Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave
Oct 08, 2025
Malware / Threat Intelligence
Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets.

The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web server.

"This allowed the threat actor to control the web server using ANTSWORD, before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server," researchers Jai Minton, James Northey, and Alden Schmidt said in a report shared with The Hacker News.

In all, the intrusion is said to have likely compromised more than 100 victim machines, with a majority of the infections reported in Taiwan, Japan, South Korea, and Hong Kong.

The attack chain pieced together by Huntress shows that the attackers, described as a "technically prof...
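Log poisoning in its classic form works by getting attacker-controlled text, typically PHP code in a request path, Referer or User-Agent header, written into a server-side log, and then coaxing the application into including that log file so the planted code executes as a web shell. The script below is an added example written for this page, not Huntress's tooling and not a reconstruction of the specific Nezha intrusion (the report details beyond the summary above are not on this page). It assumes an Apache/Nginx combined access-log layout, uses constructed sample lines, and flags two things a defender would hunt for: request fields carrying PHP or shell-like code, and a later request that tries to include the log file via path traversal. It then correlates the two by source address.

```python
import re

# Assumed layout: Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers of PHP code or web-shell idioms that should never appear in
# client-supplied request data written to a log a later include could load.
POISON_PATTERNS = [
    re.compile(r'<\?(php|=)', re.I),
    re.compile(r'\b(eval|assert|system|passthru|shell_exec)\s*\(', re.I),
    re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\[', re.I),
]

# Path traversal that reaches a web-server log file (the "include" half).
LFI_RE = re.compile(r'(\.\./){2,}.*(access|error)\.log', re.I)

# Constructed sample lines for this example; not data from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2025:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php eval($_POST['cmd']); ?>"
198.51.100.7 - - [12/Aug/2025:10:02:00 +0000] "GET /<?php system($_GET['c']); ?> HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [12/Aug/2025:10:03:11 +0000] "GET /view.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_poisoned_fields(entry):
    """Return (field, pattern) pairs for request fields carrying code."""
    hits = []
    for field in ("req", "referer", "ua"):
        for pat in POISON_PATTERNS:
            if pat.search(entry[field]):
                hits.append((field, pat.pattern))
                break  # one hit per field is enough to flag it
    return hits


def find_log_inclusion(entry):
    """True when the request path traverses to a web-server log file."""
    return bool(LFI_RE.search(entry["req"]))


def scan(log_text):
    """Scan log text and return a list of findings in line order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            findings.append({"line": lineno, "kind": "unparsed"})
            continue
        poisoned = find_poisoned_fields(entry)
        if poisoned:
            findings.append({"line": lineno, "ip": entry["ip"],
                             "kind": "poison",
                             "fields": [f for f, _ in poisoned]})
        if find_log_inclusion(entry):
            findings.append({"line": lineno, "ip": entry["ip"],
                             "kind": "log_include"})
    return findings


def correlate(findings):
    """Source IPs that both wrote code into the log and tried to include it."""
    poisoners = {f["ip"] for f in findings if f["kind"] == "poison"}
    includers = {f["ip"] for f in findings if f["kind"] == "log_include"}
    return sorted(poisoners & includers)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for r in results:
        print(r)
    print("likely log-poisoning chains from:", correlate(results))
```

The poison patterns are deliberately narrow to keep false positives low on real traffic; the stronger signal is the correlation step, because a single address that first injects code into the log and then requests the log through a traversal path is the full technique, not a scanner probe. Error logs deserve the same treatment, since a malformed request can land code there without ever touching the access log.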