Nezha Attacks Detection: Open-Source Monitoring Tool Weaponized by China-Nexus Hackers to Deploy Gh0st RAT

Unlock the Secrets of Ethical Hacking!

Ready to dive into the world of offensive security? This course gives you the Black Hat hacker’s perspective, teaching you attack techniques to defend against malicious activity. Learn to hack Android and Windows systems, create undetectable malware and ransomware, and even master spoofing techniques. Start your first hack in just one hour!

Enroll now and gain industry-standard knowledge: Enroll Now!

Chinese hackers are on the rise, increasingly targeting organizations worldwide with sophisticated techniques and multi-stage attack chains. Recent campaigns, such as UNC5221 targeting U.S. legal and tech organizations with the BRICKSTORM backdoor, and UNC6384, which targeted diplomats with PlugX malware, illustrate the growing skill and persistence of these actors.

In August 2025, security researchers observed a new campaign in which China-linked actors used a log poisoning (log injection) technique to install a China Chopper web shell on a web server. Leveraging ANTSWORD for access, the hackers then deployed Nezha, a legitimate open-source monitoring tool, to execute commands before ultimately delivering Gh0st RAT—marking the first publicly reported use of Nezha in web server compromises.

Detect Nezha Attacks

CrowdStrike’s 2025 Global Threat Report highlights the accelerating pace of China-linked cyber operations, reporting a 150% surge in state-sponsored activity and up to a 300% increase in targeted attacks against financial services, media, manufacturing, and industrial sectors. The latest campaign abusing Nezha for malicious purposes reflects this trend, demonstrating how these threat actors continue to innovate and expand their capabilities.

Register for the SOC Prime Platform to tap into an extensive marketplace of 600,000+ detection rules and queries that can be used across industry-leading security analytics solutions, AI-native threat intelligence, and advanced detection engineering capabilities. SOC Prime Platform curates a relevant detection stack to help global organizations safeguard against China-nexus attacks misusing Nezha.

Click the Explore Detections button to reach a set of behavioral rules mapped to the MITRE ATT&CK® framework, along with IOCs and AI-generated rules, compatible with multiple SIEM, EDR, and Data Lake platforms in use.

Explore Detections

To streamline threat investigation, security experts might use Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tag prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

SOC Prime Team has named Nezha attacks the Threat of the Month for October 2025. Security professionals can visit the Active Threats page on the SOC Prime Platform to access everything included — behavior-based rules, IOCs, AI detections, Attack Flow, AI summary, and advanced simulations — all completely free as part of the Threat of the Month.


Analyzing China-Nexus Attacks Using Nezha to Deploy Gh0st RAT

The latest Huntress report details a widespread malicious campaign by China-nexus threat actors, who have exploited the legitimate open-source monitoring tool Nezha to deliver Gh0st RAT malware. Evidence shows that Nezha was used during compromises of over 100 victim machines, mainly across Taiwan, Japan, South Korea, and Hong Kong. Smaller concentrations of attacks were also observed in Singapore, Malaysia, India, the U.K., the U.S., Colombia, Laos, Thailand, Australia, Indonesia, France, Canada, Argentina, Sri Lanka, the Philippines, Ireland, Kenya, and Macao.

Nezha is publicly available and marketed as a lightweight server monitoring and task management tool, but in this campaign, it was repurposed to facilitate malicious activity following web intrusions.

The attack chain began with the exploitation of a publicly exposed and vulnerable phpMyAdmin panel. The attackers set the interface language to Simplified Chinese, and while this was the only observed entry point, metadata from the Nezha installations examined by researchers indicates that additional methods were likely used to gain initial access to systems not running phpMyAdmin.

After gaining access, the Chinese actors leveraged the server's SQL query interface to run multiple SQL commands in rapid succession, ultimately dropping a PHP web shell into an internet-accessible directory. By enabling the database's general query logging and pointing the log file at a name with a .php extension inside the web root, they caused the logged queries, including the PHP payload, to be written to a file the web server would execute, so the web shell could be triggered directly via POST requests.
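The log-poisoning step above leaves a distinctive trace in the database server's own statement history: the general log file is redirected to a web-served path, logging is switched on shortly afterwards, and it all happens in a burst of statements on one connection. The following is an added example written for this page (not code from Huntress, SOC Prime, or the Nezha project) that scans general-log-style lines for that pattern. The line format, the web-root directories, the timing thresholds, and the sample lines are all assumptions constructed for the example; the DBA connection (thread 7) is there to show that an ordinary logging change does not fire.

```python
"""Detect general-query-log poisoning used to plant a PHP web shell.

The log lines below are constructed for this example (general-log style:
"<UTC time> <thread id> <command> <argument>"); they are not from the report.
"""
import re
from datetime import datetime

WEB_ROOTS = ("/var/www/html", "C:/xampp/htdocs")   # served directories (assumed for this example)
EXECUTABLE_EXT = (".php", ".phtml", ".phar")        # extensions the web server would execute
BURST_WINDOW_S = 5           # statements inside this window count toward a burst
BURST_MIN_STATEMENTS = 5     # this many statements in the window is a burst
ENABLE_WINDOW_S = 120        # general_log switched on this soon after a redirect is correlated

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
LOGFILE_RE = re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"]?(?P<path>[^'\";]+)", re.I)
LOGON_RE = re.compile(r"set\s+global\s+general_log\s*=\s*['\"]?(?:on|1)\b", re.I)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "thread": int(m["thread"]), "cmd": m["cmd"].lower(), "arg": m["arg"]}


def _finding(rule, severity, thread, ts, detail):
    return {"rule": rule, "severity": severity, "thread": thread, "time": ts.isoformat(), "detail": detail}


def find_log_poisoning(lines, web_roots=WEB_ROOTS):
    """Return findings for each connection (thread) whose statements match the pattern."""
    per_thread = {}
    for ev in filter(None, map(parse_line, lines)):
        per_thread.setdefault(ev["thread"], []).append(ev)

    findings = []
    for thread, evs in per_thread.items():
        evs.sort(key=lambda e: e["ts"])
        redirect = None   # last suspicious general_log_file change seen on this connection
        for ev in evs:
            if ev["cmd"] != "query":
                continue
            m = LOGFILE_RE.search(ev["arg"])
            if m:
                path = m["path"].strip().replace("\\", "/")
                executable = path.lower().endswith(EXECUTABLE_EXT)
                in_web_root = any(path.lower().startswith(r.lower().rstrip("/") + "/") for r in web_roots)
                if executable or in_web_root:
                    redirect = ev
                    findings.append(_finding("general_log_file_redirected",
                                             "high" if executable else "medium", thread, ev["ts"], path))
                else:
                    redirect = None   # pointed back at a normal log location
            elif LOGON_RE.search(ev["arg"]) and redirect and \
                    (ev["ts"] - redirect["ts"]).total_seconds() <= ENABLE_WINDOW_S:
                findings.append(_finding("general_log_enabled_after_redirect", "critical",
                                         thread, ev["ts"], ev["arg"]))
        # Many statements within a few seconds: the "run multiple SQL commands rapidly" behaviour.
        for i in range(len(evs)):
            j = i
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= BURST_WINDOW_S:
                j += 1
            if j - i >= BURST_MIN_STATEMENTS:
                findings.append(_finding("rapid_statement_burst", "low", thread, evs[i]["ts"],
                                         f"{j - i} statements in {BURST_WINDOW_S}s"))
                break
    return findings


# Constructed sample: thread 7 is a DBA enabling normal query logging; thread 42 is the attacker pattern.
SAMPLE_SQL_LOG = """
2025-08-12T09:00:00Z 7 Query SET GLOBAL general_log_file = '/var/log/mysql/query.log'
2025-08-12T09:00:30Z 7 Query SET GLOBAL general_log = 'ON'
2025-08-12T09:01:10Z 7 Query SELECT COUNT(*) FROM orders
2025-08-12T10:15:01Z 42 Query SHOW VARIABLES LIKE 'general_log%'
2025-08-12T10:15:01Z 42 Query SET GLOBAL general_log_file = '/var/www/html/uploads/cache.php'
2025-08-12T10:15:02Z 42 Query SET GLOBAL general_log = 'ON'
2025-08-12T10:15:02Z 42 Query SELECT '[PHP payload omitted from this constructed sample]'
2025-08-12T10:15:03Z 42 Query SET GLOBAL general_log = 'OFF'
2025-08-12T10:15:04Z 42 Query SET GLOBAL general_log_file = '/var/lib/mysql/host.log'
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_log_poisoning(SAMPLE_SQL_LOG):
        print(f"{f['severity']:8} thread {f['thread']} {f['time']} {f['rule']}: {f['detail']}")
```

Running it reports three findings, all on thread 42: the redirect to `cache.php`, the general log being enabled one second later, and the statement burst; the DBA's redirect to `/var/log/mysql/query.log` is deliberately ignored. The same logic can be fed from phpMyAdmin's own access history or from a database audit plugin, which is the more realistic source on a production host.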

Access via the ANTSWORD web shell allowed the China-nexus actors to perform reconnaissance on the compromised servers, including running the whoami command to determine the privileges of the web server account. This information was used to guide the deployment of the open-source Nezha agent. Once installed, the Nezha agent provided full remote control over the infected host by connecting to an external command-and-control server (“c.mid[.]al”), enabling attackers to execute commands and orchestrate subsequent stages of the campaign.

The Nezha agent was leveraged to run interactive PowerShell scripts, which modified system settings to create exclusions in Microsoft Defender Antivirus, ensuring persistence and reducing the likelihood of detection. These scripts then deployed Gh0st RAT via a loader and dropper, which handled the configuration, installation, and execution of the main malware payload. This multi-stage process illustrates the attackers’ ability to combine legitimate tools with custom scripts to evade defenses, maintain persistence, and achieve operational objectives. The campaign highlights the increasing trend of China-nexus actors abusing publicly available tools, such as Nezha, to expand their attack capabilities and target a wide range of global organizations.
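The two paragraphs above describe host behaviour that endpoint telemetry captures well: a web server process spawning whoami, a monitoring agent spawning PowerShell, Defender exclusions being added, and a lookup of the C2 domain quoted above. Here is an added example written for this page (not code from Huntress, SOC Prime, or the Nezha project) that runs those checks over constructed process and DNS events and then correlates them per host. The event field names follow Sysmon-style naming, the `nezha-agent.exe` binary name is an assumption, and all sample events are invented; the only value taken from the report is the defanged C2 domain.

```python
"""Detection logic for the post-intrusion chain: web-shell reconnaissance, a monitoring
agent spawning PowerShell, Microsoft Defender exclusions, and C2 name resolution.

All events are constructed for this example. Field names mimic Sysmon
(Image, ParentImage, CommandLine, QueryName) but no real telemetry is used.
"""
import re

# Defanged C2 domain quoted in the report, refanged here for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("c.mid[.]al",)}

# Assumed binary name for the Nezha agent on Windows (assumption, not from the report).
AGENT_IMAGES = {"nezha-agent.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WEB_SERVER_IMAGES = {"httpd.exe", "apache.exe", "php-cgi.exe", "php.exe", "w3wp.exe", "nginx.exe"}
RECON_IMAGES = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "net.exe", "tasklist.exe"}

# PowerShell that adds Microsoft Defender exclusions (paths, processes or extensions).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _f(rule, severity, host, evidence):
    return {"rule": rule, "severity": severity, "host": host, "evidence": evidence}


def analyze(events):
    """Run each event through the rules and return a list of findings."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if parent in WEB_SERVER_IMAGES and image in RECON_IMAGES:
                findings.append(_f("web_server_spawned_recon", "high", host, ev["CommandLine"]))
            agent_shell = parent in AGENT_IMAGES and image in SHELL_IMAGES
            if agent_shell:
                findings.append(_f("monitoring_agent_spawned_shell", "medium", host, ev["CommandLine"]))
            if EXCLUSION_RE.search(ev["CommandLine"]):
                # An exclusion added from an agent-spawned shell is the campaign pattern; one added
                # from an interactive admin session still deserves a look, at lower severity.
                findings.append(_f("defender_exclusion_added",
                                   "critical" if agent_shell else "high", host, ev["CommandLine"]))
        elif ev["type"] == "dns" and ev["QueryName"].lower().rstrip(".") in IOC_DOMAINS:
            findings.append(_f("known_c2_domain_lookup", "high", host, ev["QueryName"]))
    return findings


def hosts_with_full_chain(findings):
    """Hosts showing the agent-spawned shell, a Defender exclusion and the C2 lookup together."""
    required = {"monitoring_agent_spawned_shell", "defender_exclusion_added", "known_c2_domain_lookup"}
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if required <= rules)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry from two hosts.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WEB-01", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\xampp\apache\bin\httpd.exe", "CommandLine": "whoami"},
    {"type": "process", "host": "WEB-01", "Image": PS, "ParentImage": r"C:\ProgramData\nezha\nezha-agent.exe",
     "CommandLine": "powershell -NoProfile -Command \"Add-MpPreference -ExclusionPath 'C:\\ProgramData\\svc'\""},
    {"type": "process", "host": "WEB-01", "Image": PS, "ParentImage": r"C:\ProgramData\nezha\nezha-agent.exe",
     "CommandLine": "powershell -NoProfile -Command \"Add-MpPreference -ExclusionProcess 'svc.exe'\""},
    {"type": "dns", "host": "WEB-01", "QueryName": "c.mid.al"},
    # An administrator excluding a build directory from an interactive session: flagged, not the chain.
    {"type": "process", "host": "ADMIN-05", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath 'D:\\Builds'"},
    {"type": "dns", "host": "ADMIN-05", "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['severity']:8} {f['host']:9} {f['rule']}: {f['evidence']}")
    print("full chain on:", hosts_with_full_chain(results))
```

On the sample data WEB-01 produces six findings and is the only host where all three chain elements coincide; ADMIN-05 produces a single high-severity exclusion finding that an analyst can triage on its own. In a real deployment the exclusion rule should also be fed from Defender's own operational log, which records exclusion changes independently of how they were made.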

With Chinese hacking groups largely adopting new offensive tactics and increasing the sophistication of their attacks, organizations are urged to strengthen proactive defenses to identify threats at the earliest attack stages and protect their overall cybersecurity posture. By leveraging SOC Prime’s complete product suite backed by top cybersecurity expertise, AI, automated capabilities, and real-time threat intelligence, organizations can proactively defend against APT attacks and other critical threats they anticipate most. 
