
Nezha Cyber Campaign Compromises Over 100 Web Servers in East Asia

The Nezha campaign highlights evolving tactics, blending legitimate tools with malicious intent. Over 100 systems were compromised, emphasizing the need for proactive web application security.

A cyber campaign using the open-source tool Nezha has been uncovered, marking the first public reporting of its use in web server compromises. The campaign, active since August 2025, targeted vulnerable web applications, with most victims located in East Asia.

The attackers gained access through exposed phpMyAdmin panels and controlled compromised servers using AntSword. They then downloaded the Nezha agent, which connected to a command server at c.mid[.]al. Over 100 systems were affected, with the majority in Taiwan, Japan, South Korea, and Hong Kong.

The intruders switched the interface language to Simplified Chinese and executed SQL commands to create a hidden backdoor. They also used Nezha to execute PowerShell commands, disabling Windows Defender scans before deploying a Ghost RAT variant. The malware established persistence under the name 'SQLlite' and communicated with C2 domains registered through China-linked entities. Huntress researchers recommend strengthening security measures to prevent such attacks in the future.
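A defender-side illustration, added here and not part of the Huntress write-up: a small Python triage script that flags three of the behaviours described above (Defender tampering via PowerShell, a persistence entry named 'SQLlite', and DNS lookups of the Nezha command host) in constructed endpoint log lines. The key=value log format and the Set-/Add-MpPreference command pattern are assumptions; the report does not quote the attackers' exact commands.

```python
import re
from dataclasses import dataclass

# Indicators from the write-up: the Nezha command host (printed defanged as
# c.mid[.]al) and the persistence name used by the Ghost RAT variant.
C2_HOSTS = {"c.mid.al"}
PERSISTENCE_NAMES = {"sqllite"}
# Assumption: Defender was disabled with Set-/Add-MpPreference. The write-up
# only says "disabling Windows Defender scans" and does not quote the command.
DEFENDER_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\b.*-(Disable\w+|Exclusion\w+)", re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed endpoint telemetry in an assumed key=value format (not real logs).
SAMPLE_LOGS = [
    '2025-08-14T03:12:55Z host=web01 proc=powershell.exe '
    'cmd="powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2025-08-14T03:13:10Z host=web01 event=service_installed name=SQLlite '
    'path=C:\\ProgramData\\svc.exe',
    '2025-08-14T03:13:20Z host=web01 event=dns_query qname=c.mid.al',
    '2025-08-14T03:14:00Z host=web01 proc=powershell.exe cmd="powershell Get-Process"',
    '2025-08-14T03:14:05Z host=web01 event=service_installed name=Spooler '
    'path=C:\\Windows\\System32\\spoolsv.exe',
]

@dataclass
class Finding:
    rule: str
    host: str
    line: str

def parse(line: str) -> dict:
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def scan(lines) -> list:
    """Return one Finding per log line that matches a campaign behaviour."""
    findings = []
    for line in lines:
        f = parse(line)
        host = f.get("host", "?")
        if DEFENDER_TAMPER.search(f.get("cmd", "")):
            findings.append(Finding("defender_tamper", host, line))
        if f.get("event") in ("service_installed", "scheduled_task_created") \
                and f.get("name", "").lower() in PERSISTENCE_NAMES:
            findings.append(Finding("persistence_name", host, line))
        if f.get("event") == "dns_query" and f.get("qname", "").lower() in C2_HOSTS:
            findings.append(Finding("c2_domain", host, line))
    return findings
```

Running `scan(SAMPLE_LOGS)` yields three findings, one per rule, and leaves the benign PowerShell and Spooler lines alone.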

The cyber campaign using Nezha highlights the evolving tactics of threat actors, blending legitimate software with malicious intent. With over 100 systems compromised, defenders must remain vigilant and proactive in protecting vulnerable web applications. Further investigation is needed to determine the origin and main targets of the attackers.
