Chinese State-Backed Actors Exploit Open-Source Tool in Massive Cyberattack
Cybersecurity experts have revealed a series of attacks involving a legitimate open-source server monitoring tool, Nezha 2, used for malicious purposes. The incidents, discovered in August 2025, targeted over 100 systems in Taiwan, Japan, South Korea, and Hong Kong, with evidence pointing towards Chinese state-backed actors.
The attacks began with the compromise of vulnerable web applications, followed by the deployment of Nezha 2 to control the servers. This allowed the threat actors to manage the compromised systems remotely, much as a remote control operates a television. The use of simplified Chinese in the administrative interface of the targeted systems further suggested Chinese involvement.
Previous activities of the threat actors, including the use of Ghost RAT and AntSword, malware that has likewise been attributed to Chinese APT groups, strengthened this suspicion. The primary targets - Taiwan, Japan, and South Korea - are all engaged in political disputes with China, indicating a politically motivated threat actor rather than financially driven cybercriminals.
Researchers at Huntress identified over 100 potential victims, with some entities responding swiftly to the attacks. The speed and lack of sophisticated tradecraft in the attacks further supported the hypothesis of a politically motivated actor.
The misuse of the Nezha 2 monitoring tool for malicious activities, alongside other malware families and web shell management tools, highlights the evolving threat landscape. With over 100 systems compromised, the incidents underscore the need for robust cybersecurity measures and international cooperation in attributing and responding to state-backed cyber threats.