Riding Nezha to Ghost RAT

With the web shell in place, the attackers used AntSword to download two components: “live.exe” (the Nezha agent) and a “config.yml” that pointed to the attacker-controlled domain. The Nezha agent connected back to a management server whose dashboard was running in Russian, presumably to throw off attribution.

Once Nezha was active, the attackers ran an interactive PowerShell session to create Windows Defender exclusions on key system folders. This allowed them to drop and run a Ghost RAT variant from “C:\Windows\Cursors”. The RAT executable also installed a persistence mechanism and used a domain generation algorithm (DGA) for command and control (C2).

Huntress’ analysis showed the Ghost RAT implant had a multi-stage loader, dynamic API resolution, and command blocks consistent with China-nexus APT activity. The team was able to contain the August 2025 incident before the attackers could cause significant damage.

“Fortunately, Huntress was able to isolate the system and remediate the incident by removing the web shell, Nezha agent, and malware before the attacker could carry out any further objectives,” the researchers added.

Huntress published a set of indicators of compromise (IOCs) tied to the intrusion, including the file names and paths for the web shell, the Nezha agent, and the Ghost RAT payload.

This incident fits a broader 2025 pattern of threat actors abusing legitimate admin and monitoring tools for persistence on networks. Earlier this year, Symantec (Broadcom) reported Fog ransomware operators using the employee monitoring software Syteca alongside other open-source pen-testing tools such as GC2 and Adaptix. Last month, researchers also flagged a red-teaming tool, “Villager,” from a shadowy Chinese firm that they said was ripe for hackers to abuse.
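The Defender-exclusion step above is one of the most detectable moments in this intrusion. As an added defensive example (not code from Huntress or from the article), this PowerShell audit flags existing Defender path exclusions that cover system folders such as C:\Windows, and pulls recent exclusion changes from Defender's operational log; the list of sensitive roots and the event-message parsing are assumptions about a typical Windows host.

```powershell
# Added example, not from the Huntress write-up. Run from an elevated PowerShell.
# Assumption: these roots are where an exclusion should never be needed on a
# server; an attacker excluding them can stage payloads (e.g. under C:\Windows\Cursors).
$sensitiveRoots = @(
    $env:SystemRoot,                  # C:\Windows and everything beneath it
    $env:ProgramData,
    "$env:SystemDrive\inetpub"        # IIS web roots, where a web shell would sit
)

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()
    foreach ($raw in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # Exclusions may be written with %windir%-style variables or wildcards,
        # so expand variables and compare as plain strings (no GetFullPath).
        $path = [Environment]::ExpandEnvironmentVariables($raw).TrimEnd('\')
        foreach ($root in $sensitiveRoots) {
            $r = $root.TrimEnd('\')
            if ($path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings += [pscustomobject]@{ Kind = 'Path'; Value = $raw; Reason = "covers $r" }
                break
            }
        }
    }
    # A process exclusion disables scanning of everything that process writes.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not [string]::IsNullOrWhiteSpace($proc)) {
            $findings += [pscustomobject]@{ Kind = 'Process'; Value = $proc; Reason = 'process exclusion' }
        }
    }
    return $findings
}

# Defender records every configuration change as Event ID 5007; an added path
# exclusion typically appears in the message as "...\Exclusions\Paths\<path> = 0x0".
function Get-RecentExclusionChanges([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'Exclusions\\' } |
      Select-Object TimeCreated, @{ n = 'Change'; e = {
          (($_.Message -split "`r?`n") | Where-Object { $_ -match 'Exclusions\\' }) -join '; ' } }
}

Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-RecentExclusionChanges      | Format-Table -AutoSize
```

Correlating a 5007 exclusion event with an interactive PowerShell session launched from an IIS worker process is the pairing that would have surfaced this intrusion early.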
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4069515/open-source-monitor-turns-into-an-off-the-shelf-attack-beacon.html