Silent Sabotage: NightEagle APT Breaches Industrial Networks Using Zero-Day Exploits and Evolving Malware

A sophisticated cyber espionage campaign attributed to the Advanced Persistent Threat (APT) group “NightEagle” has been revealed, highlighting the evolving threat landscape facing high-tech industries, semiconductors, quantum technologies, and artificial intelligence sectors in China.

Since 2023, researchers at Qian Pangu, supported by Qianxin’s suite of security tools, have tracked NightEagle’s activities, uncovering the group’s mastery in leveraging unknown Exchange zero-day vulnerabilities and deploying custom malware across targeted networks.

NightEagle, internally designated as APT-Q-95, demonstrates an unprecedented level of operational security and infrastructure agility.

The group invests heavily in acquiring vast network assets, including VPS servers and domain names, and uniquely assigns a dedicated attack domain to each of its targets.

These domains exhibit rapid, frequent IP changes, and resolve to non-routable addresses like 127.0.0.1 during inactive periods to mask the location of command-and-control (C2) servers.

Analysis indicates attacks predominantly occur during night hours in China, originating likely from North America, and are precisely timed to avoid detection.

Zero-Day Weapons

The attack chain typically begins with a disguised domain such as synologyupdates.com masquerading as a legitimate Synology NAS service.

Investigation revealed repeated DNS requests from compromised internal hosts, with further analysis uncovering a custom-compiled “Chisel” malware operating under the guise of SynologyUpdate.exe.

This tool, written in Go, establishes an authenticated, persistent SOCKS tunnel to the C2 infrastructure, triggered by regular scheduled tasks.

More alarmingly, forensic analysis on affected Exchange servers exposed a fileless “memory horse” malware, injected into the process memory to avoid detection and removed by attackers post-operation.

The loader, a precompiled ASP.NET DLL file (e.g., App_Web_cn*.dll), is triggered by crafted requests to seemingly innocuous virtual directories (like /owa/auth/lang/cn*.aspx), enabling attackers to execute further malicious code and maintain persistence.

Unprecedented Exploitation of Exchange 0-Day

Qianxin’s network and endpoint defense systems (including Tianyan NDR, AISOC, and EDR) confirmed that NightEagle leverages an unpatched, previously unknown Exchange server vulnerability to extract critical machine keys, enabling arbitrary deserialization, malware implantation, and unrestricted email data exfiltration.

Attackers systematically brute-force Exchange version numbers to ensure compatibility, then silently collect sensitive communications from high-value targets over extended periods.

NightEagle’s selection of targets aligns perceptibly with geopolitical developments, focusing on emerging sectors such as AI and large-language models.

Custom domain names (e.g., comfyupdate.org for AI tools) serve as tailored entry points for each victim.

Domain registration patterns, heartbeat schedules, and C2 IP addresses, often linked to U.S.-based cloud providers, further distinguish their operations.

According to the Report, Qianxin has publicized the group’s Indicators of Compromise (IOCs) and developed specialized detection and remediation tools, highlighting the crucial role of integrated threat intelligence, automated response, and multi-source log correlation in defending against top-tier APT threats.

Organizations are urged to inspect Exchange server directories for anomalous DLLs, review IIS logs for suspicious URL or User-Agent patterns, and monitor for connections to the group’s identified domains.

Key Indicators of Compromise (IOCs)

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates