
Chinese Threat Actors Leverage Nezha to Execute Remote Web Server Commands

Threat actors have co-opted the open-source Nezha monitoring tool as a malicious command-and-control framework, leveraging its legitimate features to evade detection and maintain persistence on compromised web servers.

Open-Source Tool Turned Weapon

Nezha, originally designed for lightweight server monitoring and task management, has been repurposed by a Chinese threat actor to issue arbitrary commands and establish long-term footholds on web servers.

Following initial web shell deployments, attackers downloaded and installed Nezha agents disguised as innocuous administrative binaries across more than 100 victim machines.

Analysis of the Nezha dashboard reveals it was configured in Russian language settings, suggesting use of shared tooling or misdirection.

The highest concentrations of infected hosts were identified in Taiwan, Japan, South Korea, and Hong Kong.

Sophisticated Infrastructure and Operational Security

Investigation into the adversary’s infrastructure uncovered registrations of multiple autonomous systems and the use of domain generation algorithms, both characteristic of advanced persistent threat campaigns.

Cloud-based resources spanned providers such as AWS (notably IPs in Hong Kong) and virtual private servers in Dublin, reflecting careful operational security to obscure true locations.

Domains like c.mid.al and gd.bj2.xyz served as Nezha command-and-control points, while renamed Windows binaries (e.g., SQLlite.exe) supported persistence via rogue services and mutexes.

The combination of legitimate-looking service names and file paths (such as C:\Windows\Cursors\live.exe) further reduced suspicion.

By weaponizing Nezha, attackers enjoy reduced research costs and a lower probability of detection compared to custom malware development.

The tool’s legitimate appearance fosters plausible deniability, allows use of built-in task-scheduling features, and grants extensive visibility on compromised hosts.

To mitigate such threats, organizations should enforce strict network segmentation, monitor for anomalous administrative tool usage, and apply robust endpoint detection rules targeting unexpected agent processes.

Continuous threat-hunting around uncommon service names (e.g., SQLite) and unusual binary locations can unearth malicious implants before damage occurs.
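A small hunting helper that applies the two checks above to service and DNS records: service binaries living in directories such as the C:\Windows\Cursors path named in this article, binary names that are near-misses of legitimate ones (SQLlite.exe), and lookups of the two C2 domains named above. This is an added example, not code from the article or the Nezha project; the sample records are constructed, and the suspicious-directory list and lookalike targets are assumptions to be tuned per environment.

```python
"""Hunting helper for the Nezha-abuse tradecraft described above. Added example, not
from the article or the Nezha project; records are constructed, indicator lists are assumptions."""

from difflib import SequenceMatcher

C2_DOMAINS = ("c.mid.al", "gd.bj2.xyz")  # C2 domains named in the article
SUSPICIOUS_DIRS = (  # assumption: no legitimate service binary belongs under these
    r"c:\windows\cursors", r"c:\xampp\htdocs", r"c:\users\public", r"c:\windows\temp")
LOOKALIKE_TARGETS = ("sqlite", "svchost", "lsass")  # names imitated by near-miss spellings

def lookalike(filename):
    """Return the legitimate name a binary nearly imitates (e.g. SQLlite.exe -> sqlite), else None."""
    stem = filename.lower().rsplit(".", 1)[0]
    for target in LOOKALIKE_TARGETS:
        if stem == target:  # exact match is the real thing, not a lookalike
            return None
        if SequenceMatcher(None, stem, target).ratio() >= 0.85:
            return target
    return None

def hunt_services(services):
    """services: iterable of (service_name, image_path). Returns (service_name, reason) hits."""
    hits = []
    for name, path in services:
        normalized = path.strip('"').lower()
        exe = normalized.rsplit("\\", 1)[-1]
        if normalized.startswith(SUSPICIOUS_DIRS):
            hits.append((name, f"service binary in unusual directory: {path}"))
        target = lookalike(exe)
        if target:
            hits.append((name, f"binary name {exe} imitates {target}"))
    return hits

def hunt_dns(log_lines):
    """Return (line, domain) pairs for queries to a C2 domain or any subdomain of it."""
    hits = []
    for line in log_lines:
        for token in line.lower().split():
            for domain in C2_DOMAINS:
                if token == domain or token.endswith("." + domain):
                    hits.append((line, domain))
    return hits

SAMPLE_SERVICES = [("Spooler", r"C:\Windows\System32\spoolsv.exe"),  # constructed records
                   ("SQLlite", r"C:\ProgramData\SQLlite.exe"),
                   ("CursorUpdate", r"C:\Windows\Cursors\live.exe")]
SAMPLE_DNS = ["2025-10-01T10:00:01Z host7 query A gd.bj2.xyz",  # constructed log lines
              "2025-10-01T10:00:02Z host7 query A update.microsoft.com",
              "2025-10-01T10:00:03Z host9 query A agent.c.mid.al"]
```

Running hunt_services(SAMPLE_SERVICES) flags the SQLlite and CursorUpdate entries, and hunt_dns(SAMPLE_DNS) returns the two lines that resolve the named C2 domains.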

[Figure: Threat actor’s Nezha interface showing victim geographical locations]

Risk factors and their descriptions:

Legitimate tool appearance: Nezha’s open-source nature and common administrative use mask malicious activity.

Multilingual dashboard misconfiguration: Russian language settings could indicate shared tooling or global actor cooperation, complicating attribution.

Cloud-backed infrastructure: Use of AWS and diverse VPS providers enhances resilience and reduces traceability.

File renaming and service masquerading: Binaries like SQLlite.exe and rogue mutexes support covert persistence and hinder signature-based detection.

Domain generation algorithms: Dynamic C2 domains (e.g., gd.bj2.xyz) enable flexible command channels and fast evasion of blacklists.

Web shell pre-staging: Initial web shell drop at C:\xampp\htdocs\123.php primes the environment for subsequent Nezha agent deployment.

Low research and development overhead: Leveraging existing tools eliminates the need for custom malware engineering, accelerating campaign setup.


The post Chinese Threat Actors Leverage Nezha to Execute Remote Web Server Commands appeared first on Cyber Security News.
