
Chinese Threat Actors Weaponize Open-Source Nezha Tool to Deliver Gh0st RAT via Log Poisoning
In August 2025, cybersecurity firm Huntress observed a sophisticated attack campaign attributed to Chinese threat actors. The attackers repurposed Nezha, a legitimate open-source server monitoring and operations tool, to deliver the Gh0st RAT malware. To gain their initial foothold, the campaign used a comparatively unusual technique known as log poisoning (or log injection) to implant a web shell on targeted web servers. The use of a trusted open-source tool highlights how difficult it is to detect malicious activity carried out with legitimate software.

Log poisoning works because web and database servers faithfully record the request data they receive, such as URL paths, user-agent strings and submitted queries. If an attacker can get server-side code (for example a PHP snippet) written into such a record, and can later make the server interpret the log file as a script, for instance through a local file inclusion flaw or by directing log output to a file under the web root, the planted code runs with the web server's privileges. The resulting web shell gives the attacker a foothold that persists until the poisoned file and the dropped shell are removed. This incident underscores the evolving tactics of threat actors, particularly those linked to nation-state activity, who increasingly favor stealthy and persistent methods over noisy exploits.

For cybersecurity professionals, the incident is a reminder to inventory the open-source agents and tools running on their servers, to protect log file integrity, and to deploy threat detection that goes beyond signature matching. Organizations should ship logs off-host, restrict who can change logging configuration and where logs are written, and alert on log entries that contain code fragments rather than ordinary request data. Staff should understand that a tool being open source and widely used does not make it safe to find running unexpectedly on a production host. Behavioral analysis and anomaly detection can also surface the activity that follows a successful web shell, such as a monitoring agent spawning shells or connecting to unfamiliar infrastructure, which is characteristic of a remote access trojan like Gh0st RAT.

Gh0st RAT itself is a well-known remote access trojan with a long history of use by China-linked groups, and its appearance here further emphasizes the need for vigilance and proactive defense. The attack demonstrates the necessity of continuous monitoring and of layered security measures to counter threats that arrive wrapped in legitimate tooling.
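The detection recommended above can be made concrete. The following scanner, added here as an illustration and not taken from the Huntress report, reads web server access-log lines in the common "combined" format (an assumption; adjust the regex for your own format) and flags entries whose request path, referer or user-agent carries server-side code markers that would execute if the log were ever included as a script, or a traversal that points a script at a log file. The log lines are constructed for the example and do not come from the campaign.

```python
"""Flag log-poisoning attempts in web server access logs.

Added example, not code from the original article or the Huntress report.
Assumes Apache/Nginx "combined" log format; the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# "combined" format: ip ident user [ts] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered markers: what the poisoned field would mean if PHP ever included
# this file. Names are labels chosen for this example.
MARKERS = [
    ("php-tag", re.compile(r"<\?(?:php|=)", re.I)),
    ("dangerous-call", re.compile(
        r"\b(?:eval|system|passthru|shell_exec|exec|assert)\s*\(", re.I)),
    ("base64", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("superglobal", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[", re.I)),
    # Traversal that reaches a log file: the include step of the attack.
    ("log-include", re.compile(r"\.\./.*\.log\b", re.I)),
]

FIELDS = ("request", "referer", "ua")


@dataclass
class Finding:
    line_no: int
    field: str    # request / referer / ua, or "raw" if the line failed to parse
    marker: str   # marker label from MARKERS, or "unparsed"
    value: str    # the (percent-decoded) field content that matched


def first_marker(text):
    """Return the label of the first marker matching text, else None."""
    for label, pattern in MARKERS:
        if pattern.search(text):
            return label
    return None


def scan_log(lines):
    """Scan log lines and return a Finding for every suspicious field."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if m is None:
            # A poisoned entry may itself break the format; scan the whole line.
            label = first_marker(unquote(line))
            if label:
                findings.append(Finding(n, "raw", "unparsed", line))
            continue
        for field in FIELDS:
            # Decode once: attackers usually URL-encode the PHP open tag.
            value = unquote(m.group(field))
            label = first_marker(value)
            if label:
                findings.append(Finding(n, field, label, value))
    return findings


# Constructed sample: one benign hit, a UA payload, an encoded query payload,
# and the LFI request that would include the poisoned log.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2025:10:01:07 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "<?php system($_GET['c']); ?>"
10.0.0.9 - - [12/Aug/2025:10:02:11 +0000] "GET /?p=%3C%3Fphp%20eval(base64_decode(%24_POST%5Bx%5D))%3B%3F%3E HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [12/Aug/2025:10:03:40 +0000] "GET /index.php?page=../../../var/log/apache2/access.log HTTP/1.1" 200 9001 "-" "curl/8.0"
'''.strip().splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.marker} in {f.field}: {f.value[:70]}")
```

Running it reports the user-agent payload on line 2, the percent-encoded PHP in the query string on line 3, and the traversal to the access log on line 4, while the ordinary request on line 1 is silent. The same function can be run over a log file at rest to check whether it already contains code, which is the integrity check the text calls for; a match there means the file must be treated as a potential web shell, not just a noisy log.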