A newly identified advanced persistent threat (APT) group, dubbed NightEagle (also known as APT-Q-95), has been observed exploiting a previously undocumented zero-day vulnerability in Microsoft Exchange servers. The group’s campaign, active since at least 2023, has primarily targeted China’s military, defense, and high-technology sectors, including organizations involved in semiconductor manufacturing, quantum technology, and artificial intelligence research.
Sophisticated Attack Chain
According to security researchers from QiAnXin’s RedDrip Team, NightEagle’s operations demonstrate a high degree of technical sophistication and operational agility. The group leverages a zero-day exploit chain to gain initial access to Microsoft Exchange servers, a platform that continues to be a lucrative target for cyber-espionage due to its widespread use and sensitive data stores.
Once inside the targeted networks, NightEagle deploys a customized version of the open-source Go-based tunneling tool, Chisel. This modified utility is engineered to:
- Hard-code execution parameters and authentication credentials,
- Establish a persistent SOCKS connection to the attackers’ command-and-control (C&C) infrastructure over port 443,
- Automate intranet penetration by executing as a scheduled task every four hours.
This approach enables NightEagle to maintain long-term, stealthy access to compromised networks, facilitating ongoing intelligence collection.
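A defender-side example added here (not part of the article or of QiAnXin's research): it parses exported Windows Task Scheduler XML (the format produced by `schtasks /query /xml`) and flags tasks that match the persistence pattern described above, a four-hour repetition interval combined with a binary living outside the usual system directories. The task names, file paths and the trusted-directory list are constructed assumptions, not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

# Real namespace used by Windows Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic allow-list of directories a legitimate scheduled binary usually lives in (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def iso_duration_seconds(value):
    """Parse a Task Scheduler ISO 8601 duration such as PT4H or P1DT30M into seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs

def assess_task(name, xml_text):
    """Return human-readable findings for one task definition (empty list = nothing notable)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Trigger check: the article describes the tunnel re-launching every four hours.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        if iso_duration_seconds(interval.text) == 4 * 3600:
            findings.append(f"{name}: repeats every 4 hours ({interval.text})")
    # Action check: a tunneling binary dropped by an intruder rarely sits in a trusted directory.
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if path and not path.startswith(TRUSTED_DIRS):
            findings.append(f"{name}: runs binary outside trusted directories: {path}")
    return findings

def scan_tasks(tasks):
    """Scan a mapping of task name -> exported XML and return all findings."""
    return [f for name, xml_text in tasks.items() for f in assess_task(name, xml_text)]

# Constructed sample exports (not real artifacts from the campaign).
SAMPLE_TASKS = {
    "Microsoft\\Windows\\Defrag\\ScheduledDefrag": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\defrag.exe</Command></Exec></Actions></Task>""",
    "SystemHealthSync": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT4H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>"C:\ProgramData\HealthSync\hsync.exe"</Command></Exec></Actions></Task>""",
}

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(finding)
```

Either finding alone is weak evidence; the two together on the same task are what merit a closer look at the binary and its outbound connections on port 443.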
Espionage-Focused Objectives
Unlike financially motivated cybercriminals or ransomware operators, NightEagle’s activities are characterized by a clear focus on strategic intelligence gathering. The group’s targeting of critical sectors within China suggests an intent to exfiltrate sensitive information related to national defense and emerging technologies.
Attribution and Operational Patterns
While the precise origins of NightEagle remain undetermined, the group’s rapid infrastructure changes and nocturnal activity patterns—primarily observed during Chinese nighttime hours—have informed its moniker. The group’s tactics, techniques, and procedures (TTPs) underscore the persistent threat posed by APT actors to organizations operating in high-value sectors.
Industry Response
The discovery of NightEagle’s campaign was presented at the CYDES 2025 conference in Malaysia, where security experts emphasized the importance of timely patching, robust monitoring, and threat intelligence sharing to counter such advanced threats. Organizations using Microsoft Exchange are urged to review their security postures, apply the latest patches, and monitor for unusual activity indicative of compromise.