
Hidden in Plain Sight: The Abuse of Nezha and the Ghost RAT That Followed

Amber | Attack Report

Summary

A stealthy cyberattack discovered in August 2025 exploited a phpMyAdmin misconfiguration to launch a widespread infection campaign leveraging the Nezha monitoring tool and Ghost RAT malware. Initially appearing as a minor server issue, the attack rapidly escalated into a global intrusion campaign affecting over 100 systems across Taiwan, Japan, South Korea, and Hong Kong.

The attacker demonstrated exceptional technical proficiency by combining log poisoning, legitimate tool abuse, and stealthy malware deployment. Through these tactics, they transformed trusted administrative utilities into covert remote access tools, enabling sustained espionage and system control.

This campaign emphasizes how seemingly harmless open-source tools and misconfigured infrastructure can be weaponized into highly effective attack chains, turning ordinary systems into footholds for long-term infiltration and lateral movement.


Attack Details

The attack began when a phpMyAdmin database management panel was left publicly accessible due to a DNS misconfiguration that disabled authentication. The intruder accessed the panel from an AWS IP address in Hong Kong, switched the interface to Simplified Chinese, and executed SQL commands to confirm database control.

Exploiting a directory traversal flaw and misconfigured logging, the attacker used a technique known as log poisoning—injecting malicious PHP code into the MariaDB logs, effectively planting a hidden web shell. After confirming access, they pivoted IP addresses, possibly to evade detection or delegate control to another operator.

Once inside, the attacker downloaded and installed Nezha, a legitimate server monitoring utility, using an executable named live.exe hosted on Cloudflare. Though typically benign, Nezha was reconfigured to communicate with a command server in Dublin (HostPapa), using a Russian-language dashboard that lacked authentication. This reappropriation of Nezha gave attackers real-time visibility and remote control of compromised hosts.

In the final stage, Ghost RAT was deployed—a multi-stage remote access trojan featuring a loader, dropper, and main payload. It masqueraded as a Windows service named “SQLlite”, hiding within system directories. The malware maintained persistence, exfiltrated data, and communicated with MoeDove LLC infrastructure, previously associated with malicious domains and Chinese-linked threat actors.

The campaign’s precision, operational security, and infrastructure overlap strongly indicate a well-funded and organized actor, likely with state sponsorship or advanced criminal backing.


Recommendations

  • Secure All Admin Panels and Interfaces: Protect phpMyAdmin, cPanel, and similar tools using strong passwords, multi-factor authentication (MFA), and IP whitelisting. Never expose them directly to the internet.
  • Regularly Patch Systems: Keep web servers, database platforms, and third-party applications updated to close known vulnerabilities.
  • Separate Service Accounts: Run web and database services under distinct user accounts with least privilege permissions.
  • Lock Down Monitoring Tools: Secure legitimate utilities like Nezha with proper authentication, encryption, and access controls.
  • Enhance Endpoint Security: Deploy Next-Gen Antivirus (NGAV) and Endpoint Detection and Response (EDR) solutions to detect log manipulation, web shells, and abnormal processes. Leverage behavioral analytics and machine learning for early detection.
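The log-poisoning step described in Attack Details leaves two things a defender can check for directly: PHP open tags inside a database log (a log has no legitimate reason to contain PHP source) and a MariaDB general_log_file that points into a web-served directory, which is what lets logged rows become a servable script. The following Python is an added example written for this advisory, not code from Hive Pro or from the Nezha or phpMyAdmin projects; the web roots, the log excerpt and the PHP marker are constructed, and the only page-derived value is the htdocs path from the IoC list.

```python
import re

# Added example (not from the advisory): two checks for the log-poisoning
# pattern. Sample log text and web roots below are constructed.

# Matches "<?php" (as a whole word) or the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def find_php_tags(log_text):
    """Return (line_no, stripped line) for every log line carrying a PHP open tag."""
    return [
        (no, line.strip())
        for no, line in enumerate(log_text.splitlines(), start=1)
        if PHP_OPEN_TAG.search(line)
    ]


def _norm(path):
    # Case-fold and unify separators so Windows paths compare reliably.
    return path.replace("/", "\\").rstrip("\\").lower()


def log_in_webroot(general_log_file, webroots):
    """True when the MariaDB general_log_file lives under one of the web roots.

    A .php-named log under htdocs is the setup that turns logged query text
    into an executable page, so this is the configuration check to alert on.
    """
    target = _norm(general_log_file)
    return any(target.startswith(_norm(root) + "\\") for root in webroots)


def assess(general_log_file, webroots, log_text):
    """Combine both checks into one verdict dict suitable for alerting."""
    hits = find_php_tags(log_text)
    exposed = log_in_webroot(general_log_file, webroots)
    if exposed and hits:
        severity = "critical"   # servable log that already contains PHP
    elif exposed or hits:
        severity = "high"
    else:
        severity = "none"
    return {
        "log_in_webroot": exposed,
        "php_lines": [no for no, _ in hits],
        "severity": severity,
    }


# Constructed sample: a MariaDB general-log excerpt in which one statement
# carries a PHP tag (a harmless marker stands in for real injected code).
SAMPLE_LOG = """\
251001 10:02:11     12 Connect   root@localhost as anonymous on mysql
251001 10:02:20     12 Query     SELECT '<?php /* constructed marker */ echo 1; ?>'
251001 10:02:25     12 Query     SHOW DATABASES
"""

if __name__ == "__main__":
    # The log path is the one listed in this advisory's IoCs; web roots are assumed.
    verdict = assess(r"C:\xamp\htdocs\123.php",
                     [r"C:\xamp\htdocs", r"C:\inetpub\wwwroot"],
                     SAMPLE_LOG)
    print(verdict)
```

In practice the log text comes from the file named by `SHOW VARIABLES LIKE 'general_log_file'`, and the web roots from the httpd or IIS configuration; running the path check on a schedule catches the misconfiguration before any query is ever logged into it.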

Indicators of Compromise (IoCs)

SHA256 Hashes

  • f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16
  • 9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6
  • 7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958
  • 82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999
  • 35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3

File Paths

  • C:\xamp\htdocs\123.php
  • C:\Windows\Cursors\x.exe
  • C:\Windows\system32\SQLlite.exe
  • C:\Windows\system32\32138546.dll
  • C:\Windows\Cursors\live.exe

URLs

  • hxxps[:]//rism[.]pages[.]dev/microsoft[.]exe

IPv4 Addresses

  • 54[.]46[.]50[.]255
  • 45[.]207[.]220[.]12
  • 172[.]245[.]52[.]169

Domains

  • c[.]mid[.]al
  • gd[.]bj2[.]xyz

Mutex

  • gd[.]bj2[.]xyz[:]53762[:]SQLlite
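The network indicators above are published defanged (`hxxp`, `[.]`, `[:]`), so they have to be refanged before they can be matched against proxy, DNS or firewall logs, and a naive substring match over-fires on IPs such as 145.207.220.12 or domains that merely end in the same labels. The following Python is an added example for this advisory, not Hive Pro's code: the indicator strings are the page's own, while the log lines are constructed and the log formats are assumed.

```python
import re

# Added example (not from the advisory): refang the published indicators and
# match them against log lines with boundary-aware regexes. Log lines are
# constructed; indicator strings are copied from the IoC list above.

DEFANGED_IOCS = {
    "url": ["hxxps[:]//rism[.]pages[.]dev/microsoft[.]exe"],
    "ipv4": ["54[.]46[.]50[.]255", "45[.]207[.]220[.]12", "172[.]245[.]52[.]169"],
    "domain": ["c[.]mid[.]al", "gd[.]bj2[.]xyz"],
}


def refang(indicator):
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def build_matchers(defanged):
    """Compile one regex per indicator type.

    Domains match themselves or any label beneath them, but not a longer
    name that merely contains them; IPs must not be embedded in longer
    digit runs (so 145.207.220.12 does not hit 45.207.220.12).
    """
    matchers = {}
    for kind, items in defanged.items():
        live = [re.escape(refang(i)) for i in items]
        alt = "|".join(live)
        if kind == "domain":
            # Trailing-dot FQDNs ("gd.bj2.xyz.") still match; "gd.bj2.xyz.example" does not.
            pat = r"(?<![\w.-])(?:[\w-]+\.)*(?:" + alt + r")(?!\.?[\w-])"
        elif kind == "ipv4":
            pat = r"(?<![\d.])(?:" + alt + r")(?![\d.])"
        else:
            pat = alt
        matchers[kind] = re.compile(pat, re.IGNORECASE)
    return matchers


def scan(lines, matchers):
    """Return (line_no, kind, matched_text) for every indicator hit."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for kind, rx in matchers.items():
            for m in rx.finditer(line):
                hits.append((no, kind, m.group(0)))
    return hits


# Constructed sample log lines in assumed proxy / DNS / firewall formats.
SAMPLE_LINES = [
    "2025-08-14T09:12:03Z proxy allow 10.0.0.7 -> https://rism.pages.dev/microsoft.exe 200 bytes=1048576",
    "2025-08-14T09:12:44Z dns query from 10.0.0.7: gd.bj2.xyz. A",
    "2025-08-14T09:13:01Z fw conn 10.0.0.7:51022 -> 45.207.220.12:443 tcp",
    "2025-08-14T09:13:05Z fw conn 10.0.0.7:51023 -> 145.207.220.12:443 tcp",
    "2025-08-14T09:14:10Z dns query from 10.0.0.9: update.microsoft.com. A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES, build_matchers(DEFANGED_IOCS)):
        print(hit)
```

Keeping the indicators defanged in the source and refanging them only at match time avoids accidental clicks and link-scanner fetches when the list is shared; the fourth sample line is there precisely to show that the IP matcher does not fire on a superstring of a listed address.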

MITRE ATT&CK TTPs

  • TA0001 Initial Access: T1190 (Exploit Public-Facing Application)
  • TA0002 Execution: T1059 (Command and Scripting Interpreter)
  • TA0003 Persistence: T1543 (Create or Modify System Process), T1547.001 (Registry Run Keys / Startup Folder)
  • TA0004 Privilege Escalation: T1574.001 (Hijack Execution Flow: DLL)
  • TA0005 Defense Evasion: T1036 (Masquerading), T1027 (Obfuscated Files or Information)
  • TA0007 Discovery: T1046 (Network Service Discovery), T1082 (System Information Discovery), T1033 (System Owner/User Discovery)
  • TA0011 Command and Control: T1071.001 (Web Protocols)
  • TA0042 Resource Development: T1505.003 (Web Shell), T1105 (Ingress Tool Transfer), T1078 (Valid Accounts)
