
Nezha Tool Used in New Cyber Campaign Targeting Web Applications

Severity: Medium
Published: Wed Oct 08 2025 (10/08/2025, 15:25:40 UTC)
Source: AlienVault OTX General

Description

A sophisticated cyber campaign utilizing the open-source Nezha tool has been discovered targeting vulnerable web applications since August 2025. Attackers gained access through an exposed phpMyAdmin panel, employing creative log poisoning techniques to implant a PHP web shell. The intrusion involved the use of AntSword for server control, followed by the installation of Nezha agent and Ghost RAT malware. This marks the first public report of Nezha being used for web server compromises. The campaign, linked to China-based infrastructure, affected over 100 systems, primarily in Taiwan, Japan, South Korea, and Hong Kong. Attackers used Nezha to disable Windows Defender and deploy Ghost RAT, establishing persistence under the name 'SQLlite'. Recommendations include patching public-facing applications, implementing authentication, and improving detection for post-exploitation activities.

AI-Powered Analysis

Last updated: 10/08/2025, 16:30:05 UTC

Technical Analysis

This sophisticated cyber campaign, active since August 2025, targets vulnerable web applications by exploiting exposed phpMyAdmin panels, a widely used web-based database management tool. Attackers employ a creative log poisoning technique to inject a PHP web shell, allowing initial foothold on the server. Following this, they use AntSword, a known web shell management tool, to gain interactive control over the compromised servers. Subsequently, the attackers install the Nezha agent—an open-source remote administration tool (RAT) not previously reported in web server compromises—and Ghost RAT malware. Nezha is used to disable Windows Defender, effectively neutralizing endpoint defenses, while Ghost RAT facilitates remote access and data exfiltration. Persistence is established under the alias 'SQLlite', likely to evade detection. The campaign infrastructure is linked to China-based servers and has impacted over 100 systems primarily in Taiwan, Japan, South Korea, and Hong Kong. The attack chain involves exploitation of phpMyAdmin (CWE-287: Improper Authentication), log poisoning (a form of injection), and post-exploitation techniques aligned with MITRE ATT&CK tactics such as persistence (T1543.003), command and control (T1071), exploitation of public-facing applications (T1190), and defense evasion (T1562.001). No CVE or known exploits in the wild are reported yet, but the campaign demonstrates advanced multi-stage intrusion capabilities targeting web-facing infrastructure.

Potential Impact

For European organizations, the impact of this campaign could be significant if similar vulnerable phpMyAdmin instances or web applications are exposed without proper security controls. The compromise of web servers can lead to unauthorized access to sensitive data, disruption of services, and potential lateral movement within networks. Disabling endpoint protection like Windows Defender increases the risk of prolonged undetected presence, enabling data theft, ransomware deployment, or further malware infections. Given the campaign’s focus on web applications and database management tools, organizations with public-facing web infrastructure and database administration portals are at heightened risk. The medium severity reflects the balance between the need for initial access via exposed management interfaces and the high potential damage post-compromise. European entities involved in sectors with strategic importance or with business ties to East Asia may face increased targeting due to geopolitical factors and supply chain considerations.

Mitigation Recommendations

1. Immediately audit and restrict access to phpMyAdmin and other database management interfaces; ensure they are not publicly exposed or are protected by strong authentication mechanisms such as multi-factor authentication (MFA).
2. Apply the latest patches and updates to phpMyAdmin, web servers, and associated software to remediate known vulnerabilities.
3. Implement web application firewalls (WAFs) to detect and block log poisoning and injection attempts.
4. Monitor logs for unusual entries indicative of log poisoning or web shell deployment, including unexpected PHP code in logs.
5. Deploy endpoint detection and response (EDR) solutions capable of detecting Nezha and Ghost RAT behaviors, including attempts to disable security software.
6. Conduct regular threat hunting focused on persistence mechanisms named similarly to 'SQLlite' and anomalous AntSword activity.
7. Segment networks to limit lateral movement from compromised web servers to critical internal systems.
8. Educate administrators on secure configuration and the risks of exposing management interfaces.
9. Establish incident response plans that include rapid containment and forensic analysis for web server compromises.
10. Use threat intelligence feeds to update detection rules with indicators such as the domain 'c.mid.al' linked to this campaign.
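Recommendations 4 and 10 above call for log monitoring and IoC matching. The script below is an added example written for this page, not code from the original report or from AlienVault: it parses Combined Log Format web access logs and flags PHP open tags in client-controlled fields (request line, Referer, User-Agent), which is the log poisoning indicator the report describes, and it matches DNS query names against the campaign's IoC domain 'c.mid.al' including its subdomains. The DNS log format, the sample log lines and the function names are constructed assumptions; the only value taken from the page is the IoC domain.

```python
"""Constructed detection example for the Nezha campaign report (not the report's
own code). Flags PHP tags in web access logs and DNS queries to the IoC domain."""
import re
from dataclasses import dataclass

# Apache/Nginx Combined Log Format; field names are this example's own choice.
ACCESS_LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PHP open tags (long and short-echo form) plus their URL-encoded spellings,
# since many servers log the raw, still-encoded request line.
PHP_TAG_RE = re.compile(r'(<\?php|<\?=|%3C%3Fphp|%3C%3F=)', re.IGNORECASE)

# Domain IoC from the report; subdomains are matched as well.
IOC_DOMAINS = {"c.mid.al"}


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def domain_matches_ioc(name: str) -> bool:
    """True for the IoC domain or any subdomain of it; parent domains and
    look-alike suffixes (e.g. c.mid.al.example.com) do not match."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def scan_access_log(lines):
    """Return findings for PHP tags in client-controlled access log fields."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LOG_RE.match(line)
        if not m:
            # Unparseable lines deserve a look too; malformed input can itself be noise from injection attempts.
            findings.append(Finding(n, "unparsed", line[:80]))
            continue
        for field in ("request", "referer", "ua"):
            if PHP_TAG_RE.search(m.group(field)):
                findings.append(Finding(n, "php-tag-in-" + field, m.group(field)))
    return findings


def scan_dns_log(lines):
    """Assumed (constructed) DNS log format: '<timestamp> <client> <qname> <qtype>'."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2]
        if domain_matches_ioc(qname):
            findings.append(Finding(n, "ioc-domain", qname))
    return findings


# Constructed sample input; the PHP fragment is inert and only serves as a marker.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [12/Aug/2025:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Aug/2025:10:01:09 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '198.51.100.7 - - [12/Aug/2025:10:02:44 +0000] "GET /%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 404 196 "-" "curl/8.0"',
]
SAMPLE_DNS_LOG = [
    "2025-08-12T10:05:00Z 10.0.0.5 update.example.com A",
    "2025-08-12T10:05:03Z 10.0.0.5 c.mid.al A",
    "2025-08-12T10:05:04Z 10.0.0.5 api.c.mid.al A",
    "2025-08-12T10:05:05Z 10.0.0.5 mid.al A",
    "2025-08-12T10:05:06Z 10.0.0.5 c.mid.al.example.com A",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG) + scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

On real data, point `scan_access_log` at the web server's access log and `scan_dns_log` at resolver or proxy logs after adapting the line format; a hit on the PHP-tag rule against a server that also exposes phpMyAdmin is the combination the report describes and should be escalated rather than tuned out.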


Technical Details

Author: AlienVault
TLP: white
References: https://www.infosecurity-magazine.com/news/nezha-tool-used-new-cyber-campaign
Adversary: null
Pulse Id: 68e68274cd83b867a1eb6dc7
Threat Score: null

Indicators of Compromise

Domain: c.mid.al

Threat ID: 68e68dec47cdb70919db7f03

Added to database: 10/8/2025, 4:14:36 PM

Last enriched: 10/8/2025, 4:30:05 PM

Last updated: 10/9/2025, 1:19:11 PM

