Taipei/Tokyo/Seoul/Hong Kong: Cybersecurity firm Huntress reports that more than 100 systems across Taiwan, Japan, South Korea, and Hong Kong were compromised in a politically motivated campaign using an open-source server monitoring tool, highlighting the growing use of legitimate software in state-linked cyber espionage.
A China-linked cyber campaign has targeted over 100 systems in East Asia using a legitimate open-source monitoring tool called Nezha, cybersecurity firm Huntress has revealed. The discovery underscores how everyday administrative software can be weaponized for politically motivated espionage.
Intrusion Traced to Vulnerable Web Application
Huntress investigators first detected the campaign in early August while examining a vulnerable public-facing web application. Attackers initially gained access through a web shell before deploying Nezha, a tool designed for server monitoring and task management.
While Nezha has legitimate IT applications, Huntress noted this is a novel instance of abuse, with the tool being used to execute remote commands and deploy malware following web intrusions.
“Nezha Works Like a Remote Control”
Explaining the tool’s functionality, Jai Minton, Principal Security Operations Analyst at Huntress, said:
“Nezha is like a remote control for a TV. The dashboard acts as the remote, and the agent installed on a computer is the TV. It allows full remote access over the internet.”
The investigation revealed that Nezha was often combined with Ghost RAT and AntSword, malware and web-shell management tools previously linked to China-nexus Advanced Persistent Threat (APT) groups.
Evidence Suggests Chinese Involvement
Investigators noted that attackers changed the administrative interface language to Simplified Chinese after gaining access, providing one of the first clues to their origin.
Although Huntress did not formally attribute the campaign to a specific group, Minton highlighted overlaps with previously documented Chinese APT operations:
“The Ghost RAT sample resembles one used in attacks by a China-nexus APT group targeting the Tibetan community.”
Politically Sensitive Targets
Most victims were located in Taiwan, Japan, and South Korea, countries involved in territorial and maritime disputes with China in the East China Sea.
“The speed of compromise, absence of financial motivation, and lack of typical cybercriminal tradecraft suggest a politically driven campaign rather than financially motivated attacks,” Minton said.
Over 100 Victims and Counting
The report notes that more than 100 systems were affected, with some entities responding quickly enough to limit exposure to a few hours.
Huntress warned, however, that the attackers’ skill and persistence should not be underestimated:
“Their ability to compromise systems swiftly and maintain long-term access using an underreported tool indicates a capable China-nexus threat actor that has received limited public attention.”
Conclusion
This campaign illustrates the growing trend of weaponizing legitimate open-source software for espionage purposes. Huntress urged organizations to strengthen monitoring of server management tools, web applications, and remote access systems, emphasizing that even widely used software like Nezha can be repurposed for sophisticated cyber operations.
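The intrusion chain the article describes (web shell first, then a remote-management agent installed on the compromised host) leaves a process-lineage trail that defenders can alert on. The following is an added example, not code from Huntress, the Nezha project, or the original report: it scans constructed process-creation events for two patterns, a web-server process spawning a command shell, and a remote-management agent running on a host where IT has not approved it. The host names, the approved-agent inventory, the parent-process names and the agent binary name "nezha-agent" are assumptions made for the example.

```python
from dataclasses import dataclass

# Process names (without path or .exe) that typically host web applications.
# A command shell spawned directly by one of these is a classic web-shell signal.
WEB_SERVER_PARENTS = {"w3wp", "httpd", "nginx", "php-fpm", "apache2", "tomcat"}
SHELLS = {"cmd", "powershell", "pwsh", "sh", "bash"}

# Remote-management / monitoring agents that are legitimate only when inventoried.
# "nezha-agent" is assumed to be the agent binary name; adjust to your environment.
REMOTE_MGMT_AGENTS = {"nezha-agent"}

# Hypothetical inventory: host -> agents IT has approved on that host.
APPROVED_AGENTS = {
    "web-01": set(),             # no monitoring agent is approved here
    "web-02": {"nezha-agent"},   # Nezha is a sanctioned tool on this host
}


@dataclass(frozen=True)
class Event:
    """One process-creation record (e.g. from EDR or Sysmon Event ID 1)."""
    host: str
    parent: str
    image: str
    cmdline: str


def normalize(name: str) -> str:
    """Reduce a full image path to a lowercase basename without '.exe'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def analyze(events, approved):
    """Return (host, rule, cmdline) findings for suspicious events, in input order."""
    findings = []
    for ev in events:
        parent = normalize(ev.parent)
        image = normalize(ev.image)
        # Rule 1: web application process executing a shell (web-shell behaviour).
        if parent in WEB_SERVER_PARENTS and image in SHELLS:
            findings.append((ev.host, "web-server-spawned-shell", ev.cmdline))
        # Rule 2: remote-management agent not in the host's approved inventory.
        if image in REMOTE_MGMT_AGENTS and image not in approved.get(ev.host, set()):
            findings.append((ev.host, "unapproved-remote-mgmt-agent", ev.cmdline))
    return findings


# Constructed sample telemetry (not real data): two compromised-looking hosts,
# one sanctioned agent install, and one benign event.
SAMPLE_EVENTS = [
    Event("web-01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c whoami"),
    Event("web-01", r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\nezha-agent.exe",
          "nezha-agent.exe <hypothetical install args>"),
    Event("web-02", r"C:\Windows\System32\services.exe", r"C:\Program Files\nezha\nezha-agent.exe",
          "nezha-agent.exe <hypothetical service args>"),
    Event("web-02", "/usr/sbin/nginx", "/bin/sh", "sh -c id"),
    Event("db-01", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for host, rule, cmdline in analyze(SAMPLE_EVENTS, APPROVED_AGENTS):
        print(f"{host}: {rule}: {cmdline}")
```

Rule 2 is the one that distinguishes this campaign from ordinary use of the tool: the agent itself is legitimate software, so the alert has to key on whether its presence on a given host was sanctioned, not on the binary alone. Maintaining that inventory is the operational cost of detecting dual-use tools without drowning in false positives.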