
Open-source monitor turns into an off-the-shelf attack beacon

Once Nezha was active, the attackers ran an interactive PowerShell session to create Windows Defender exclusions on key system folders. This allowed them to drop and run a Ghost RAT variant from “C:\Windows\Cursors”. The RAT executable also installed a persistence mechanism and used a domain generation algorithm (DGA) for command and control (C2).
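The two steps described above, an exclusion added on a system folder and a payload then run from that folder, are each noisy on their own but much stronger together. The script below is an added detection example, not Huntress code or part of its published IOCs: it parses constructed records modeled on Defender operational log event 5007 (configuration change, whose "New value" text names the exclusion registry path; the exact message layout is an assumption), flags exclusions under folders a practitioner would treat as sensitive (the `SENSITIVE_PREFIXES` list is an assumption to tune per environment), and then correlates excluded folders with constructed process-creation records so that any executable launched from a freshly excluded folder is surfaced.

```python
"""Flag Defender path-exclusion tampering and correlate it with execution
from the excluded folder. All log records here are constructed samples."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Folders where a new Defender exclusion is rarely legitimate (assumption; tune per estate).
SENSITIVE_PREFIXES = (
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\programdata",
    r"c:\users\public",
)

# Matches the "New value" text of a 5007 event that adds a path exclusion
# (format modeled on the Defender operational log; assumption).
EXCLUSION_RE = re.compile(
    r"exclusions\\paths\\(?P<path>[^=]+?)\s*=\s*0x0", re.IGNORECASE
)


@dataclass
class Finding:
    kind: str    # "sensitive_exclusion" or "exec_from_excluded_path"
    path: str    # excluded folder, or the executable image
    detail: str  # raw evidence for the analyst


def parse_exclusion(new_value: str) -> Optional[str]:
    """Return the excluded folder named in a 5007 'New value' string, if any."""
    m = EXCLUSION_RE.search(new_value)
    return m.group("path").strip().rstrip("\\") if m else None


def is_sensitive(path: str) -> bool:
    """True when the folder is one of, or sits under, a sensitive system prefix."""
    p = path.lower().rstrip("\\")
    return any(p == s or p.startswith(s + "\\") for s in SENSITIVE_PREFIXES)


def detect(defender_events: List[Tuple[str, str]],
           process_events: List[Tuple[str, str]]) -> List[Finding]:
    """defender_events: (event_id, new_value); process_events: (image, parent)."""
    findings: List[Finding] = []
    excluded: List[str] = []
    for event_id, new_value in defender_events:
        if event_id != "5007":
            continue
        path = parse_exclusion(new_value)
        if path is None:
            continue
        excluded.append(path)
        if is_sensitive(path):
            findings.append(Finding("sensitive_exclusion", path, new_value))
    # Any process image under a newly excluded folder is worth a look, sensitive or not.
    for image, parent in process_events:
        for folder in excluded:
            if image.lower().startswith(folder.lower() + "\\"):
                findings.append(Finding("exec_from_excluded_path", image, f"parent={parent}"))
                break
    return findings


# Constructed sample records (not real telemetry).
DEFENDER_EVENTS = [
    ("5007", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors = 0x0"),
    ("5007", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\BuildCache = 0x0"),
    ("5007", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"),
    ("1116", r"Detected Trojan:Win32/Sample in C:\Temp\x.exe"),
]
PROCESS_EVENTS = [
    (r"C:\Windows\Cursors\update.exe", "powershell.exe"),
    (r"D:\BuildCache\msbuild.exe", "cmd.exe"),
    (r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for f in detect(DEFENDER_EVENTS, PROCESS_EVENTS):
        print(f"[{f.kind}] {f.path}  ({f.detail})")
```

On the constructed input this yields one `sensitive_exclusion` finding for `C:\Windows\Cursors` and two `exec_from_excluded_path` findings; the `D:\BuildCache` exclusion alone is not flagged, which is the point of the correlation: an exclusion on a build drive is often routine, an executable started from an excluded folder by a shell is what deserves a ticket. In production the inputs would come from the Defender operational log and Sysmon or EDR process-creation telemetry rather than tuples.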

Huntress’ analysis showed the Ghost RAT implant had a multi-stage loader, dynamic API resolution, and command blocks consistent with China-nexus APT activities. The team was able to contain the August 2025 incident before attackers could cause significant damage.

“Fortunately, Huntress was able to isolate the system and remediate the incident by removing the web shell, Nezha agent, and malware before the attacker could carry out any further objectives,” the researchers added. Huntress published a set of indicators of compromise (IOCs) tied to the intrusion, including the file names and paths for the web shell, Nezha agent, and the Ghost RAT payload. This incident fits a broader 2025 pattern of threat actors abusing legitimate admin and monitoring tools for persistence on networks.
