Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave

Severity: Medium
Tags: malware, web, rce
Published: Wed Oct 08 2025 (10/08/2025, 13:56:00 UTC)
Source: The Hacker News

Description

Chinese threat actors have weaponized the open-source monitoring tool Nezha to deliver Gh0st RAT malware via a novel log poisoning technique targeting vulnerable phpMyAdmin panels. The attackers abuse SQL query logging to write a PHP web shell into a log file, enabling remote control through the ANTSWORD web shell interface. This access is used to deploy the Nezha agent, which facilitates further remote command execution and ultimately launches Gh0st RAT via PowerShell scripts that evade Microsoft Defender. Over 100 victim machines have been compromised globally, with a concentration in East Asia and smaller clusters in Europe, including the U.K. The attack chain relies on publicly exposed phpMyAdmin instances, requires no user interaction, and shows deliberate operational security, including the use of a Russian-language Nezha dashboard. This threat highlights the increasing abuse of legitimate open-source tools by advanced actors to achieve stealthy, persistent access. European organizations with exposed phpMyAdmin installations or web servers running vulnerable configurations are at risk, especially those in the U.K. and France.

AI-Powered Analysis

AI analysis last updated: 10/09/2025, 01:05:46 UTC

Technical Analysis

In August 2025, cybersecurity researchers observed a new attack wave attributed to Chinese-linked threat actors who weaponized the open-source monitoring tool Nezha to deliver the well-known Gh0st RAT malware. The attack begins with the exploitation of publicly exposed and vulnerable phpMyAdmin panels to gain initial access. The adversaries set the interface language to simplified Chinese and execute rapid SQL queries to enable general query logging and inject a PHP web shell via log poisoning (log injection). Specifically, they craft SQL queries containing a one-liner PHP web shell payload that is recorded in the log file, which they rename with a .php extension, allowing direct execution through HTTP POST requests. Using the ANTSWORD web shell interface, the attackers confirm server privileges and deploy the Nezha agent, an open-source remote monitoring and command execution tool. The Nezha agent connects to an external command-and-control server, enabling interactive PowerShell script execution. These scripts create exclusions in Microsoft Defender Antivirus to evade detection and launch Gh0st RAT through a loader and dropper mechanism. Gh0st RAT is a remote access trojan widely used by Chinese hacking groups for espionage and persistent access. The attackers operate a Nezha dashboard in Russian, listing over 100 victims worldwide, with the majority in Taiwan, Japan, South Korea, and Hong Kong, and smaller numbers in Singapore, Malaysia, India, the U.K., France, and other countries. The attack chain demonstrates a sophisticated blend of leveraging legitimate open-source tools, novel log injection techniques, and multi-stage payload delivery to maintain stealth and persistence. This campaign underscores the growing trend of threat actors abusing publicly available tools for plausible deniability and to bypass traditional security defenses.

Potential Impact

European organizations face significant risks from this threat, especially those running vulnerable phpMyAdmin instances or web servers that log SQL queries to disk. Successful exploitation can lead to full remote code execution, allowing attackers to deploy backdoors and advanced malware like Gh0st RAT, which can exfiltrate sensitive data, conduct espionage, and maintain persistent access. The use of log poisoning to plant web shells complicates detection, as malicious code resides in legitimate log files. The attackers’ ability to disable antivirus protections and execute PowerShell scripts increases the likelihood of evading endpoint defenses. For European entities, this could result in data breaches, intellectual property theft, operational disruption, and reputational damage. Critical infrastructure, government agencies, and enterprises with high-value data are particularly at risk. The presence of victims in the U.K. and France indicates that European networks are already targeted, and the attack’s stealthy nature may delay detection and response, amplifying potential damage.

Mitigation Recommendations

1. Immediately audit and secure all phpMyAdmin installations: restrict access via IP whitelisting, enforce strong authentication, and update to the latest patched versions.
2. Disable or tightly control general query logging in database servers to prevent log injection opportunities.
3. Monitor web server directories for anomalous files with executable extensions, especially unexpected .php files in log directories.
4. Deploy web application firewalls (WAFs) with rules to detect and block log poisoning and web shell activity.
5. Implement endpoint detection and response (EDR) solutions capable of identifying Nezha agent behavior and Gh0st RAT indicators, including unusual PowerShell execution and Defender exclusions.
6. Conduct regular threat hunting focused on detecting ANTSWORD web shell signatures and unusual network connections to known Nezha C2 servers.
7. Educate IT and security teams about this attack vector to improve incident response readiness.
8. Segment networks to limit lateral movement if a web server is compromised.
9. Employ multi-factor authentication and continuous monitoring on administrative interfaces.
10. Collaborate with threat intelligence providers to stay updated on emerging indicators related to Nezha and Gh0st RAT campaigns.
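The following hunt script is an added example, not code from the article or from the Nezha project, and implements recommendations 2 and 3 above: it walks a database log directory and flags files that carry a server-executable extension, contain a PHP open tag, or record SQL that toggled the general query log. The MySQL/MariaDB variable names `general_log` and `general_log_file` and the sample log lines are assumptions constructed for the demo.

```python
"""Hunt for phpMyAdmin/MySQL log-poisoning artifacts (added example, not the article's code)."""
import re
import tempfile
from pathlib import Path

# PHP open tags ("<?php" or the short echo tag "<?=") have no business in a query log.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# SQL that toggles or redirects the general query log (assumed MySQL/MariaDB variable names).
LOG_TOGGLE = re.compile(rb"\bSET\s+(?:GLOBAL\s+)?general_log(?:_file)?\b", re.IGNORECASE)
# Extensions a typical PHP web server will execute if the file is reachable over HTTP.
WEB_EXEC_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}

def classify(name: str, content: bytes) -> list[str]:
    """Return the reasons a file in a log directory looks suspicious (empty list = clean)."""
    reasons = []
    if Path(name).suffix.lower() in WEB_EXEC_SUFFIXES:
        reasons.append("server-executable extension inside a log directory")
    if PHP_TAG.search(content):
        reasons.append("PHP open tag embedded in log content")
    if LOG_TOGGLE.search(content):
        reasons.append("query-log settings changed via SQL (general_log / general_log_file)")
    return reasons

def scan_log_dir(log_dir: str) -> dict[str, list[str]]:
    """Walk a log directory and map each suspicious file name to its reasons."""
    hits = {}
    for path in Path(log_dir).rglob("*"):
        if path.is_file():
            reasons = classify(path.name, path.read_bytes())
            if reasons:
                hits[path.name] = reasons
    return hits

# Constructed sample files, not real captures: a clean log, a poisoned log, and a log renamed to .php.
SAMPLES = {
    "mysql-general.log": b"2025-10-08T13:55:00Z\t 11 Query\tSELECT 1\n",
    "poisoned.log": (b"2025-10-08T13:56:00Z\t 12 Query\tSET GLOBAL general_log = 'ON'\n"
                     b"2025-10-08T13:56:01Z\t 12 Query\tSELECT '<?php /* constructed marker */ ?>'\n"),
    "error.php": b"2025-10-08T13:57:00Z\t 12 Query\tSELECT 2\n",
}

def run_demo() -> dict[str, list[str]]:
    """Write the constructed samples to a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            Path(tmp, name).write_bytes(data)
        return scan_log_dir(tmp)

if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Point `scan_log_dir` at the real MySQL data or log directory and at any web-served path where query logs could be written; a hit on the PHP-tag or extension check warrants treating the host as compromised, not just cleaning the file.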


Technical Details

Article source: https://thehackernews.com/2025/10/chinese-hackers-weaponize-open-source.html (fetched 2025-10-09T01:05:06Z, 1121 words)

Threat ID: 68e70a4432de7eb26af4e13b

Added to database: 10/9/2025, 1:05:08 AM

Last enriched: 10/9/2025, 1:05:46 AM

Last updated: 10/9/2025, 3:10:44 AM
