Threat actor’s Nezha interface showing victim geographical locations | Image: Huntress
Huntress researchers have unveiled a new and highly creative intrusion technique that combines log poisoning, AntSword web shell control, and the Nezha monitoring tool to deliver Ghost RAT malware across more than 100 victim systems — marking the first public reporting of Nezha being used to facilitate web compromises.
According to the report, “Beginning in August 2025, Huntress discovered an intrusion where a threat actor used a creative technique called log poisoning (also referred to as log injection) to plant a basic evaluation web shell (also commonly referred to as the China Chopper web shell) on a web server.” The campaign’s victims are primarily located in Taiwan, Japan, South Korea, and Hong Kong, with some spread across Southeast Asia and Europe.
The attack began with the compromise of a vulnerable phpMyAdmin interface exposed to the internet without authentication. Huntress notes that “retrospective analysis of the web server configuration revealed flaws in the default phpMyAdmin configuration file, which doesn’t require any authentication and wasn’t intended to be exposed to the internet, but was due to a DNS record change just months before the incident.”
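The exposure described above comes down to a handful of directives in phpMyAdmin's config.inc.php. The following audit script is an added example written for this article, not code from Huntress or the phpMyAdmin project; the directive names (auth_type, user, password, AllowNoPassword) are real phpMyAdmin settings, while the two sample configurations it checks are constructed, and the exact file found in the incident is not known from the report.

```python
import re

# Regex builder for the phpMyAdmin per-server directives that decide whether a
# visitor must present database credentials before reaching the interface.
_DIRECTIVE = r"\$cfg\['Servers'\]\[\$i\]\['{}'\]\s*=\s*"
AUTH_TYPE_RE = re.compile(_DIRECTIVE.format("auth_type") + r"'(\w+)'")
ALLOW_NO_PW_RE = re.compile(_DIRECTIVE.format("AllowNoPassword") + r"(true|false)", re.I)
USER_RE = re.compile(_DIRECTIVE.format("user") + r"'([^']*)'")
PASSWORD_RE = re.compile(_DIRECTIVE.format("password") + r"'([^']*)'")

# Constructed sample: credentials baked into the file and empty passwords allowed,
# so every visitor is silently logged in as root.
WEAK_CONFIG = """<?php
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

# Constructed sample: cookie authentication, empty passwords refused.
HARDENED_CONFIG = """<?php
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['blowfish_secret'] = 'REPLACE-WITH-32-RANDOM-BYTES';
"""


def audit_phpmyadmin_config(text):
    """Return a list of findings for the body of a config.inc.php file.
    An empty list means visitors will be asked for database credentials."""
    findings = []
    m = AUTH_TYPE_RE.search(text)
    auth_type = m.group(1).lower() if m else "cookie"  # phpMyAdmin's default
    m = ALLOW_NO_PW_RE.search(text)
    allow_no_pw = bool(m) and m.group(1).lower() == "true"
    m = USER_RE.search(text)
    user = m.group(1) if m else ""
    m = PASSWORD_RE.search(text)
    password = m.group(1) if m else ""

    if auth_type == "config":
        findings.append("auth_type=config: credentials live in the file, so anyone "
                        "who reaches the URL is logged in without a prompt")
        if user == "root":
            findings.append("auth_type=config logs every visitor in as root")
        if password == "" and allow_no_pw:
            findings.append("empty password plus AllowNoPassword=true: fully "
                            "unauthenticated database access over the web")
    if allow_no_pw:
        findings.append("AllowNoPassword=true: accounts with empty passwords may log in")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_phpmyadmin_config(cfg) or "no findings")
```

Run it against a real config.inc.php by reading the file into `audit_phpmyadmin_config`; any finding for a host reachable from the internet is the same condition the article describes, independent of whether the DNS exposure was intended.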
The attacker, operating from an AWS-hosted IP in Hong Kong, changed the phpMyAdmin interface language to Simplified Chinese, suggesting ties to Chinese-speaking operators. They then accessed the SQL query interface and executed multiple commands within seconds — a hallmark of seasoned intruders familiar with MariaDB internals.
Using log poisoning, the attacker manipulated MariaDB’s general logging mechanism to write PHP code directly into a web-accessible log file:
This tactic transformed a server log into a fully functional web shell, hidden among normal entries. Huntress described it as “a very creative method that requires a number of steps,” where the malicious payload is “placed in a directory accessible over the internet, making the web shell hidden in plain sight among normal log entries.”
The resulting PHP backdoor — a simple yet powerful one-liner — allowed remote command execution through tools like AntSword and China Chopper.
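Two checks catch this technique from the defender's side: whether MariaDB's general log is pointed somewhere under the document root, and whether any non-PHP file in the document root contains a PHP open tag. The script below is an added example for this article, not Huntress's tooling; the MariaDB variable names `general_log` and `general_log_file` are real, while the access-log and general-log contents it scans are constructed samples written into a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Markers that should never appear inside a log file served from a web root.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
DANGEROUS_CALL = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(", re.IGNORECASE)

# Constructed sample content: an ordinary access log, and a MariaDB general log
# into which one query carrying PHP source has been written.
NORMAL_ACCESS_LOG = (
    '10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512\n'
    '10.0.0.5 - - [12/Aug/2025:10:01:03 +0000] "GET /style.css HTTP/1.1" 200 88\n'
)
POISONED_GENERAL_LOG = (
    "250812 10:05:11\t   12 Connect\troot@localhost on  using TCP/IP\n"
    "250812 10:05:12\t   12 Query\tSELECT 1\n"
    "250812 10:05:40\t   12 Query\tSELECT '<?php eval($_POST[\"a\"]); ?>'\n"
)


def scan_file(path):
    """Return [(line_no, reason)] for lines holding a PHP open tag; the reason
    is extended when the same line also calls a code-execution function."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if PHP_TAG.search(line):
                reason = "php-open-tag"
                if DANGEROUS_CALL.search(line):
                    reason += "+dangerous-call"
                findings.append((no, reason))
    return findings


def scan_webroot(webroot):
    """Scan every non-PHP file under the document root. A PHP tag inside a
    .log file is the signature of a poisoned log; genuine .php sources are
    skipped because tags are expected there."""
    results = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() == ".php":
                continue
            hits = scan_file(path)
            if hits:
                results[str(path.relative_to(webroot))] = hits
    return results


def general_log_in_webroot(variables, webroot):
    """Given the rows of SHOW VARIABLES LIKE 'general_log%' as a dict, report
    True when logging is on and the log file lands inside the document root,
    which is the precondition for turning a log into a served PHP file."""
    if str(variables.get("general_log", "OFF")).upper() not in ("ON", "1"):
        return False
    log_path = Path(variables["general_log_file"]).resolve()
    root = Path(webroot).resolve()
    return log_path == root or root in log_path.parents


def build_sample_webroot():
    """Write the constructed files into a temporary directory and return it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    Path(root, "index.php").write_text("<?php echo 'hello'; ?>\n")
    Path(root, "access.log").write_text(NORMAL_ACCESS_LOG)
    Path(root, "mysql_general.log").write_text(POISONED_GENERAL_LOG)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print(scan_webroot(root))
    print(general_log_in_webroot(
        {"general_log": "ON", "general_log_file": f"{root}/mysql_general.log"}, root))
```

The file scan is the cheap, always-available check: a poisoned log is still a text file with `<?php` in it, so a periodic sweep of the document root for PHP tags in non-PHP files surfaces it regardless of how the log got there. The variable check needs database access but catches the misconfiguration before any payload is written.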
Once control was established, the attackers installed Nezha, an open-source remote monitoring and management (RMM) platform. Huntress called this “a novel finding that it is also being used to facilitate follow-on activity from web intrusions.”
The attackers downloaded a Nezha agent (live.exe) and configuration file (config.yml) from rism.pages[.]dev, connecting to a command server at c.mid[.]al hosted in Dublin. The Nezha dashboard — visible over port 80 without authentication — revealed a map of infected systems, all reporting back real-time metrics such as uptime and resource usage.
Interestingly, Huntress observed the threat actor running the Nezha interface in Russian, a potential false flag to obscure attribution. Over 100 victim systems were visible in the interface, including desktop devices — suggesting broad compromise beyond traditional servers.
The majority of infected systems were concentrated in Taiwan (22), Japan (16), South Korea (10), and Hong Kong (8), with outliers detected as far as Brazil, Finland, and Kenya.
The campaign’s final stage involved deploying Ghost RAT (Gh0st RAT), a remote access Trojan historically linked to Chinese APT operations. Huntress traced its installation to an executable (x.exe) delivered via Nezha. The malware immediately created Windows Defender exclusions and established persistence through a fake service named “SQLlite.”
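The two host-side behaviours named above, a fresh Windows Defender exclusion followed by a service whose name imitates a legitimate product, each leave a standard Windows event: Defender's Operational log records configuration changes as event 5007, and the System log records service installation as event 7045. The detector below is an added example for this article, not Huntress's code; the event IDs and message layouts are real, but the event records, the paths and the allowlist of legitimate service names used for the near-miss comparison are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed records in a flattened (event_id, timestamp, message) form,
# modelled on the real 7045 (service installed) and 5007 (Defender
# configuration changed) events. Paths, names and times are invented.
SAMPLE_EVENTS = [
    (5007, "2025-08-12T10:20:01",
     "Microsoft Defender Antivirus Configuration has changed. If this is an "
     "unexpected event you should review the settings as this may be the result "
     "of malware.\n\tOld value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows "
     "Defender\\Exclusions\\Paths\\C:\\ProgramData\\svc\\ = 0x0"),
    (7045, "2025-08-12T10:20:09",
     "A service was installed in the system.\n\nService Name:  SQLlite\n"
     "Service File Name:  C:\\ProgramData\\svc\\x.exe\nService Type:  user mode "
     "service\nService Start Type:  auto start\nService Account:  LocalSystem"),
    (7045, "2025-08-12T09:00:00",
     "A service was installed in the system.\n\nService Name:  Sysmon64\n"
     "Service File Name:  C:\\Windows\\Sysmon64.exe\nService Type:  user mode "
     "service\nService Start Type:  auto start\nService Account:  LocalSystem"),
]

# Hypothetical allowlist of names a fake service might try to resemble.
KNOWN_SERVICE_NAMES = ["SQLite", "MSSQLSERVER", "MySQL", "Sysmon64", "WinDefend"]

EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Processes|Extensions)\\(.+?) = 0x0")
SERVICE_NAME_RE = re.compile(r"Service Name:\s+(.+)")
SERVICE_FILE_RE = re.compile(r"Service File Name:\s+(.+)")


def edit_distance(a, b):
    """Case-insensitive Levenshtein distance, used to spot lookalike names
    such as 'SQLlite' against 'SQLite'."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect_masquerading_services(events, window=timedelta(minutes=15)):
    """Flag 7045 service installs whose binary sits under a Defender path
    exclusion added shortly before, or whose name is a near-miss of a
    well-known service name. Returns a list of finding dicts."""
    exclusions = []
    for eid, ts, msg in events:
        if eid != 5007:
            continue
        m = EXCLUSION_RE.search(msg)
        if m:
            exclusions.append((datetime.fromisoformat(ts), m.group(1), m.group(2).strip()))

    findings = []
    for eid, ts, msg in events:
        if eid != 7045:
            continue
        name = SERVICE_NAME_RE.search(msg).group(1).strip()
        path = SERVICE_FILE_RE.search(msg).group(1).strip()
        when = datetime.fromisoformat(ts)
        reasons = []
        for ex_when, kind, target in exclusions:
            recent = timedelta(0) <= when - ex_when <= window
            if kind == "Paths" and recent and path.lower().startswith(target.lower()):
                secs = int((when - ex_when).total_seconds())
                reasons.append(f"binary under Defender path exclusion added {secs}s earlier")
        for known in KNOWN_SERVICE_NAMES:
            d = edit_distance(name, known)
            if 0 < d <= 2:
                reasons.append(f"name is a near-miss of '{known}' (edit distance {d})")
        if reasons:
            findings.append({"service": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_masquerading_services(SAMPLE_EVENTS):
        print(f["service"], f["path"], *f["reasons"], sep="\n  ")
```

The time window matters more than either signal alone: exclusions get added legitimately, and typo-like names occur in ordinary software, but a service binary landing in a path excluded from scanning seconds earlier is the sequence worth paging on.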
As described in the report, “Analysis of x.exe revealed it was likely a variant of Ghost RAT (also known as Gh0st RAT). The malware contained communication protocols that match public reporting by Zscaler from a campaign in June 2025, which they linked to a China-nexus APT group.”
The Ghost RAT sample communicated with the domain gd.bj2[.]xyz, which resolved to the same IP (45.207.220[.]12) previously used to operate the web shell. DNS history linked the domain to registrants in Beijing and Guangdong, both later redacted for privacy. Huntress also noted suspicious overlaps with RunningRAT samples analyzed by Hunt.IO, suggesting code reuse across multiple malware families.
Further analysis revealed the Ghost RAT binary followed a three-stage architecture — a loader, dropper, and main payload — using exception-based execution and obfuscated embedded DLLs to avoid detection. Once active, the RAT could execute remote commands, load additional DLLs, capture screens, and persist via a fake Windows service.
The attackers’ infrastructure appears linked to MoeDove LLC, an entity registered in 2024 with IP space from Cloud Innovation Ltd and Hurricane Electric. Huntress described the company as having a “somewhat suspicious online presence” with defunct links and a Chinese ICP license number, implying Mainland China operations.
The IP ranges also hosted domains generated by a domain generation algorithm (DGA) — a technique frequently used to rotate malicious infrastructure dynamically. The reuse of DGAs, Simplified Chinese language settings, and geographic targeting patterns collectively point toward a China-nexus threat actor.