A legitimate open-source server monitoring tool has been repurposed by attackers to gain full remote control of compromised systems.
According to new findings from Ontinue’s Cyber Defense Center, the activity involves Nezha, a widely used monitoring platform that provides administrators with system visibility and remote management features across Windows and Linux environments.
In this campaign, Nezha is deployed as a post-exploitation remote access tool rather than as malware. Because the software is legitimate and actively maintained, it registers zero detections on VirusTotal: none of the 72 security vendors there flagged it as suspicious.
The agent is installed silently and only becomes visible once attackers begin issuing commands, which makes traditional signature-based detection ineffective.
“The weaponization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses,” said Mayuresh Dani, security research manager at Qualys.
“[In] networks where this server monitoring tool is pre-known, defender teams might even overlook this anomalous activity.”
How Nezha is Being Misused
Nezha was originally developed for the Chinese IT community and has attracted nearly 10,000 stars on GitHub.
Its architecture relies on a central dashboard that manages lightweight agents installed on monitored systems.
Those agents support command execution, file transfers and interactive terminal sessions – capabilities that are useful for administrators but equally attractive to attackers.
Ontinue researchers identified the abuse during an incident response engagement, where a bash script attempted to deploy the Nezha agent with attacker-controlled infrastructure.
The script included Chinese-language status messages and configuration details pointing to a remote dashboard hosted on Alibaba Cloud infrastructure, located in Japan.
While the language suggests a Chinese-speaking author, Ontinue cautioned that such indicators are easy to falsify and should not be used for attribution.
What Testing Revealed
In controlled testing, Ontinue confirmed that the Nezha agent runs with elevated privileges by design.
On Windows systems, it provided an interactive PowerShell session as NT AUTHORITY\SYSTEM, while Linux deployments resulted in root access. No exploitation or privilege escalation was required.
“What’s concerning is that the Nezha agent provides SYSTEM/root-level access,” Dani said.
“Though it isn’t malicious by design, it helps threat actors repurpose the use of this legitimate tool, cut development time to reliably execute remote commands, access remote files and access the compromised system using interactive shells.”
A review of the exposed dashboard associated with the incident suggested that hundreds of endpoints may have been connected, highlighting the scale such abuse can reach when a single shared secret is compromised.
Ontinue said that distinguishing malicious intent from legitimate use remains a persistent challenge.
As Dani noted, “we must stop viewing tools as either malicious or benign, and instead focus on usage patterns and context.”
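The last three paragraphs make the defender's point concrete: an agent that reports to a dashboard nobody in the organisation provisioned, running as root or SYSTEM, is the anomaly to look for, and a shared client secret is what ties hundreds of endpoints to one operator. The following Python triage helper is an added example, not code from Ontinue's report or from the Nezha project. It assumes a flat `key: value` agent configuration with `server` and `client_secret` fields, an install path under `/opt/nezha/agent/` and a process name of `nezha-agent`; those are assumptions about the agent's layout, and the configuration and process listing below are constructed samples, not data from the incident.

```python
"""Context-based triage of a Nezha-style monitoring agent found on a Linux host.

Added example, not from the Ontinue report or the Nezha project. Config keys,
install path and process name are assumptions about the agent's layout; the
sample config and `ps` output are constructed for this example.
"""
import re

# Assumed: the dashboards the organisation actually operates (host:port).
APPROVED_DASHBOARDS = {"monitor.corp.example:8008"}

# Constructed sample: an agent config pointing at a dashboard the org never set up.
SAMPLE_CONFIG = """\
client_secret: 1a2b3c4d5e6f7a8b
server: 203.0.113.45:8008
tls: false
"""

# Constructed sample: output in the shape of `ps -eo user,pid,cmd`.
SAMPLE_PROCESSES = """\
USER       PID CMD
root       412 /usr/lib/systemd/systemd-journald
root      1337 /opt/nezha/agent/nezha-agent -c /opt/nezha/agent/config.yml
www-data  2210 nginx: worker process
"""

# Assumed agent binary name; matched as a path component so "nezha-agent-foo" is ignored.
AGENT_PROCESS_RE = re.compile(r"(?:^|/)nezha-agent(?:\s|$)")


def parse_agent_config(text):
    """Parse a flat `key: value` config into a dict (no YAML library required)."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        config[key.strip()] = value.strip()
    return config


def find_agent_processes(ps_text):
    """Return (user, pid, cmd) for every process whose command looks like the agent."""
    found = []
    for line in ps_text.splitlines()[1:]:  # first line is the ps header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, cmd = parts
        if AGENT_PROCESS_RE.search(cmd):
            found.append((user, int(pid), cmd))
    return found


def assess_agent(config, processes, approved=APPROVED_DASHBOARDS):
    """Classify the deployment by context: where it reports and who it runs as.

    The binary itself is clean, so the verdict rests on the dashboard it talks to
    (is it one we provisioned?), the privilege level it runs with, and whether a
    shared client secret is present that would need rotating if that dashboard
    were ever compromised.
    """
    findings = []
    dashboard = config.get("server", "")
    if not dashboard:
        findings.append("no_dashboard_configured")
    elif dashboard not in approved:
        findings.append("unapproved_dashboard")
    if config.get("client_secret"):
        findings.append("shared_secret_on_disk")
    if any(user == "root" for user, _, _ in processes):
        findings.append("runs_as_root")
    severity = "high" if "unapproved_dashboard" in findings else "info"
    return {"dashboard": dashboard, "findings": findings, "severity": severity}


if __name__ == "__main__":
    cfg = parse_agent_config(SAMPLE_CONFIG)
    procs = find_agent_processes(SAMPLE_PROCESSES)
    print(assess_agent(cfg, procs))
```

On a real host the two sample strings would be replaced by the contents of the agent's config file and the output of `ps -eo user,pid,cmd`; the allowlist is the piece of organisational context that turns "a monitoring agent is running" into "an unexplained monitoring agent is running as root and reporting to an address we do not own".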