Nezha RMM and a suspicious vmtools.exe SOCKS5 proxy
A short investigation note on a host where Nezha, a Chinese-developed RMM, led to a mislabeled Node runtime, a SOCKS5 proxy payload, and a PowerShell collection script.
Observed:
- Nezha RMM
- Fake Windows Spooler service
- Mislabeled vmtools.exe Node runtime
- SOCKS5 proxy payload
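The observations above translate directly into two host checks: a service that borrows the Print Spooler's name but does not run the real spoolsv.exe, and a process named vmtools.exe whose PE version resource still identifies it as Node.js (with any listening sockets it owns, since a SOCKS5 proxy has to listen). The script below is an added hunting example written for this note, not code from the original investigation; it assumes the fake service reused a Spooler-like name or display name, and that the renamed Node binary kept Node's own version strings (ProductName "Node.js", OriginalFilename "node.exe"). It uses only built-in cmdlets and is meant to be run in an elevated PowerShell on the host under review.

```powershell
# Added hunting script (not from the original note). Assumptions:
#  - the fake service mimics the real Print Spooler (service "Spooler",
#    binary %SystemRoot%\System32\spoolsv.exe)
#  - the mislabeled Node runtime kept Node's version resource
#    (ProductName "Node.js", OriginalFilename "node.exe")
# Run elevated; output is a table of findings for triage.

$findings = New-Object System.Collections.Generic.List[object]

# --- 1. Services that look like the Print Spooler but run something else ---
$legitSpooler = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

Get-CimInstance Win32_Service | Where-Object {
    $_.Name -imatch 'spool' -or $_.DisplayName -imatch 'spool'
} | ForEach-Object {
    # PathName may be quoted and may carry arguments; keep only the executable
    $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($_.PathName -split '\s+')[0] }
    if ($exe -and ($exe -ne $legitSpooler)) {   # -ne is case-insensitive in PowerShell
        $findings.Add([pscustomobject]@{
            Type    = 'SpoolerLookalikeService'
            Name    = $_.Name
            Display = $_.DisplayName
            Path    = $exe
            Account = $_.StartName
            State   = $_.State
        })
    }
}

# --- 2. Processes named vmtools.exe whose version info says Node.js ---
Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.Path -and ($_.ProcessName -ieq 'vmtools' -or $_.Path -imatch '\\vmtools\.exe$')
} | ForEach-Object {
    $vi = (Get-Item -LiteralPath $_.Path).VersionInfo
    if ($vi.ProductName -imatch 'node' -or $vi.OriginalFilename -ieq 'node.exe') {
        # Command line usually reveals the script the runtime was launched with
        $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)").CommandLine
        $findings.Add([pscustomobject]@{
            Type     = 'MislabeledNodeRuntime'
            Name     = $_.ProcessName
            Path     = $_.Path
            Product  = $vi.ProductName
            Original = $vi.OriginalFilename
            ProcId   = $_.Id
            Command  = $cmd
        })
        # A proxy payload has to listen somewhere; record that process's listeners
        Get-NetTCPConnection -OwningProcess $_.Id -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Type   = 'ListenerOwnedByMislabeledNode'
                    ProcId = $_.OwningProcess
                    Local  = "$($_.LocalAddress):$($_.LocalPort)"
                })
            }
    }
}

# --- 3. On-disk copies of vmtools.exe that are really Node (not currently running) ---
$roots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
         Where-Object { $_ -and (Test-Path -LiteralPath $_) }
Get-ChildItem -Path $roots -Recurse -Filter 'vmtools.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        if ($vi.ProductName -imatch 'node' -or $vi.OriginalFilename -ieq 'node.exe') {
            $findings.Add([pscustomobject]@{
                Type     = 'MislabeledNodeOnDisk'
                Path     = $_.FullName
                Product  = $vi.ProductName
                Original = $vi.OriginalFilename
                Size     = $_.Length
            })
        }
    }

if ($findings.Count -eq 0) { 'No Spooler lookalike or mislabeled Node runtime found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The service check deliberately compares the resolved executable path rather than the service name: the real Spooler is identified by where it runs from, so a lookalike with the correct name but a different binary is still flagged. The version-resource check is the cheap first pass; a renamed binary whose resource was also rewritten would need a hash or import-table comparison against a known node.exe instead.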