QiAnXin’s RedDrip team has exposed the full-scale cyber operations of a shadowy state-aligned APT group dubbed NightEagle (APT-Q-95). With lightning-fast operational infrastructure, zero-day Exchange exploits, and a highly adaptive malware arsenal, this group is ruthlessly targeting China’s most strategic industries.
“Based on the characteristics of this APT Group’s ultra-fast switching of network infrastructure, it seems to have the speed of an eagle and has been operating at night in China all along,” the report notes. Hence the codename: NightEagle.
NightEagle’s targets are a who’s who of strategic national value: semiconductors, AI, quantum tech, military research, and even large-model AI application systems. These attacks aren’t smash-and-grab jobs—they’re precision-engineered campaigns focused on espionage and silent infiltration.
“This Group has long targeted top companies and institutions… The main purpose is to steal intelligence. After stealing the intelligence, it will quickly leave the scene and erase the traces,” the report states.
NightEagle’s operations blend custom malware, open-source tooling, and fileless persistence. One of the first indicators was a suspicious domain: synologyupdates.com. What appeared to be a benign NAS-related domain actually led to the discovery of a Chisel-based tunneling implant, cleverly scheduled to activate every four hours.
“After analysis, it was found that this process was a Chisel family malware compiled for the customized Go language… to achieve internal network penetration.”
The attackers even repurposed ASP.NET precompiled DLLs (.NET assemblies with names like App_Web_cn274.aspx.dll) as fileless in-memory loaders. These implants reside in IIS memory and execute their payload only when the matching virtual URL endpoint is requested, so they leave no file on disk for antivirus to scan.
“It will not land on the disk, thus avoiding being detected by antivirus software… The loader is designated and named App_Web_cn*.dll.”
Perhaps the most alarming discovery is the group’s use of an unknown Exchange zero-day exploit chain. The attackers successfully exfiltrated the machineKey from Exchange servers, which let them make the server deserialize attacker-supplied objects and execute malware remotely, at will.
“Through this Key, deserialization operations were performed on the Exchange server… allowing remote reading of email data from any individual.”
NightEagle’s exploit chain is not tied to a single Exchange build: rather than relying on one backdoor, the group tries the chain against every known Exchange version until it gets in, which makes the chain unusually resilient and adaptive.
Each victim is stalked with unique infrastructure—custom domain names, fast-flipping IPs, and cloud-based C2 (DigitalOcean, Akamai, etc.). According to QiAnXin:
“Each domain name was only used to attack one unit, and the malware of each attacked unit were not consistent.”
This level of customization and operational cost suggests serious funding. The use of domain registrars like Tucows, along with heartbeat-style beaconing to C2 domains that resolve to addresses such as 127.0.0.1 (loopback) and 114.114.114.114 (a public DNS resolver), further frustrates attribution and detection.
One of the more curious details is that all malware activity occurs between 9 p.m. and 6 a.m. Beijing time—and never outside those hours.
“They never worked overtime. Therefore, they would not steal data after work hours.”
QiAnXin speculates the actors operate from a North American time zone, which would neatly align with this nocturnal behavior. Geopolitical motivations? All signs point to yes.
To aid defenders, QiAnXin has released a self-check tool for infected Exchange servers and memory analysis. You can download it here.
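As an added example of the kind of host-side check a defender can run (this is not QiAnXin’s self-check tool and is not code from the report), the PowerShell below hunts a Windows Exchange/IIS host for the three indicators named above: App_Web_cn*.dll assemblies on disk or loaded in IIS worker processes, a scheduled task repeating every four hours, and cached lookups of synologyupdates.com. It assumes the default .NET Framework and inetpub directory layout.

```powershell
# Added triage script (not QiAnXin's tool). Run in an elevated PowerShell session on
# the Exchange server; every hit needs manual confirmation before it is treated as a
# compromise. Assumed layout: default .NET Framework and inetpub paths.
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1a. App_Web_cn*.dll on disk. Legitimate precompiled pages live under
#     "Temporary ASP.NET Files" with random suffixes; the report names the cn* prefix.
$roots = @("$env:SystemRoot\Microsoft.NET\Framework64",
           "$env:SystemRoot\Microsoft.NET\Framework",
           "$env:SystemDrive\inetpub")
Get-ChildItem -Path $roots -Recurse -Filter 'App_Web_cn*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'loader on disk' $_.FullName }

# 1b. Same name loaded in an IIS worker process. Caveat: Process.Modules only lists
#     file-backed modules, so an assembly loaded purely from memory will not appear
#     here; closing that gap is what a memory scan (such as the vendor tool) is for.
foreach ($p in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    try {
        $p.Modules | Where-Object { $_.ModuleName -like 'App_Web_cn*.dll' } |
            ForEach-Object { Add-Finding 'loader in w3wp' "PID $($p.Id): $($_.FileName)" }
    } catch { Add-Finding 'w3wp access error' "PID $($p.Id): $($_.Exception.Message)" }
}

# 2. Scheduled tasks that repeat every four hours (the reported Chisel cadence).
#    Task Scheduler stores repetition intervals as ISO 8601 durations, e.g. PT4H.
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $fourHourly = $t.Triggers | Where-Object { $_.Repetition -and $_.Repetition.Interval -eq 'PT4H' }
    if ($fourHourly) {
        $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Add-Finding '4h task' "$($t.TaskPath)$($t.TaskName) -> $actions"
    }
}

# 3. Resolver cache entries for the reported domain (and any subdomain of it).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*synologyupdates.com' } |
    ForEach-Object { Add-Finding 'DNS cache' "$($_.Entry) -> $($_.Data)" }

if ($Findings.Count) { $Findings | Format-Table -AutoSize }
else { 'No file, task or DNS indicators found; in-memory loaders still require a memory scan.' }
```

A four-hour task or a cached lookup is only a lead; confirm the task's binary and the DNS answer against the report before escalating.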