The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors

    Date: 10/15/2025

    Severity: High

    Summary

    A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises. Over 100 machines, mainly in Taiwan, Japan, South Korea, and Hong Kong, were affected. The incident highlights how threat actors increasingly exploit publicly available tools for stealth and effectiveness.

    Indicators of Compromise (IOC) List

    URLs/Domains

    c.mid.al

    gd.bj2.xyz

    https://rism.pages.dev/microsoft.exe

    IP Addresses

    54.46.50.255

    45.207.220.12

    172.245.52.169

    Hashes (SHA-256)

    f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16

    9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6

    7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958

    82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999

    35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://rism.pages.dev/microsoft.exe" or siteurl like "https://rism.pages.dev/microsoft.exe" or url like "https://rism.pages.dev/microsoft.exe" or domainname like "gd.bj2.xyz" or siteurl like "gd.bj2.xyz" or url like "gd.bj2.xyz" or domainname like "c.mid.al" or siteurl like "c.mid.al" or url like "c.mid.al"

    Detection Query 2:

    dstipaddress IN ("54.46.50.255","45.207.220.12","172.245.52.169") or srcipaddress IN ("54.46.50.255","45.207.220.12","172.245.52.169")

    Detection Query 3:

    sha256hash IN ("7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958","9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6","f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16","82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999","35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3")
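    The three queries above are simple indicator matches: substring matches on URL-type fields, exact matches on source/destination IP, and exact matches on a SHA-256 file hash. The following Python is an added example, not Gurucul's or Huntress's code, that re-implements those three queries over constructed sample log records so the matching logic can be checked offline. It assumes that `like` behaves as a case-insensitive substring match and `IN` as an exact set membership test; those semantics are an assumption about the TDIR query language, not documented behaviour. The indicator values are copied from the IOC list above; the field names (`domainname`, `siteurl`, `url`, `dstipaddress`, `srcipaddress`, `sha256hash`) are the ones the queries use.

```python
# Added example (not from the advisory): Python re-implementation of the
# three detection queries, evaluated against constructed sample records.
# Assumption: `like` == case-insensitive substring, `IN` == exact membership.
from __future__ import annotations

from typing import Any

# Indicators copied verbatim from the advisory's IOC list.
IOC_URLS_DOMAINS = (
    "https://rism.pages.dev/microsoft.exe",
    "gd.bj2.xyz",
    "c.mid.al",
)
IOC_IPS = frozenset({"54.46.50.255", "45.207.220.12", "172.245.52.169"})
IOC_SHA256 = frozenset({
    "f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16",
    "9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6",
    "7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958",
    "82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999",
    "35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3",
})

# Field names taken from the detection queries above.
URL_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"


def _text(event: dict[str, Any], key: str) -> str:
    """Return a field as a trimmed, lower-cased string ('' when absent)."""
    value = event.get(key)
    return "" if value is None else str(value).strip().lower()


def query_1(event: dict[str, Any]) -> bool:
    """Detection Query 1: any URL-type field contains a listed domain/URL."""
    return any(
        ioc.lower() in _text(event, field)
        for field in URL_FIELDS
        for ioc in IOC_URLS_DOMAINS
    )


def query_2(event: dict[str, Any]) -> bool:
    """Detection Query 2: source or destination IP is in the listed set."""
    return any(_text(event, field) in IOC_IPS for field in IP_FIELDS)


def query_3(event: dict[str, Any]) -> bool:
    """Detection Query 3: SHA-256 of the observed file is in the listed set."""
    return _text(event, HASH_FIELD) in IOC_SHA256


QUERIES = {
    "Detection Query 1": query_1,
    "Detection Query 2": query_2,
    "Detection Query 3": query_3,
}


def evaluate(events: list[dict[str, Any]]) -> list[tuple[int, list[str]]]:
    """Return (event index, [matched query names]) for each event that hits."""
    hits: list[tuple[int, list[str]]] = []
    for index, event in enumerate(events):
        matched = [name for name, check in QUERIES.items() if check(event)]
        if matched:
            hits.append((index, matched))
    return hits


# Constructed sample records (not real telemetry). Mixed case is deliberate:
# DNS and EDR sources often emit upper-case values, which normalization handles.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"type": "proxy", "url": "https://rism.pages.dev/microsoft.exe", "srcipaddress": "10.0.0.5"},
    {"type": "dns", "domainname": "GD.BJ2.XYZ", "srcipaddress": "10.0.0.7"},
    {"type": "netflow", "srcipaddress": "10.0.0.9", "dstipaddress": "45.207.220.12"},
    {"type": "edr_file", "sha256hash": "7B2599ED54B72DAEC0ACFD32744C7A9A77B19E6CF4E1651837175E4606DBC958"},
    {"type": "proxy", "url": "https://example.org/index.html", "srcipaddress": "10.0.0.5"},
    {"type": "netflow", "srcipaddress": "10.0.0.9", "dstipaddress": "45.207.220.120"},  # near miss, no hit
]

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", ", ".join(names))
```

    Two points the sample records make visible: IP and hash matches are exact, so the near-miss address `45.207.220.120` correctly produces no alert, while the substring semantics assumed for `like` mean that `c.mid.al` would also match any longer hostname that contains it, which is worth remembering when triaging Query 1 hits.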

    Reference:

    https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool


    Tags

    Threat Actor, Ghost RAT, RAT, China-Nexus, Taiwan, Japan, South Korea, Hong Kong, Log poisoning, AntSword, Crown Prince, Nezha, Exploit, Malware

