
Huntress Discovers Sophisticated China-Linked Cyber Campaign Using 'Nezha' Tool

A newly discovered cyber campaign uses a previously underreported tool, Nezha, to remotely control computers and deploy malware. Targets include Taiwan, Japan, South Korea, and Hong Kong, raising political concerns.



Cybersecurity firm Huntress has uncovered a sophisticated cyber campaign involving a previously underreported tool called 'Network Zodiac' or 'Nezha'. This tool, developed by Geedge Networks, a key developer of China's 'Great Firewall', was found to be linked to the Institute of Information Engineering, Chinese Academy of Sciences.

The threat actor first breached a web application and then deployed Nezha to take control of the underlying web server, using that foothold for further malicious activity, including the deployment of malware. Over 100 potential victims were identified across Taiwan, Japan, South Korea, and Hong Kong; some entities responded to the attacks swiftly, an indication of the threat actor's speed and efficiency.

Nezha, a lightweight, open-source server monitoring and task management tool, was found to facilitate follow-on activity after web intrusions. Huntress likened it to a remote control for computers: once installed, it lets the operator run the machine remotely over the internet. The simplified Chinese in the administrative interface and the overlap with previously documented Chinese APT tooling suggest a link to Chinese threat actors, and the targeted regions, all involved in political disputes with the People's Republic of China, point to a politically motivated actor. Nezha was used alongside other malware families and web shell management tools, such as Ghost RAT and AntSword.

The use of an underreported tool like Nezha suggests a capable China-nexus threat actor whose activity has so far gone largely unreported. While Huntress could not determine the specific objective of the attacks, the sophistication of the campaign and the choice of targets raise serious concerns. Further investigation is needed to establish the full extent and purpose of this cyber operation.
