Open-source tool Nezha used as post-exploitation remote access trojan

Attackers were observed using Nezha, a legitimate open-source monitoring tool, as a post-exploitation remote access trojan (RAT)

In a Dec. 22 blog post, Ontinue researchers said attackers leverage Nezha because it offers SYSTEM/root level access, file management, and an interactive web terminal.

According to the Ontinue researchers, VirusTotal shows 0/72 detections because Nezha isn’t malware — it’s legitimate software. Its installation is silent, and detection only becomes possible once attackers execute commands through the Nezha agent.

“Attackers favor legitimate tools because they evade signature detection, blend with normal activity, and reduce development effort,” wrote the researchers. “Defenders must respond by focusing on behavior, context, and anomaly detection rather than relying solely on known-bad indicators.”

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, said the weaponization of Nezha reflects an emerging modern attack strategy in which threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses.

In networks where this server monitoring tool is pre-known, Dani said defender teams might even overlook this anomalous activity. It’s not novel at all, said Dani, as this behavior has been seen in the past with the usage of living-off-the-land (LOTL) techniques and remote monitoring and management (RMM) tools such as TeamViewer.

“What's concerning is that the Nezha agent delivers SYSTEM/root-level access,” said Dani. “Although it isn't malicious by design, it helps threat actors repurpose the use of this legitimate tool, cut development time to reliably execute remote commands, access remote files and access the compromised system using interactive shells. In short, we must stop viewing tools as either malicious or benign, and instead focus on usage patterns and context.”

Dani said security teams should do the following:

  • Inventory all RMM and remote access tools deployed across their infrastructure.
  • Configure monitoring tools for behavioral detection with real-time alerting.
  • Establish "lifetime" restrictions on the usage of RMM tools to prevent malicious reuse.
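As an added illustration of the inventory-plus-behavior approach above (this is example code, not from Ontinue, Qualys or the Nezha project), the following Python detector runs over constructed process-creation events: it flags an approved agent running on a host where the inventory does not expect it, and any interactive shell spawned as a child of the agent. The agent binary name `nezha-agent`, the event field names and the host inventory are assumptions.

```python
from dataclasses import dataclass

# Process-creation event as a defender might collect it from EDR/Sysmon.
# Field names are assumptions; adapt them to your telemetry schema.
@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str

# Inventory of approved remote-access/monitoring agents and the hosts where
# each is expected (constructed sample; the agent name is an assumption).
APPROVED_AGENTS = {
    "nezha-agent": {"mon-01", "mon-02"},
}

# Interactive shells / command interpreters a monitoring agent should not spawn.
SHELLS = {"bash", "sh", "zsh", "cmd", "powershell", "pwsh"}

def basename(path: str) -> str:
    """Normalize a Windows or POSIX image path to a bare lowercase name."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def detect(events):
    """Return (rule, host, detail) findings for context/behavior anomalies."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        # Context: the agent itself is running where the inventory has no record.
        if img in APPROVED_AGENTS and ev.host not in APPROVED_AGENTS[img]:
            findings.append(("agent_outside_inventory", ev.host, img))
        # Behavior: an approved agent is being used as a remote shell.
        if parent in APPROVED_AGENTS and img in SHELLS:
            findings.append(("shell_spawned_by_agent", ev.host,
                             f"{parent} -> {img}: {ev.cmdline}"))
    return findings

# Constructed sample telemetry: two benign events on an inventoried host,
# then an uninventoried install and shells spawned through the agent.
SAMPLE_EVENTS = [
    ProcEvent("mon-01", "/usr/lib/systemd/systemd", "/opt/nezha/nezha-agent", "nezha-agent -c agent.yml"),
    ProcEvent("mon-01", "/opt/nezha/nezha-agent", "/usr/bin/df", "df -h"),
    ProcEvent("fileserver-07", "/usr/lib/systemd/systemd", "/opt/nezha/nezha-agent", "nezha-agent -c agent.yml"),
    ProcEvent("fileserver-07", "/opt/nezha/nezha-agent", "/bin/bash", "bash -c 'id'"),
    ProcEvent("WS-12", "C:\\ProgramData\\nezha\\nezha-agent.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {host:14} {detail}")
```

The allowlist check alone would miss the `WS-12` case, where only a child process is observed; the parent-child rule catches it regardless of where the agent is installed.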
