Nezha
Nezha is an open-source server monitoring, uptime monitoring, and task management tool that threat actors have repurposed as a remote access and post-exploitation implant. Reported capabilities include viewing system health, retrieving detailed information about compromised systems, executing commands, transferring files, opening interactive terminal sessions, and managing large numbers of hosts from a central dashboard. It supports multiple platforms, including Windows, Linux, macOS, and routers/OpenWrt devices, and because its traffic resembles ordinary monitoring telemetry it can blend into legitimate management activity.
Public reporting links Nezha to multiple intrusion sets and campaigns, most notably suspected China-nexus activity. Huntress reported attackers compromising an exposed phpMyAdmin instance, abusing MariaDB general logging for log poisoning to write a PHP web shell, operating the shell with AntSword, and then deploying the Nezha agent as a foothold before disabling Microsoft Defender protections and installing a Gh0st RAT variant. Huntress assessed that more than 100 victim machines were affected, with many victims in Taiwan, Japan, South Korea, and Hong Kong. Related reporting also describes Nezha being used during compromises of vulnerable public-facing web applications and in campaigns against organizations in Southeast Asia.
Nezha also appears in post-exploitation activity following exploitation of Ivanti Endpoint Manager Mobile vulnerabilities, where attackers attempted to download the Nezha monitoring agent, sometimes with fallback to Gitee for victims in China, and in exploitation of React2Shell/CVE-2025-55182, where observed payloads included Nezha alongside Cobalt Strike beacons generated with Cross C2, FRP, Sliver, Secret-Hunter, Node.js secret-harvesting payloads, and Go-based backdoors. Blackpoint additionally reported actor-linked Nezha infrastructure in an MSP intrusion and identified a Nezha sample with SHA256 d3abd4bae082d4c9918447fe82c521567cc7f9b0e5f2d55999a6e5c40fa7fd54.
High-confidence indicators and artifacts mentioned in the reporting include the Nezha agent installer live.exe, config.yml files pointing to attacker-controlled servers, the domain c.mid[.]al resolving to 172.245.52[.]169, and Nezha-related infrastructure associated with dashboards exposing victim telemetry. The reporting consistently characterizes Nezha as a legitimate tool being weaponized for unauthorized remote access, persistence, monitoring, and staging of additional malware.
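Because the abuse hinges on a config.yml that points the agent at an attacker-controlled dashboard, one practical defender check is to parse every agent config found on a host and compare its server against an approved list and the published indicators. The Python below is an added example, not code from the page or from the Nezha project; the key names `server` and `disable_command_execute` are assumed from the agent's flat YAML config layout, the approved dashboard hostname is constructed, and the known-bad hosts come from the indicators quoted above.

```python
from typing import Dict, List, Set

# Constructed sample of a Nezha agent config.yml (key names are assumed).
SAMPLE_CONFIG = """\
client_secret: PLACEHOLDER_SECRET
disable_command_execute: false
server: c.mid.al:443      # dashboard the agent reports to
tls: true
uuid: 00000000-0000-0000-0000-000000000000
"""

# Dashboards the organisation legitimately runs (constructed allowlist).
APPROVED_DASHBOARDS: Set[str] = {"monitor.example.internal:8008"}
# Attacker dashboard domain and its resolved IP, as reported on the page.
KNOWN_BAD_HOSTS: Set[str] = {"c.mid.al", "172.245.52.169"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines of an agent config.yml.
    Comments and blank lines are skipped; surrounding quotes are stripped."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        config[key.strip()] = value.strip().strip("'\"")
    return config


def assess_config(text: str, approved: Set[str], known_bad: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the config looks benign."""
    cfg = parse_flat_yaml(text)
    findings: List[str] = []
    server = cfg.get("server", "")
    host = server.rsplit(":", 1)[0] if ":" in server else server  # drop the port
    if not server:
        findings.append("no server key: not a complete agent config")
    elif server not in approved:
        findings.append(f"server {server} is not an approved dashboard")
        if host in known_bad or server in known_bad:
            findings.append(f"server host {host} matches a known attacker dashboard")
    # The page reports Nezha being used to run commands; an agent that leaves
    # command execution enabled is the capability an intruder would rely on.
    if cfg.get("disable_command_execute", "false").lower() != "true":
        findings.append("remote command execution is enabled on this agent")
    return findings


if __name__ == "__main__":
    for finding in assess_config(SAMPLE_CONFIG, APPROVED_DASHBOARDS, KNOWN_BAD_HOSTS):
        print("FINDING:", finding)
```

Run it over each config.yml located next to a Nezha agent binary; any agent whose dashboard is neither approved nor recognised deserves the same scrutiny as an unknown RMM install.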
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-1281 + CVE-2026-1340: pre-auth RCE via bash arithmetic expansion... Both are code injection flaws that allow an unauthenticated attacker to execute arbitrary code... Unit 42 notes that active exploitation was already under way before publication on 29 January 2026. | In some cases the download of the Nezha monitoring agent was observed, an open-source server monitoring utility that had been repurposed as a botnet agent, with fallback to Gitee for victims in China.
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild, and in several malware campaigns such as the emerald and nuts campaigns. ... CVE-2025-55182, which is a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC) used in React.js, Next.js, and related frameworks. | Several of these are attacks that execute Cobalt Strike beacons generated with Cross C2, deploy Nezha, Fast Reverse Proxy (FRP), the Sliver payload, and the Secret-Hunter payload.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Intrusions weaponizing the open-source monitoring tool Nezha have been conducted by suspected Chinese threat actors to facilitate Gh0st RAT injections.
Researchers found evidence that suspected China-based actors used a monitoring tool called Nezha during compromises of more than 100 victim machines in Taiwan, Japan, South Korea and Hong Kong. Incident responders at cybersecurity firm Huntress said they initially came across the campaign while investigating a vulnerable, public-facing web application that was the source of an intrusion at the beginning of August. The threat actor took over a web shell before deploying Nezha — an operation and monitoring tool that allows commands to be run on a web server.
“China-linked hackers weaponized Nezha… turned the open-source monitoring tool Nezha into a weapon to distribute the malware Gh0st RAT.”
"...attackers used log poisoning and a web shell to install Nezha, a legitimate remote monitoring/management tool (RMM), as a foothold to deploy Ghost RAT for deeper persistence."
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (1 technique)
Execution (2 techniques)
After installing the Nezha agent, it was used to run an interactive PowerShell so that Windows Defender exclusions could be created before deploying and running another executable called x.exe.
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild... a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC)... An attacker can send malicious data that executes arbitrary code on your servers before any authentication occurs.
Command and Control (4 techniques)
Each of these POST requests represents the attacker’s C2 server sending instructions to the compromised web server via the deployed web shell.
Several of these are attacks that execute Cobalt Strike beacons generated with Cross C2, deploy Nezha, Fast Reverse Proxy (FRP), the Sliver payload, and the Secret-Hunter payload.
The threat actor proceeded to download a secondary payload, an executable named live.exe, and an accompanying config.yml from a website built on Cloudflare pages: rism.pages[.]dev.
live.exe was identified as an installer for a Nezha agent. Nezha is marketed as a lightweight, open-source server monitoring and task management tool... this case represents a novel finding that it is also being used to facilitate follow-on activity from web intrusions.
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Open-source server monitoring agent repurposed by attackers as a botnet agent on compromised Ivanti EPMM servers.
An open-source monitoring agent/platform observed as part of actor-controlled infrastructure and used during the intrusion to support remote access and monitoring of compromised systems.
Malware/backdoor referenced as a payload dropped after exploitation of Ivanti EPMM vulnerabilities, alongside miners and other backdoors.
An open-source server monitoring/management agent that attackers attempted to deploy on compromised Ivanti EPMM servers, likely to provide ongoing remote management/visibility or as a foothold utility.