TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

The Crown Prince, Nezha | Huntress

2025-10-15

ATT&CK techniques detected

23 predictions
T1059.001 PowerShell
96%
“to an attack that deployed this Nezha agent, given that the first and last seen times for some of the systems with this Nezha agent were only a few hours apart. Figure 21: first and last seen times from Nezha agent are potentially indicative of a swift response process taking pl…”
T1505.003 Web Shell
96%
“one member and no public repositories. Figure 11: screenshot of an empty GitHub account for Moedove. It’s possible that Moedove LLC is a very small operation, potentially run by a small number of individuals out of mainland China. At the time of writing Moedove LLC has only bee…”
T1505.003 Web Shell
96%
“it, and a system running fnOS, a NAS operating system frequently used within mainland China. The logon page for the NAS presented an interesting, unique string: cuoxianxu. Figure 34: screenshot of fnOS hosted on domain used by the threat actor. Conclusion: this blog provides a fas…”
T1505.003 Web Shell
95%
“string passed to it as PHP code. Here, it’s executing whatever input is provided via the $name parameter. - An instance of $me is created and ddd is called with $_REQUEST[1] as the argument, which becomes the $name parameter. In simple terms, this code takes whatever is…”
T1583.001 Domains
92%
“services entry of Moedove LLC. Domains known to be assigned to IP ranges from this ASN appear suspicious, and whilst not directly tied to the intrusion seen, are definitely interesting to note, particularly where they appear to be using a domain generation algorithm (6 numerical …”
T1583.001 Domains
89%
“bj2[.]xyz:53762:sqllite, which corresponds to the domain, port, and service name used by the malware. The blue box highlights a connection to 45.207.220[.]12. This is the same IP we observed operating the web shell through AntSword. Looking at the A records for gd[.…”
T1505.003 Web Shell
89%
“…acing websites - performing strategic website compromises that are then used to target a specific set of individuals. These attacks may come from bots and opportunistic threat actors, but sometimes they can be far more targeted. Beginning in August 2025, Huntress discovered an i…”
T1055.001 Dynamic-link Library Injection
87%
“in 2019. Fortunately, Huntress was able to isolate the system and remediate the incident by removing the web shell, Nezha agent, and malware before the attacker could carry out any further objectives. Ghost RAT implant analysis. Stage 1 (loader): the initial stage is a small lo…”
T1583.003 Virtual Private Server
82%
“The Crown Prince, Nezha | Huntress. Update: 10/15/25 @ 1pm ET. An anonymous individual from mainland China who is said to be familiar with the activity detailed here reached out to Huntress after our original publication. According to the individual, the activity observed wa…”
T1055.001 Dynamic-link Library Injection
82%
“to an attack that deployed this Nezha agent, given that the first and last seen times for some of the systems with this Nezha agent were only a few hours apart. Figure 21: first and last seen times from Nezha agent are potentially indicative of a swift response process taking pl…”
T1190 Exploit Public-Facing Application
82%
“and emerging publicly available tooling as it becomes available to achieve their goals. Due to this, it’s a stark reminder that while publicly available tooling can be used for legitimate purposes, it’s also commonly abused by threat actors due to the low research cost, abili…”
T1071.001 Web Protocols
67%
“different person. The latter scenario is common among threat groups with distinct roles and responsibilities in pursuit of a larger objective. Figure 5: POST commands for the attacker’s C2 server sending instructions, as seen in the logs. Each of these POST requests represents …”
T1190 Exploit Public-Facing Application
57%
“…ies. This incident highlights the requirement to ensure that public-facing applications are patched, hardened to ensure they require authentication wherever possible, and that these actions also apply to test environments as much as production ones. By understanding the step …”
T1055.001 Dynamic-link Library Injection
48%
“first stage had another executable embedded in that data section, this one has the final Ghost RAT PE stored backwards in the data section. It is important to note that the executable is not complete as it is missing the config, which is patched in by stage 2. Figure 30: functio…”
T1059.003 Windows Command Shell
47%
“and requires a number of steps. The attacker first enabled general query logging, so that any queries were logged to disk. They then issued a query containing their one-liner PHP web shell, causing it to be recorded in the log file. Crucially, they set the log file’s name wit…”
T1204.002 Malicious File
47%
“59:02 - x.exe executed from C:\Windows\Cursors\ directory. Figure 23: process tree of malicious executable deployed by threat actor. Analysis of x.exe revealed it was likely a variant of Ghost RAT (also known as gh0st RAT). The malware contained communication protocol…”
T1033 System Owner/User Discovery
47%
“was a simple whoami command to understand what user privileges the web server was operating under. After this, the threat actor changed the working directory for the AntSword virtual terminal to C:\Windows\Cursors, which is a legitimate directory that exists on Windows and i…”
T1059.004 Unix Shell
45%
“seen when using the virtual terminal capability of AntSword as shown below. Figure 13: code block showing core AntSword virtual terminal command-line indicators. Specifically, the following variables are used in the command above: - path: C:\Windows\Cursors\ - cmd: cur…”
T1614.001 System Language Discovery
44%
“incident. The threat actor used an AWS-hosted IP address in Hong Kong to access this server. - IP: 54.46.50[.]255 - ASN: 16509 - ISP: Amazon.com Inc. - Service: datacenter. Immediately upon accessing the admin interface, the threat actor set the language to simplified …”
T1190 Exploit Public-Facing Application
36%
“/phpmyadmin/server_sql.php?lang=zh_cn&ajax_request=true&ajax_page_request=true&_nocache=175452726217376975&token=6f336f372c5a642b57413363265e7d7e HTTP/1.1" 200 4652. The threat actor proceeded to interactively run six SQL commands as indicated…”
T1505.003 Web Shell
34%
“and requires a number of steps. The attacker first enabled general query logging, so that any queries were logged to disk. They then issued a query containing their one-liner PHP web shell, causing it to be recorded in the log file. Crucially, they set the log file’s name wit…”
T1583 Acquire Infrastructure
31%
“The Crown Prince, Nezha | Huntress. Update: 10/15/25 @ 1pm ET. An anonymous individual from mainland China who is said to be familiar with the activity detailed here reached out to Huntress after our original publication. According to the individual, the activity observed wa…”
T1059.003 Windows Command Shell
31%
“one member and no public repositories. Figure 11: screenshot of an empty GitHub account for Moedove. It’s possible that Moedove LLC is a very small operation, potentially run by a small number of individuals out of mainland China. At the time of writing Moedove LLC has only bee…”
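The T1505.003 and T1059.003 excerpts above describe how the web shell was planted: the attacker switched on MySQL general query logging, then issued a query whose text was a PHP one-liner so that the log file itself became the shell once its name pointed somewhere the web server would execute it. The following detection logic is an added example, not code from the Huntress post or from the Nezha, AntSword or Ghost RAT projects. It walks a stream of SQL statements in the MySQL general-query-log layout, keeps per-thread state, and escalates when a PHP payload is issued while general_log_file points at a web-executable path. It also flags the sibling INTO OUTFILE write, which the post does not mention. The log entries, paths, thread IDs and payload text are all constructed assumptions.

```python
"""Detect a MySQL general-query-log web shell write (added example).

Not code from the Huntress post. Sample entries are constructed; the paths,
thread IDs and the eval() one-liner are assumptions standing in for the
real artefacts, which the post does not reproduce in full.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions a web server will execute if the log file is written under a web root.
WEB_EXEC_EXT = re.compile(r"\.(php[0-9]?|phtml|asp|aspx|jsp)$", re.IGNORECASE)
# PHP smuggled inside a SQL statement (the post describes an eval-based one-liner).
PHP_PAYLOAD = re.compile(r"<\?php|<\?=|\beval\s*\(|\$_(?:REQUEST|GET|POST)\b", re.IGNORECASE)
SET_GENERAL_LOG = re.compile(r"\bSET\s+(?:GLOBAL\s+)?general_log\s*=\s*['\"]?(ON|OFF|1|0)['\"]?", re.IGNORECASE)
SET_LOG_FILE = re.compile(r"\bSET\s+(?:GLOBAL\s+)?general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# Sibling technique (not in the post): writing the payload to disk directly.
INTO_OUTFILE = re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)
# General query log layout: "<timestamp> <thread id> <command> <argument>".
LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample (hypothetical): statements as a query audit log or a
# forensic reconstruction would present them. In a live incident the entries
# after the redirect land in the new file, so feed the union of logs.
SAMPLE_GENERAL_LOG = """\
2025-08-05T12:01:02.000000Z     7 Connect   root@localhost on  using TCP/IP
2025-08-05T12:01:05.000000Z     7 Query     SELECT @@version
2025-08-05T12:01:09.000000Z     7 Query     SET GLOBAL general_log = 'ON'
2025-08-05T12:01:12.000000Z     7 Query     SET GLOBAL general_log_file = 'C:/xampp/htdocs/cache.php'
2025-08-05T12:01:15.000000Z     7 Query     SELECT '<?php eval($_REQUEST[1]); ?>'
2025-08-05T12:01:18.000000Z     7 Query     SET GLOBAL general_log = 'OFF'
2025-08-05T12:02:00.000000Z     8 Query     SELECT name FROM users WHERE id = 1
2025-08-05T12:03:40.000000Z     9 Query     SELECT '<?php eval($_REQUEST[1]); ?>' INTO OUTFILE 'C:/xampp/htdocs/a.php'
"""


@dataclass
class Finding:
    line_no: int
    thread: str
    severity: str
    reason: str


@dataclass
class SessionState:
    log_enabled: bool = False
    log_file: Optional[str] = None


def analyze_general_log(text: str) -> List[Finding]:
    """Return findings in log order, escalating on the enable/redirect/payload sequence."""
    findings: List[Finding] = []
    sessions: Dict[str, SessionState] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(raw)
        if not m or m.group(3) != "Query":
            continue
        thread, sql = m.group(2), m.group(4)
        st = sessions.setdefault(thread, SessionState())

        m_toggle = SET_GENERAL_LOG.search(sql)
        if m_toggle:
            st.log_enabled = m_toggle.group(1).upper() in ("ON", "1")
            findings.append(Finding(n, thread, "low", f"general_log set to {m_toggle.group(1).upper()}"))
            continue

        m_file = SET_LOG_FILE.search(sql)
        if m_file:
            st.log_file = m_file.group(1)
            # A .log path is routine DBA activity; a .php path under a web root is the tell.
            sev = "high" if WEB_EXEC_EXT.search(st.log_file) else "medium"
            findings.append(Finding(n, thread, sev, f"general_log_file redirected to {st.log_file}"))
            continue

        has_php = bool(PHP_PAYLOAD.search(sql))
        m_out = INTO_OUTFILE.search(sql)
        if m_out and WEB_EXEC_EXT.search(m_out.group(1)):
            sev = "critical" if has_php else "high"
            findings.append(Finding(n, thread, sev, f"INTO OUTFILE to web-executable path {m_out.group(1)}"))
        elif has_php:
            # The payload only becomes a shell if the log is being written somewhere executable.
            if st.log_file and WEB_EXEC_EXT.search(st.log_file):
                findings.append(Finding(n, thread, "critical",
                                        f"PHP payload issued while general_log_file points at {st.log_file}"))
            else:
                findings.append(Finding(n, thread, "medium", "PHP code inside SQL statement"))
    return findings


def highest_severity(findings: List[Finding]) -> Optional[str]:
    if not findings:
        return None
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    results = analyze_general_log(SAMPLE_GENERAL_LOG)
    for f in results:
        print(f"line {f.line_no} thread {f.thread} [{f.severity}] {f.reason}")
    print("highest:", highest_severity(results))
```

The per-thread state is what separates a noisy "PHP-looking string in a query" alert from the actual technique: a benign `SET GLOBAL general_log_file = '/var/log/mysql/query.log'` stays at medium, and the payload line only reaches critical when the same session has already pointed the log at a web-executable path. On a real host the redirected entries are written to the new file rather than the original log, so the detector should be fed the union of the original log, the redirected file and any audit-plugin output.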

Summary

Beginning in August 2025, Huntress discovered a new tool, Nezha, being used to facilitate web server intrusions; it had not previously been publicly reported on in this role. It was used in tandem with other malware and web shell management tooling, namely Ghost RAT (also known as gh0st RAT) and AntSword.