Chinese Hackers Exploit ‘Nezha’ Tool to Pry on Asian Companies


“Chinese hackers are trying to spy on Asian companies while exploiting the Nezha Tool. Let’s talk about it in detail!”

According to cybersecurity firm Huntress, a politically motivated campaign with ties to China used Nezha, a legitimate open-source server monitoring application, to breach more than 100 systems in Taiwan, Japan, South Korea, and Hong Kong. The finding underscores a growing pattern: ordinary administration software being repurposed as a weapon in state-affiliated cyber espionage.

A vulnerable web application was the entry point of the intrusion

Huntress investigators first discovered the campaign in early August while investigating a vulnerable public-facing web application. The attackers first obtained access by planting a web shell, and only then deployed Nezha, a tool for server monitoring and task management.

Huntress also points out that although Nezha has legitimate IT uses, this is a new kind of misuse: after compromising the web application, the attackers used the program to carry out remote operations and deliver malware.


“Nezha Functions as a Remote Control”

According to the investigation, Nezha was frequently used alongside the Ghost RAT malware and the AntSword web-shell management tool, both of which have been linked to Advanced Persistent Threat (APT) groups with a China nexus.

Jai Minton, Principal Security Operations Analyst, Huntress

Nezha functions similarly to a TV remote control. The agent installed on a computer is the TV, and the dashboard serves as the control. It enables complete online remote access.


Evidence Points to Chinese Participation

One of the earliest indicators of the attackers’ origin, according to investigators, was that they switched the language of the administrative interface to Simplified Chinese after gaining access.

Although Huntress could not confidently attribute the campaign to a particular group, Minton pointed out similarities with earlier reports of Chinese APT operations:

The Ghost RAT sample is similar to one that was utilized in assaults against the Tibetan community by an APT group with ties to China.

Targets with Political Sensitivity

The majority of victims were found in South Korea, Japan, and Taiwan, nations embroiled in maritime and territorial disputes with China in the East China Sea.

Jai Minton, Principal Security Operations Analyst, Huntress

“A politically motivated campaign rather than financially motivated attacks is suggested by the quickness of compromise, lack of financial motivation, and absence of usual cybercriminal tradecraft.”

More than 100 Victims and Growing

More than 100 systems were affected, according to the report, although some organizations that acted swiftly were able to limit their exposure to a few hours.

However, Huntress cautioned that the attackers’ skill and persistence should not be underestimated:

A competent China-nexus threat actor is demonstrated by their ability to quickly breach systems and sustain long-term access utilizing an underreported technique.

Conclusion

This campaign illustrates the growing trend of weaponizing legitimate open-source software for espionage purposes. Huntress urged organizations to strengthen monitoring of server management tools, web applications, and remote access systems, emphasizing that even widely used software like Nezha can be repurposed for sophisticated cyber operations.
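One concrete way to act on that advice is to inventory the remote-management agents actually running on a server and flag any that the organization never approved, escalating when an agent runs under a web-server account, which matches the intrusion chain described above (web shell first, monitoring agent second). The script below is an added example written for this article; it is not code from Huntress or from the Nezha project. The `ps` sample, the `/tmp/.x/nezha-agent` path, the `example-monitor` agent and the allowlist are all constructed for the demonstration, and the web-server account names are an assumption about a typical Linux host.

```python
import re
from dataclasses import dataclass

# Constructed `ps -eo pid,user,args` output standing in for a live host.
# The nezha-agent path and the www-data owner are assumptions made for this
# demo, not indicators taken from the Huntress report.
SAMPLE_PS_OUTPUT = """\
PID USER     COMMAND
101 root     /usr/sbin/sshd -D
202 monitor  /opt/example-monitor/agent --config /etc/example-monitor.yml
303 www-data /tmp/.x/nezha-agent
404 root     /usr/bin/python3 /opt/backup/run.py
"""


@dataclass(frozen=True)
class Process:
    pid: int
    user: str
    cmdline: str


# Regexes that recognise remote-management / monitoring agents. "nezha" is the
# tool from the article; "example-monitor" is a constructed stand-in for an
# agent the team deliberately deploys.
AGENT_PATTERNS = {
    "nezha": re.compile(r"nezha", re.IGNORECASE),
    "example-monitor": re.compile(r"example-monitor", re.IGNORECASE),
}

# Agents this fleet is allowed to run (constructed allowlist).
APPROVED_AGENTS = {"example-monitor"}

# Accounts web servers commonly run under (assumption). An agent owned by one
# of these was most likely launched through the web application, e.g. from a
# web shell, rather than installed by an administrator.
WEB_SERVER_ACCOUNTS = {"www-data", "apache", "nginx", "http", "httpd"}


def parse_ps(text):
    """Turn `ps -eo pid,user,args` output into Process records."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        line = line.strip()
        if not line:
            continue
        pid, user, cmdline = line.split(None, 2)
        procs.append(Process(int(pid), user, cmdline))
    return procs


def identify_agent(proc):
    """Return the name of the agent a process matches, or None."""
    for name, pattern in AGENT_PATTERNS.items():
        if pattern.search(proc.cmdline):
            return name
    return None


def audit(procs, approved=APPROVED_AGENTS):
    """Flag agents missing from the allowlist; escalate when they run as a web-server account."""
    findings = []
    for proc in procs:
        agent = identify_agent(proc)
        if agent is None or agent in approved:
            continue
        severity = "high" if proc.user in WEB_SERVER_ACCOUNTS else "medium"
        findings.append({
            "pid": proc.pid,
            "user": proc.user,
            "agent": agent,
            "severity": severity,
            "cmdline": proc.cmdline,
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"[{f['severity']}] pid={f['pid']} user={f['user']} "
              f"agent={f['agent']}: {f['cmdline']}")
```

On a real host the same functions can be fed the output of `ps -eo pid,user,args` directly; the allowlist is the part worth maintaining, because an agent that is legitimate on one fleet is unexpected on another, and a monitoring agent owned by the web server's account deserves an immediate look regardless of which tool it is.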

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
