Unveiling NightEagle: A New Threat in Cyber Espionage

Cybersecurity experts have recently identified a previously unknown threat actor named NightEagle, also known as APT-Q-95. This group has been actively targeting Microsoft Exchange servers through a zero-day exploit, primarily focusing on government, defense, and technology sectors within China.

Background on NightEagle

The cybersecurity research team at QiAnXin’s RedDrip has reported that NightEagle has been operational since early 2023. Their unique approach involves rapidly changing network infrastructure, which poses a significant challenge to detection and mitigation efforts. These findings were shared at the CYDES 2025 conference, part of Malaysia’s National Cyber Defence & Security Exhibition and Conference, held from July 1 to 3, 2025.

The Name Behind the Threat

QiAnXin aptly named the threat actor NightEagle due to their swift operation, akin to the agile predator. Their attacks typically occur during nighttime hours, aligning with reports that indicate a pattern of activity from 9 p.m. to 6 a.m. Beijing time. This has led researchers to speculate that the attacks may originate from North America.

Targeted Industries and Goals

NightEagle has set its sights on various high-value sectors, including high-tech industries, semiconductor manufacturing, quantum technology, artificial intelligence, and military applications. The primary objective of these attacks seems to be intelligence gathering, raising concerns for entities involved in these critical areas.

Discovery of Custom Tools

The investigations by QiAnXin were initiated following the detection of a custom version of the Chisel utility, a Go-based tool intended for intranet penetration. This modified version was configured to launch automatically every four hours on a client endpoint. Researchers noted that the source code had been altered, with execution parameters hard-coded to facilitate seamless exploitation.

Technical Overview of the Attack

The attack leverages a .NET loader, which is hidden within the Internet Information Server (IIS) component of the Microsoft Exchange Server. Further analysis revealed the existence of a zero-day vulnerability that enables attackers to access the machineKey. This key is pivotal, as it allows unauthorized entry into the Exchange Server.

Through this method, NightEagle can deserialize the Exchange server, implanting a Trojan capable of infiltrating any compliant server. This action gives attackers remote access to mailbox data, raising serious concerns about data privacy and security.

Closing Insights on the Threat Landscape

The emergence of NightEagle highlights the evolving nature of cyber threats and the persistent danger posed by actors targeting critical infrastructure. The quick adaptability of this group underscores the ongoing challenges facing organizations in maintaining robust cybersecurity measures. As the situation unfolds, QiAnXin and other cybersecurity professionals continue to monitor developments closely.

Stay informed on the latest in cybersecurity and follow updates from reliable sources as this situation evolves.