significant damage.
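Defender exclusions created from a PowerShell session are logged by Microsoft Defender as Event ID 5007 (configuration change) in the Microsoft-Windows-Windows Defender/Operational channel, and a path exclusion on a system folder such as C:\Windows\Cursors is exactly the kind of change a hunter wants surfaced. The following script is an added example for this article, not code from Huntress or Microsoft. It parses constructed 5007-style messages (the message layout is an approximation of the real event text, and every path in the sample is illustrative, not an indicator from the report) and separates exclusions that deserve immediate review from ordinary ones.

```python
import re
from dataclasses import dataclass

# Locations where a path exclusion almost always means "stage malware here".
# Assumed list for illustration; extend per environment.
SENSITIVE_ROOTS = ("c:\\windows", "c:\\programdata", "c:\\users\\public", "c:\\perflogs")
# Extensions whose exclusion neuters scanning of executable content.
EXEC_EXTS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")

# Matches the "New value" line of a Defender 5007 event for an exclusion key;
# the registry-style layout is an approximation of the real event message.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0",
    re.I,
)


def event_5007(new_value: str) -> str:
    """Build a constructed 5007-style message body for the sample set."""
    return ("Microsoft Defender Antivirus Configuration has changed.\r\n"
            f"\tOld value: \r\n\tNew value: {new_value}")


# Constructed sample events: two system-folder exclusions, a script-extension
# exclusion, a legitimate-looking backup path, and an unrelated setting change.
SAMPLE_EVENTS = [
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.ps1 = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\SQLBackups = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\DisableArchiveScanning = 0x1"),
]


@dataclass(frozen=True)
class Exclusion:
    kind: str        # "paths", "extensions" or "processes"
    value: str
    suspicious: bool
    reason: str


def classify(kind: str, value: str) -> tuple[bool, str]:
    """Decide whether one exclusion warrants review, and say why."""
    v = value.strip().lower().rstrip("\\")
    if kind == "paths":
        if any(v == root or v.startswith(root + "\\") for root in SENSITIVE_ROOTS):
            return True, "path exclusion under a system directory"
        if (len(v) == 2 and v.endswith(":")) or v == "*":
            return True, "whole-drive exclusion"
        return False, ""
    if kind == "extensions":
        if v.lstrip("*") in EXEC_EXTS:
            return True, "exclusion of an executable or script extension"
        return False, ""
    # A process exclusion exempts every file that process touches from scanning.
    return True, "process exclusion disables scanning of everything the process opens"


def parse_defender_events(messages: list[str]) -> list[Exclusion]:
    """Extract exclusion changes from a list of 5007-style message bodies."""
    found: list[Exclusion] = []
    for msg in messages:
        m = EXCLUSION_RE.search(msg)
        if not m:
            continue                          # some other configuration change
        kind, value = m.group(1).lower(), m.group(2).strip()
        suspicious, reason = classify(kind, value)
        found.append(Exclusion(kind, value, suspicious, reason))
    return found


def suspicious_exclusions(messages: list[str]) -> list[Exclusion]:
    return [e for e in parse_defender_events(messages) if e.suspicious]


if __name__ == "__main__":
    for e in parse_defender_events(SAMPLE_EVENTS):
        flag = "REVIEW" if e.suspicious else "ok"
        print(f"[{flag}] {e.kind}: {e.value} {e.reason}")
```

On a live host the same check is a one-liner against the current state (`Get-MpPreference` exposes ExclusionPath, ExclusionExtension and ExclusionProcess), but the event-based version also catches exclusions that were added and later removed, which is how an attacker who cleans up after staging a payload would leave the box.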
“Fortunately, Huntress was able to fix the incident by isolating the system and removing the web shell, Nezha agent, and malware before the attacker could accomplish any further objectives,” the researchers said. Huntress published a set of indicators of compromise (IOCs) associated with the intrusion, including the file names and paths of the web shell, Nezha agent, and Ghost RAT payloads.
The incident fits a broader 2025 pattern of threat actors abusing legitimate administration and monitoring tools to maintain access to victim networks.
Earlier this year, Symantec (Broadcom) reported that Fog ransomware operators were using the employee monitoring software Syteca alongside open-source offensive tools such as GC2 and Adaptix. Last month, researchers also flagged “Villager,” a red-teaming tool attributed to a suspected Chinese firm, which they warned was ripe for abuse by attackers.

