Recent revelations by cybersecurity personnel have exposed a hacking campaign that began in August 2025, indicating that a hacker group associated with China has repurposed the open-source server monitoring tool Nezha for malicious activities. They infiltrated and took control of at least one hundred computers servers distributed across Taiwan, Japan, South Korea, and Hong Kong.
Researchers have warned that the attackers are swift in their actions, with some companies having only a few hours to respond from infection to detection.
Security company Huntress stated that during an investigation into a website breach, they uncovered this wave of attacks. Hackers exploited a vulnerability in a publicly exposed website application as an entry point, gaining control through a Web Shell and deploying Nezha to execute remote server commands for sustained control.
Jai Minton, the Chief Security Operations Analyst at Huntress, compared Nezha to a “TV remote control,” explaining that it allows remote control of a computer anywhere in the world as long as it is connected to the internet. The Nezha control panel acts like a remote, while the Nezha agent installed on the computer serves as the TV.
The attack originated from the exposed and unauthenticated phpMyAdmin interface on the internet. phpMyAdmin is an open-source graphical tool used to manage MySQL and MariaDB databases. In the cases analyzed by Huntress, the victim servers had no authentication mechanism in place, allowing anyone direct access.
Once access was gained, the attackers executed a Log Poisoning attack. They configured the database to store query logs as executable files and sent queries containing Web Shell code. These logs, with a .php extension, allowed the attackers to execute the Web Shell through web requests swiftly, showcasing their skill in this technique.
After establishing the Web Shell, the attackers changed IP addresses and used the AntSword web shell management tool to control the servers.
Nezha was originally a lightweight, open-source server monitoring and task management tool used for system administration. However, this incident reveals hackers using Nezha for post-intrusion penetration and malicious software deployment for the first time.
Huntress discovered that alongside Nezha, the attackers utilized other malicious tools and web shell management software, such as Gh0st RAT and AntSword.
Researchers speculate that the hackers are from mainland China. They observed that the hackers changed the system language to Simplified Chinese in the post-intrusion management interface, and Gh0st RAT and AntSword have been previously used in state-level hacking operations within China. Minton noted similarities between the Gh0st RAT samples observed and previous attacks by China-affiliated hacking groups targeting Tibetan communities.
Huntress analysis revealed that the primary regions affected by the attack were Taiwan, Japan, South Korea, Hong Kong, Singapore, and Malaysia, with Taiwan experiencing the highest number of victims.
The report indicated that the attackers invaded at a rapid pace without clear financial motives, targeting organizations of significant size, including an international media group and a university in Taiwan. This suggests that the attack may have political motives rather than being merely cybercrime.
Huntress estimated that over one hundred organizations have been impacted by the attack, and the number is continually rising. While some attacks were swiftly detected and the Nezha agent removed, the hackers’ efficiency in penetration within a short timeframe is concerning.
The company warned that despite some operational errors by the attackers, they have demonstrated the ability to swiftly infiltrate, maintain long-term access, and utilize a tool that is legitimate but rarely reported on. There is a possibility of a connection to highly capable but low-profile state-level hacking groups within the Chinese Communist regime.
(Adapted from a report by “The Record”)