
A legitimate and widely used open source server monitoring tool has been repurposed by attackers to gain complete remote control of compromised systems.
According to findings from the Ontinue Cyber Defense Center, the activity involves Nezha, a popular monitoring platform that offers administrators system visibility and remote management features in Windows and Linux environments.
In this campaign, Nezha is deployed as a remote access tool (RAT) in the post-exploitation phase rather than as traditional malware. Because the software is legitimate and actively maintained, it records zero detections on VirusTotal: none of the 72 security vendors flagged it as suspicious. The agent is installed silently and only becomes visible when attackers begin issuing commands, which makes traditional signature-based detection ineffective.
Mayuresh Dani, security research manager at Qualys, notes that this “instrumentalization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses.” In networks where this monitoring tool is already in use, defense teams may not even notice the anomalous activity.
How Nezha is Abused
Nezha was originally developed for the Chinese IT community and has gained popularity on GitHub. Its architecture is based on a central panel that manages lightweight agents installed on the monitored systems.
These agents support:
- Command execution.
- File transfer.
- Interactive terminal sessions.
These capabilities are useful to administrators, but equally attractive to attackers.
Ontinue researchers identified the abuse during an incident response engagement, where a bash script attempted to deploy the Nezha agent with infrastructure controlled by the attacker. The script included status messages in Chinese and configuration details that pointed to a remote panel hosted on Alibaba Cloud infrastructure, located in Japan. Although the language suggests a Chinese-speaking author, Ontinue cautioned that such indicators are easy to falsify and should not be used for attribution.
Elevated Privileges by Design
In controlled testing, Ontinue confirmed that the Nezha agent runs with elevated privileges by design.
- On Windows systems, it provided an interactive PowerShell session as NT AUTHORITY\SYSTEM.
- On Linux systems, it resulted in root access.
No additional exploitation or privilege escalation was required. “While not malicious by design, it helps threat actors repurpose the use of this legitimate tool, reduce development time to reliably execute remote commands, access remote files, and access the compromised system using interactive shells,” Dani commented.
A review of the exposed dashboard associated with the incident suggested that hundreds of endpoints could have been connected, highlighting the scale such abuse can reach when a single shared secret is compromised.
Ontinue emphasized that distinguishing malicious intent from fair use remains a persistent challenge. As Dani noted, “we must stop viewing tools as malicious or benign, and instead focus on usage patterns and context.”
Conclusion
Using legitimate tools for malicious purposes is a growing tactic in the threat landscape. Detecting these types of attacks requires security teams to move from signature-based detection to a more contextual and behavioral approach. Monitoring the usage patterns and unusual behavior of systems administration tools, even those considered “trusted,” is crucial to identifying and responding to threat actors who abuse the inherent trust of legitimate tools.
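The behavioural approach described above, and the privileged-by-design behaviour noted in the section on elevated privileges, can be turned into a concrete hunt. The script below is an added example written for this article; it is not Ontinue's tooling or code from the Nezha project. It takes a process snapshot and a socket snapshot (formats modelled on `ps -eo user,pid,ppid,comm,args` and a simplified `ss -tnp`, both constructed here) and asks the questions a defender cares about for any remote-management agent: is it talking to a panel we approved, is it running as root, and is it spawning shells? The process names, paths, addresses and the approved-panel list are all constructed for the example.

```python
"""Hunt for remote-management-agent abuse in process and socket snapshots.

Added example, not code from Ontinue or the Nezha project. Field layouts
assume output shaped like `ps -eo user,pid,ppid,comm,args` and a simplified
`ss -tnp`; all sample data below is constructed.
"""
import re
from dataclasses import dataclass

AGENT_NAMES = {"nezha-agent", "nezha-agent.exe"}
SHELLS = {"bash", "sh", "dash", "zsh", "pwsh", "powershell.exe", "cmd.exe"}
PRIVILEGED_USERS = {"root", "SYSTEM"}

# One simplified `ss -tnp` line: state, recv-q, send-q, local, peer, users:(("comm",pid=N,fd=N))
SS_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+)\s+users:\(\("[^"]+",pid=(?P<pid>\d+)'
)


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    comm: str
    args: str


@dataclass
class Finding:
    pid: int
    severity: str
    reason: str


def parse_ps(lines):
    """Parse ps-style lines into a pid -> Proc map, skipping the header."""
    procs = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.upper().startswith("USER"):
            continue
        fields = line.split(None, 4)
        user, pid, ppid, comm = fields[:4]
        args = fields[4] if len(fields) > 4 else ""
        procs[int(pid)] = Proc(user, int(pid), int(ppid), comm, args)
    return procs


def parse_peers(lines):
    """Map pid -> set of peer host:port from simplified ss-style lines."""
    peers = {}
    for raw in lines:
        m = SS_RE.match(raw.strip())
        if m:
            peers.setdefault(int(m["pid"]), set()).add(m["peer"])
    return peers


def hunt(ps_lines, ss_lines, approved_panels):
    """Return findings for agents whose behaviour does not match the approved deployment."""
    procs = parse_ps(ps_lines)
    peers = parse_peers(ss_lines)
    findings = []
    for p in procs.values():
        if p.comm not in AGENT_NAMES:
            continue
        # The agent runs as root/SYSTEM by design, so privilege alone is not a
        # finding; it raises the severity of anything else we observe.
        sev = "high" if p.user in PRIVILEGED_USERS else "medium"
        # A panel outside the allowlist means the agent answers to someone else.
        for peer in sorted(peers.get(p.pid, ())):
            if peer not in approved_panels:
                findings.append(Finding(p.pid, sev, f"agent connects to unapproved panel {peer}"))
        # A shell child is what an operator's interactive session looks like on the host.
        for child in procs.values():
            if child.ppid == p.pid and child.comm in SHELLS:
                findings.append(
                    Finding(p.pid, sev, f"agent spawned shell {child.comm} (pid {child.pid}): {child.args}")
                )
    return findings


# Constructed sample data: one agent bound to an approved panel (pid 900) and one
# bound to an unknown panel that has opened an interactive shell (pid 812).
PS_SNAPSHOT = """
USER PID  PPID COMM        ARGS
root 1    0    systemd     /sbin/init
root 812  1    nezha-agent /opt/monitoring/nezha-agent
root 4410 812  bash        bash -i
root 4422 4410 whoami      whoami
root 900  1    nezha-agent /opt/monitoring/nezha-agent
""".strip().splitlines()

SS_SNAPSHOT = """
ESTAB 0 0 10.0.0.5:43210 203.0.113.10:5555 users:(("nezha-agent",pid=812,fd=7))
ESTAB 0 0 10.0.0.5:43211 10.0.0.2:5555 users:(("nezha-agent",pid=900,fd=7))
""".strip().splitlines()

APPROVED_PANELS = {"10.0.0.2:5555"}  # constructed: the panel the admins actually run

if __name__ == "__main__":
    for f in hunt(PS_SNAPSHOT, SS_SNAPSHOT, APPROVED_PANELS):
        print(f"[{f.severity}] pid {f.pid}: {f.reason}")
```

The allowlist is the key input: because the agent is legitimate software, the only thing that separates the administrators' deployment from an attacker's is which panel it reports to and what it does once connected. Feeding the script real `ps` and `ss` output on a schedule, or the equivalent process-tree and network telemetry from an EDR, gives the usage-pattern view the article calls for without relying on a signature for the binary itself.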
References
- Ontinue’s Cyber Defense Center findings.
- Mayuresh Dani, Security Research Manager at Qualys.
- Related article: Attacker “Patches” Vulnerability Post Exploitation to Lock Out Competition.