3 malware familiesExploits CVEs in the wild

suspected_chinese_threat_actors

Also known assuspected_chinese_threat_actors

Suspected Chinese threat actors linked to an intrusion campaign that weaponized the open-source monitoring tool Nezha to facilitate Gh0st RAT deployment. According to the provided reporting, the campaign compromised more than 100 machines, with most victims located in Taiwan, Japan, South Korea, and Hong Kong. Initial access was obtained through an internet-exposed phpMyAdmin panel, after which the attackers used the SQL query interface to execute commands and deploy the ANTSWORD web shell. From ANTSWORD, they delivered Nezha, used it to ensure Microsoft Defender exclusions were in place, and then launched Gh0st RAT. The activity is described only as involving suspected Chinese threat actors; no specific named cluster, aliases beyond the provided label, or sub-groups are identified in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

AntSwordInitial access facilitated by an internet-exposed phpMyAdmin panel enabled attackers to access the server SQL query interface and execute multiple SQL commands, resulting in the deployment of the ANTSWORD web shell.1Mar 18, 2026

gh0st RATNezha, which ensured Microsoft Defender exclusions before launching Gh0st RAT.1Mar 18, 2026

NezhaIntrusions weaponizing the open-source monitoring tool Nezha have been conducted by suspected Chinese threat actors to facilitate Gh0st RAT injections.1Mar 18, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2022-42475FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCEIn the wildEvidence1

For further information, see Mandiant blog post: Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475).

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

scworldNews

Oct 9, 2025

Open-source Nezha tool harnessed in China-nexus hacking campaign

Conducting intrusions by abusing open-source tools (Nezha) to deploy Gh0st RAT, primarily targeting systems in East Asia. The campaign leverages internet-exposed phpMyAdmin panels for initial access, followed by web shell deployment and malware delivery.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.