Ransomware, Malware, Network Security, Third-party code
December 24, 2025

(Adobe Stock)
Attackers were observed using Nezha, a legitimate open-source monitoring tool, as a post-exploitation remote access trojan (RAT)
In a Dec. 22 blog post, Ontinue researchers said attackers leverage Nezha because it offers SYSTEM/root level access, file management, and an interactive web terminal.
According to the Ontinue researchers, VirusTotal shows 0/72 detections because Nezha isn’t malware — it’s legitimate software. Its installation is silent, and detection only becomes possible once attackers start executing commands through the Nezha agent.
“Attackers favor legitimate tools because they evade signature detection, blend with normal activity, and reduce development effort,” wrote the researchers. “Defenders must respond by focusing on behavior, context, and anomaly detection rather than relying solely on known-bad indicators.”
Mayuresh Dani, security research manager at the Qualys Threat Research Unit, said the weaponization of Nezha reflects an emerging attack strategy in which threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses.
In networks where this server monitoring tool is already known, Dani said defender teams might even overlook the anomalous activity. It’s not novel at all, said Dani, as this behavior has been seen in the past with living-off-the-land (LOTL) techniques and remote monitoring and management (RMM) tools such as TeamViewer.
“What’s concerning is that the Nezha agent delivers SYSTEM/root-level access,” said Dani. “Although it isn’t malicious by design, it helps threat actors repurpose the use of this legitimate tool, cut development time to reliably execute remote commands, access remote files and access the compromised system using interactive shells. In short, we must stop viewing tools as either malicious or benign, and instead focus on usage patterns and context.”
Dani said security teams should do the following:
- Inventory all RMM and remote access tools deployed across their infrastructure.
- Configure monitoring tools for behavioral detection with real-time alerting.
- Establish "lifetime" restrictions on the usage of RMM tools to prevent malicious reuse.
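The two detection ideas above, an inventory of where the agent is allowed to run and a behavioral check for the moment an operator executes commands through it, can be expressed as a small rule set over process-creation events. The following script is an added example written for this article, not code from Ontinue, Qualys or the Nezha project. The event field names, the authorized-host inventory and the sample events are constructed; the agent process name `nezha-agent` is assumed.

```python
"""
Behavioral detection for a legitimate monitoring agent used as a RAT.

Added example (not the article's or any vendor's code). Two rules over
constructed process-creation events:
  1. inventory check  - the agent runs on a host not in the allow-list
                        (the "inventory all RMM tools" recommendation);
  2. behavior check   - the agent spawns a shell or command interpreter,
                        i.e. someone is driving its interactive terminal
                        (the "detect on behavior, not signatures" point).
"""
from dataclasses import dataclass

# Assumed inventory: hosts where the agent is deployed on purpose.
AUTHORIZED_AGENT_HOSTS = {"mon-01", "mon-02"}

# Assumed agent binary names, plus interpreters a web terminal would
# hand commands to. Compared as lower-case basenames.
MONITORED_AGENTS = {"nezha-agent", "nezha-agent.exe"}
SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-case file name of a POSIX or Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return (host, rule, command_line) tuples for every rule that fires."""
    alerts = []
    for ev in events:
        parent = basename(ev.parent_image)
        child = basename(ev.image)
        # Rule 1: the agent itself started on a host outside the inventory.
        if child in MONITORED_AGENTS and ev.host not in AUTHORIZED_AGENT_HOSTS:
            alerts.append((ev.host, "agent_on_unauthorized_host", ev.command_line))
        # Rule 2: the agent launched a shell; normal monitoring children
        # (df, uptime, ...) are not shells, so they do not fire this rule.
        if parent in MONITORED_AGENTS and child in SHELLS:
            alerts.append((ev.host, "agent_spawned_shell", ev.command_line))
    return alerts


# Constructed sample events: one authorized agent start, one agent start on
# an unexpected host, an interactive shell from the agent, a normal
# monitoring child, and the same shell pattern on a Windows workstation.
SAMPLE_EVENTS = [
    ProcEvent("mon-01", "root", "/usr/lib/systemd/systemd",
              "/opt/nezha/agent/nezha-agent", "nezha-agent -c agent.yml"),
    ProcEvent("web-03", "root", "/usr/lib/systemd/systemd",
              "/opt/nezha/agent/nezha-agent", "nezha-agent -c agent.yml"),
    ProcEvent("web-03", "root", "/opt/nezha/agent/nezha-agent",
              "/bin/bash", "bash -i"),
    ProcEvent("mon-02", "root", "/opt/nezha/agent/nezha-agent",
              "/usr/bin/df", "df -h"),
    ProcEvent("ws-07", "SYSTEM", r"C:\Program Files\Nezha\nezha-agent.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


def run_example():
    """Apply both rules to the constructed events and return the alerts."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, rule, cmd in run_example():
        print(f"{host:8} {rule:28} {cmd}")
```

The allow-list is what turns an otherwise benign process start into a finding, which is the practical consequence of the inventory recommendation: without it, rule 1 cannot exist. Rule 2 deliberately ignores ordinary monitoring children so that the agent's normal job does not generate alerts; only the shell hand-off, the observable moment the article describes, fires.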