Nezha Monitoring Tool Repurposed as Post-Exploitation RAT
🔍 A legitimate open-source server monitoring platform, Nezha, is being abused by threat actors as a post-exploitation remote access tool. Ontinue's Cyber Defense Center found attackers silently installing the agent to gain SYSTEM/root privileges and execute remote commands, file transfers and interactive shells. Because the software is legitimate and shows zero detections on VirusTotal, signature-based defenses often fail to flag this misuse. The campaign highlights the challenge of distinguishing benign tools from adversary activity.
