📃Title: The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors
📅Date: 2025-10-15
🔗References:

Description

A sophisticated intrusion campaign using log poisoning and a new tool called Nezha has been uncovered. The attackers exploited a vulnerable phpMyAdmin interface to deploy a web shell, then installed Nezha, an open-source server monitoring tool repurposed for malicious use. The campaign targeted over 100 victims, primarily in Taiwan, Japan, South Korea, and Hong Kong. The threat actors also deployed Ghost RAT, a remote access trojan, to deepen their control of compromised systems. The attack methodology and victimology point to a China-nexus threat actor, underscoring the need for hardened exposed admin interfaces and monitoring for legitimate tools repurposed as backdoors.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer=“Huntress”
  • target-information=“Taiwan”
  • target-information=“Japan”
  • target-information=“Hong Kong”
  • malpedia=“ANGRYREBEL”
  • malpedia=“Ghost RAT”
  • target-information=“Malaysia”
  • mitre-attack-pattern=[‘T1033’, ‘T1543.003’, ‘T1082’, ‘T1140’, ‘T1190’, ‘T1112’, ‘T1505.003’, ‘T1016’, ‘T1083’, ‘T1036.004’, ‘T1497’, ‘T1057’, ‘T1059.001’, ‘T1547.001’, ‘T1027’, ‘T1012’, ‘T1059.003’, ‘T1071.001’, ‘T1105’, ‘T1569.002’]

MISP event uuid: 625b5d1f-8629-4a9a-9f73-f4e85089b432

Indicators of Compromise (IoCs)

type,value,comment
ip-dst, 45.207.220.12, 'Web shell and Backdoor C2/Operator IP'
hostname, gd.bj2.xyz, 'Backdoor C2/Operator Domain'
ip-dst, 172.245.52.169, 'Nezha C2 IP'
sha256, 35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3, 'Malicious DLL; no sample in VT, last check 19/10/2025'
sha256, f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16, 'Web shell; no sample in VT, last check 19/10/2025'
ip-dst, 38.246.250.201, ''
hostname, c.mid.al, 'Nezha C2'
hostname, host.404111.xyz, ''
url, https://rism.pages.dev/microsoft.exe, 'Nezha Agent'
ip-dst, 54.46.50.255, 'Initial Access IP'

Full IoCs available in Rectifyq's MISP