Nezha
Nezha is an open-source server monitoring, uptime monitoring, and remote management tool that threat actors have repeatedly repurposed as post-exploitation remote access tooling. The reporting summarized here describes Nezha being abused as a RAT/RMM-style foothold: operators can view system health, execute commands, transfer files, open interactive terminal sessions, retrieve detailed information from compromised systems, and manage large numbers of hosts from a central dashboard. It has been observed on Windows, Linux, macOS, and routers, and because its traffic can resemble normal monitoring telemetry, it may help operators avoid notice.
The sources link Nezha primarily to suspected China-linked intrusion activity. Huntress reported a campaign first detected in August 2025 in which attackers compromised more than 100 machines, with victims primarily in Taiwan, Japan, South Korea, and Hong Kong. In that activity, initial access came through an exposed phpMyAdmin interface; the attackers abused MariaDB general query logging for log poisoning to write a PHP web shell, managed the host with AntSword, then downloaded the Nezha agent together with a config.yml pointing to attacker-controlled infrastructure. After Nezha was established, the operators used PowerShell to create Microsoft Defender exclusions and deployed a Gh0st RAT variant from C:\Windows\Cursors for deeper persistence. Multiple summaries characterize this as China-affiliated or suspected China-based activity, though no specific actor is conclusively named.
Nezha also appears in other intrusion contexts in the sources collected here. Blackpoint identified actor-linked Nezha monitoring infrastructure during an MSP compromise and reported a YAML configuration file associated with a Nezha monitoring agent, with Nezha deployed early as part of the remote access tooling. Unit 42 observed attackers attempting to download the Nezha monitoring agent during exploitation of the Ivanti EPMM zero-days CVE-2026-1281 and CVE-2026-1340, including attempts to fetch it from Gitee with parameters intended to target victims in China. Trend Research also listed Nezha among payloads deployed in active exploitation of React2Shell (CVE-2025-55182), alongside Cobalt Strike, FRP, Sliver, and Secret-Hunter.
The sources stress that Nezha is legitimate software rather than bespoke malware; in these cases, however, it was weaponized to gain unauthorized remote access, maintain footholds, support lateral movement or follow-on payload delivery, and blend into normal administrative activity. Indicators and artifacts directly mentioned in the sources include filenames such as live.exe, config.yml, and YAML configuration files for Nezha agents; actor-linked infrastructure including Alibaba Cloud-hosted dashboards in Japan in one report; and a published sample hash from Blackpoint for a Nezha binary: d3abd4bae082d4c9918447fe82c521567cc7f9b0e5f2d55999a6e5c40fa7fd54.
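The chain above leaves two log-visible artifacts before the Nezha agent ever phones home: a MariaDB/MySQL general query log redirected into a web-served directory (the log-poisoning step that drops the PHP web shell) and PowerShell adding Microsoft Defender exclusions once the agent is in place. The following Python sketch is an added detection example written for this page; it is not code from Huntress, Mallory, or the Nezha project. The log lines and script blocks it scans are constructed here, and the list of web roots and the assumption that statements are available in general-log line format (from a general log or an audit plugin) are assumptions to adapt to your own environment.

```python
"""Flag two precursors of the Nezha-based intrusion chain in collected logs.

1. MySQL/MariaDB statements that point general_log_file into a web root
   (or at a .php file), switch general_log on, or carry a PHP open tag.
2. PowerShell ScriptBlock text (Event ID 4104) that adds Defender exclusions.

All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Document roots treated as suspicious log destinations (assumption; extend
# with the web roots actually deployed in your estate).
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/",
             "C:\\inetpub\\", "C:\\xampp\\htdocs\\")

# General-log line format: "<timestamp>\t  <conn-id> Query\t<statement>".
# Matched with search() so both MySQL (ISO) and MariaDB (yyMMdd h:mm:ss)
# timestamp styles are accepted.
QUERY_LINE_RE = re.compile(r"\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.+)$")
SET_LOG_FILE_RE = re.compile(
    r"set\s+(?:global\s+|@@global\.)?general_log_file\s*=\s*['\"]?(?P<path>[^'\";]+)",
    re.I)
SET_LOG_ON_RE = re.compile(
    r"set\s+(?:global\s+|@@global\.)?general_log\s*=\s*(?:1|on|'on'|\"on\")", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)

# Add-MpPreference with any of the exclusion parameters (real cmdlet/params).
MP_EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|process|extension)\s+(?P<value>\S+)",
    re.I)


@dataclass
class Finding:
    kind: str    # short detection name
    detail: str  # the path, statement or exclusion value that triggered it
    line: str    # the raw evidence line


def _under_web_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root.lower()) for root in WEB_ROOTS)


def scan_mysql_general_log(lines):
    """Return findings for log-poisoning precursors in general-log lines."""
    findings = []
    for line in lines:
        m = QUERY_LINE_RE.search(line.rstrip())
        if not m:
            continue  # Connect/Quit/Init DB records carry no statement text
        sql = m.group("sql")
        f = SET_LOG_FILE_RE.search(sql)
        if f:
            path = f.group("path").strip()
            if _under_web_root(path) or path.lower().endswith(".php"):
                findings.append(Finding("general_log_redirected_to_webroot", path, line))
        elif SET_LOG_ON_RE.search(sql):
            findings.append(Finding("general_log_enabled", sql, line))
        elif PHP_TAG_RE.search(sql):
            findings.append(Finding("php_tag_in_statement", sql, line))
    return findings


def scan_powershell_scriptblocks(blocks):
    """Return findings for Defender exclusion changes in ScriptBlock text."""
    findings = []
    for block in blocks:
        m = MP_EXCLUSION_RE.search(block)
        if m:
            findings.append(Finding("defender_exclusion_added",
                                    m.group("value").strip("'\""), block))
    return findings


# Constructed sample data (not taken from any report).
SAMPLE_MYSQL_LOG = [
    "2025-08-01T02:15:01.000001Z\t   12 Connect\troot@localhost on  using TCP/IP",
    "2025-08-01T02:15:03.000002Z\t   12 Query\tSELECT COUNT(*) FROM information_schema.tables",
    "2025-08-01T02:15:07.000003Z\t   12 Query\tSET GLOBAL general_log_file = '/var/www/html/uploads/x.php'",
    "2025-08-01T02:15:08.000004Z\t   12 Query\tSET GLOBAL general_log = 'ON'",
    "2025-08-01T02:15:09.000005Z\t   12 Query\tSELECT '<?php /* constructed marker */ ?>'",
    "2025-08-01T02:16:00.000006Z\t   13 Query\tSET GLOBAL general_log_file = '/var/log/mysql/general.log'",
]
SAMPLE_SCRIPTBLOCKS = [
    "Get-MpComputerStatus | Select-Object AMRunningMode",
    "Add-MpPreference -ExclusionPath 'C:\\Windows\\Cursors' -Force",
    "Add-MpPreference -ExclusionProcess 'live.exe'",
]

if __name__ == "__main__":
    for f in scan_mysql_general_log(SAMPLE_MYSQL_LOG) + scan_powershell_scriptblocks(SAMPLE_SCRIPTBLOCKS):
        print(f"[{f.kind}] {f.detail}")
```

The last MySQL sample line (a legitimate move of the log under /var/log) is deliberately left unflagged: the signal is the destination, not the act of changing the log path. In a SIEM the two scanners map to the MySQL general/audit log source and to PowerShell Event ID 4104, and either finding occurring on a host that also starts an unfamiliar agent binary such as live.exe should be treated as one incident rather than three alerts.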
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild, and in several malware campaigns such as the emerald and nuts campaigns. ... CVE-2025-55182, which is a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC) used in React.js, Next.js, and related frameworks.
Several of these are attacks that execute Cobalt Strike beacons generated with Cross C2, deploy Nezha, Fast Reverse Proxy (FRP), the Sliver payload, and the Secret-Hunter payload.
We observed attackers downloading a Nezha monitoring agent, an open-source server monitoring utility.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Intrusions weaponizing the open-source monitoring tool Nezha have been conducted by suspected Chinese threat actors to facilitate Gh0st RAT injections.
Researchers found evidence that suspected China-based actors used a monitoring tool called Nezha during compromises of more than 100 victim machines in Taiwan, Japan, South Korea and Hong Kong. Incident responders at cybersecurity firm Huntress said they initially came across the campaign while investigating a vulnerable, public-facing web application that was the source of an intrusion at the beginning of August. The threat actor took over a web shell before deploying Nezha — an operation and monitoring tool that allows commands to be run on a web server.
“China-linked hackers weaponized Nezha… turned the open-source monitoring tool Nezha into a weapon to distribute the malware Gh0st RAT.”
"...attackers used log poisoning and a web shell to install Nezha, a legitimate remote monitoring/management tool (RMM), as a foothold to deploy Ghost RAT for deeper persistence."
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
“Ivanti Endpoint Manager Mobile (EPMM) … vulnerabilities … allow unauthenticated attackers to remotely execute arbitrary code on target servers”
Execution
2 techniques
The Nezha agent enables the next stage of the attack chain, facilitating the execution of an interactive PowerShell script to create Microsoft Defender Antivirus exclusions and launch Gh0st RAT
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild... a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC)... An attacker can send malicious data that executes arbitrary code on your servers before any authentication occurs.
Command and Control
3 techniques
Several of these are attacks that execute Cobalt Strike beacons generated with Cross C2, deploy Nezha, Fast Reverse Proxy (FRP), the Sliver payload, and the Secret-Hunter payload.
The access afforded by the ANTSWORD web shell is then used to run the "whoami" command to determine the privileges of the web server and deliver the open-source Nezha agent, which can be used to remotely commandeer an infected host by connecting to an external server
Other
1 technique
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An open-source monitoring agent/platform observed as part of actor-controlled infrastructure and used during the intrusion to support remote access and monitoring of compromised systems.
Malware/backdoor referenced as a payload dropped after exploitation of Ivanti EPMM vulnerabilities, alongside miners and other backdoors.
An open-source server monitoring/management agent that attackers attempted to deploy on compromised Ivanti EPMM servers, likely to provide ongoing remote management/visibility or as a foothold utility.
Named malware/tool referenced in the malware list; no additional details provided in the content.