A previously unknown advanced persistent threat (APT) group, dubbed “NightEagle” (also known as APT-Q-95), has been actively exploiting a zero-day vulnerability in Microsoft Exchange servers to target China’s military and high-tech sectors. Cybersecurity researchers from QiAnXin’s RedDrip Team unveiled the sophisticated campaign at the CYDES 2025 conference in Malaysia, highlighting the group’s rapid infrastructure changes and focused intelligence gathering objectives.
NightEagle’s operations, believed to have commenced in 2023, have specifically targeted entities involved in chip semiconductors, quantum technology, artificial intelligence, and the defense industry. The primary goal of these intrusions appears to be espionage, aiming to exfiltrate sensitive intelligence from high-value Chinese organizations.
According to QiAnXin, the attackers leveraged a novel zero-day flaw in Microsoft Exchange to obtain the server's machineKey and thereby gain unauthorized access to Exchange servers. Possession of that key allowed NightEagle to carry out deserialization attacks against the Exchange server and implant a custom Trojan, a modified version of the open-source Go-based Chisel utility, into the Internet Information Server (IIS) service. The Trojan was configured to execute automatically every four hours, establishing a SOCKS connection to a command-and-control (C2) server and mapping it to a specified port for data exfiltration and further network penetration. The compromise effectively allowed the attackers to remotely read mailbox data from any user on the affected Exchange server.
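The four-hour beacon interval described above is a detectable pattern on the defender's side. The following is an added example, not code from the article or from QiAnXin, that scans constructed outbound-connection log lines (timestamp, process, destination; the format is an assumption) for process/destination pairs that reconnect at a near-constant period such as the IIS worker process (w3wp.exe) calling out every four hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, process, destination.
# An IIS worker process reaching one host every ~4 hours is the pattern of interest.
SAMPLE_LOG = """\
2025-06-01T01:00:03 w3wp.exe 203.0.113.10:8443
2025-06-01T01:12:45 outlook.exe 198.51.100.5:443
2025-06-01T05:00:07 w3wp.exe 203.0.113.10:8443
2025-06-01T09:00:02 w3wp.exe 203.0.113.10:8443
2025-06-01T09:30:00 w3wp.exe 198.51.100.20:443
2025-06-01T13:00:05 w3wp.exe 203.0.113.10:8443
2025-06-01T17:00:09 w3wp.exe 203.0.113.10:8443
2025-06-01T17:20:00 outlook.exe 198.51.100.5:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group connection timestamps by (process, destination); skip malformed lines."""
    series = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, proc, dest = match.groups()
        series[(proc, dest)].append(datetime.fromisoformat(ts))
    return series


def find_periodic_beacons(series, period=timedelta(hours=4),
                          tolerance=timedelta(minutes=5), min_hits=3):
    """Return (process, destination, count, mean_gap_seconds) for every pair
    whose consecutive connections all fall within `tolerance` of `period`."""
    hits = []
    for (proc, dest), times in series.items():
        times = sorted(times)
        if len(times) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            mean_gap = sum(g.total_seconds() for g in gaps) / len(gaps)
            hits.append((proc, dest, len(times), mean_gap))
    return hits


if __name__ == "__main__":
    for hit in find_periodic_beacons(parse_log(SAMPLE_LOG)):
        print("periodic outbound connection:", hit)
```

Real telemetry (Sysmon event 3, firewall or proxy logs) would be mapped into the same three fields; the period and tolerance are parameters so the same check can be tuned for other beacon intervals.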
The naming of “NightEagle” by QiAnXin is a nod to the group’s perceived speed and its operational hours, which largely fall between 9 p.m. and 6 a.m. Beijing time, suggesting a possible origin from outside the Asia-Pacific region, with some speculation pointing towards North America.
This latest discovery underscores the persistent threat posed by APT groups exploiting critical vulnerabilities in widely used software. Microsoft Exchange, a cornerstone of many enterprise and government communication networks, has historically been a prime target for state-sponsored threat actors due to the wealth of sensitive information it holds. Organizations are urged to remain vigilant, implement robust patch management practices, and deploy advanced threat detection solutions to defend against such evolving and targeted cyberattacks. Investigations into the full extent of NightEagle’s activities and victim impact are ongoing.