Ethical Hacking News
Researchers have uncovered a previously undocumented threat actor known as NightEagle (aka APT-Q-95) that targets Microsoft Exchange servers using a zero-day exploit chain designed to gather intelligence on China's military and tech sectors. The attacks are believed to be carried out by a North American adversary.
The NightEagle threat actor is a highly sophisticated adversary targeting government, defense, and technology sectors in China. NightEagle has demonstrated an unparalleled speed in switching network infrastructure. The adversary's attacks have primarily targeted entities operating in high-tech fields such as chip semiconductors, quantum technology, artificial intelligence, and military verticals for intelligence gathering purposes. A bespoke version of the Chisel utility was found to be modified by NightEagle to establish a connection with a Command and Control (C&C) address. A zero-day exploit enabled attackers to gain unauthorized access to Microsoft Exchange Servers, implanting Trojans and reading mailbox data. Researchers believe NightEagle was likely operated by a threat actor from North America based on the timing of attacks.
The cybersecurity world has been abuzz with the discovery of a new, highly sophisticated threat actor known as NightEagle (also referred to as APT-Q-95). This adversary has been observed utilizing a zero-day exploit chain designed specifically to target government, defense, and technology sectors in China. According to researchers at QiAnXin's RedDrip Team, the NightEagle threat actor has been active since 2023 and has demonstrated an unparalleled speed in switching network infrastructure. The team's findings were presented at CYDES 2025, the third edition of Malaysia's National Cyber Defence & Security Exhibition and Conference held between July 1 and 3, 2025.
The rationale behind naming this adversary NightEagle lies in its apparent ability to operate with the speed of an eagle and predominantly at night within China. The team noted that attacks mounted by NightEagle have specifically targeted entities operating in high-tech fields such as chip semiconductors, quantum technology, artificial intelligence, and military verticals. The primary goal of these operations was gathering intelligence.
The discovery of a bespoke version of the Go-based Chisel utility on one of QiAnXin's customers' endpoints led to an investigation by the company. It was found that the attacker had modified the source code of the open-source Chisel intranet penetration tool, hard-coding its execution parameters and using specific credentials to establish a connection with a Command and Control (C&C) address. This configuration gave the attackers their intranet penetration capability.
Further analysis revealed the presence of a zero-day exploit that enabled attackers to obtain the machineKey and gain unauthorized access to Microsoft Exchange Servers. The attackers used the leaked key to carry out a deserialization attack against the Exchange server, implanting a Trojan on any server running a matching Exchange version and remotely reading any individual's mailbox data.
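Because the intrusion hinges on the Exchange server's ASP.NET machineKey, the defender's first checks after such a report are whether the keys are configured with modern algorithms and, on suspicion of compromise, rotating them. The following Python script is an added example, not code from the article or from QiAnXin: it audits the `<machineKey>` element of a constructed web.config fragment and produces a replacement with fresh random keys. The key-length thresholds assume the lengths IIS Manager's key generator emits (128 and 64 hex characters), and on a real farm the same keys must be applied to every server that shares them.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (not taken from the article or any real Exchange install).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}   # legacy validation settings; HMACSHA256 or stronger is current
WEAK_DECRYPTION = {"DES", "3DES"}           # legacy ciphers; AES is current
HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")
# Assumed thresholds: the key lengths IIS Manager's "Generate Keys" emits.
RECOMMENDED_HEX_LEN = {"validationKey": 128, "decryptionKey": 64}

def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings about the <machineKey> element of an ASP.NET web.config (empty list = clean)."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        return ["no explicit <machineKey>; ASP.NET auto-generates per-server keys"]
    findings = []
    validation = mk.get("validation", "HMACSHA256").upper()
    decryption = mk.get("decryption", "AUTO").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation={validation} is a legacy algorithm; use HMACSHA256 or stronger")
    if decryption in WEAK_DECRYPTION:
        findings.append(f"decryption={decryption} is a legacy cipher; use AES")
    for attr, min_hex in RECOMMENDED_HEX_LEN.items():
        value = mk.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue                      # runtime-generated key, nothing static to inspect
        if not HEX_KEY.match(value):
            findings.append(f"{attr} is missing or not a hex string")
        elif len(value) < min_hex:
            findings.append(f"{attr} is {len(value)} hex chars; {min_hex} recommended")
    return findings

def rotate_machine_key(config_xml: str) -> tuple[str, dict]:
    """Return (new config XML, new key settings) with fresh keys and HMACSHA256/AES selected."""
    root = ET.fromstring(config_xml)
    web = root.find("./system.web")
    if web is None:
        raise ValueError("config has no <system.web> section")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    new = {"validationKey": secrets.token_hex(64).upper(),   # 64 bytes -> 128 hex chars
           "decryptionKey": secrets.token_hex(32).upper(),   # 32 bytes -> 64 hex chars (AES-256)
           "validation": "HMACSHA256", "decryption": "AES"}
    for attr, value in new.items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode"), new
```

Run the audit over every web.config that carries a machineKey; a rotated key invalidates any forged ViewState built from the old one, but it also invalidates legitimate sessions, so schedule the change.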
Based on the characteristics of these attacks, researchers at QiAnXin inferred that NightEagle was likely operated by a threat actor from North America, given the timing of the attacks (between 9 p.m. and 6 a.m. Beijing time). Microsoft had not provided further comment on the matter at the time of writing.
This discovery highlights the ongoing challenges in cybersecurity, where new, sophisticated threats continue to emerge. It underscores the importance of staying vigilant and proactive in defending against such threats, particularly those that target critical infrastructure and sensitive information.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Threat-Actor-Uncovered-The-Rise-of-NightEagle-APT-Exploits-Microsoft-Exchange-Flaw-to-Target-Chinas-Military-and-Tech-Sectors-ehn.shtml
https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html
Published: Fri Jul 4 11:13:05 2025 by llama3.2 3B Q4_K_M