NightEagle APT Targets China Via Zero-Day Exchange Exploits

HomeNews* A new threat group known as NightEagle (APT-Q-95) has targeted Microsoft Exchange servers in China using zero-day vulnerabilities.

• The cyber attacks focus on government, defense, and technology organizations, especially in sectors like semiconductors, quantum technology, Artificial Intelligence, and military research.
• NightEagle uses a modified version of the open-source Chisel tool, delivered through a custom .NET loader implanted into Microsoft Internet Information Server (IIS).
• The attackers exploit an Exchange zero-day to obtain key credentials, allowing unauthorized access and data extraction from targeted servers.
• Security researchers suggest the threat actor operates at night in China and may be based in North America, based on observed attack times. Researchers have identified a previously unknown cyber espionage group, NightEagle, actively targeting Microsoft Exchange servers in China. This threat actor uses a chain of zero-day exploits to infiltrate organizations in the government, defense, and advanced technology sectors.

• Advertisement - According to QiAnXin’s RedDrip Team, NightEagle has targeted companies in fields such as semiconductors, quantum technology, artificial intelligence, and military R&D. The group has operated since 2023, moving quickly between different network infrastructures and frequently updating its methods.

The research team began their investigation after finding a custom version of the Chisel penetration tool on a customer system. This tool was set to run automatically every four hours. Analysts explained in their report that the attackers altered the open-source Chisel tool, setting fixed usernames, passwords, and connecting specific ports between the compromised network and their command server.

The initial Malware is delivered through a .NET loader, which is embedded in the Internet Information Server (IIS) of the Exchange server. The attackers leverage an undisclosed flaw—a zero-day vulnerability—to retrieve the server’s machineKey credential. This lets them deserialize and load additional malware into any Exchange server of a compatible version, gaining remote access and the ability to read mailbox data.

A spokesperson for QiAnXin stated, “It seems to have the speed of an eagle and has been operating at night in China,” referencing the group’s operating hours and naming rationale. Based on activity patterns, investigators suspect NightEagle may be based in North America because most attacks occur between 9 p.m. and 6 a.m. Beijing time.

The findings were revealed at CYDES 2025, Malaysia’s National Cyber Defence & Security Exhibition and Conference. QiAnXin has notified Microsoft about the research for further action.

Previous Articles:

• BRICS to Launch Multilateral Guarantee Fund at Rio Summit
• Eurex Clearing Launches DLT-Based Collateral Solution for Margin
• Droitwich man faces 39 fraud charges over £206k charity theft
• Bitcoin Nears Record High as Pro-Crypto Bills Hit U.S. Congress
• Dormant Bitcoin Whales Move $3B After 14 Years, Sparking Buzz

• Advertisement -