Intel Name: The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors
Date of Scan: October 15, 2025
Impact: High
Summary: A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises. Over 100 machines, mainly in Taiwan, Japan, South Korea, and Hong Kong, were affected. The incident highlights how threat actors increasingly exploit publicly available tools for stealth and effectiveness.