“NightEagle” Hackers Exploit Fresh Microsoft Exchange Weakness

Researchers detail fast-moving group at CYDES 2025

Security investigators from the RedDrip Team at Chinese cybersecurity giant QiAnXin have unmasked a previously unreported advanced-persistent-threat (APT) crew they have dubbed “NightEagle,” also tracked as APT-Q-95. The team laid out its findings this week at CYDES 2025, Malaysia’s National Cyber Defence & Security Exhibition and Conference, which ran in Kuala Lumpur from 1 to 3 July 2025.

NightEagle, active since at least early 2023, has built an attack chain around a previously undisclosed flaw in Microsoft Exchange Server. According to the researchers, the operators strike mainly between 9 p.m. and 6 a.m. Beijing time, the pattern behind the “night” half of the nickname; the “eagle” half refers to the speed with which they rotate command-and-control (C2) infrastructure. C2 servers and domains tied to the campaign are replaced so quickly that tracking them has proven unusually difficult.

Espionage Aimed at China’s Strategic High-Tech Sectors

The campaign’s victims sit squarely in China’s strategic industries. Companies and institutes working on semiconductors, quantum computing, artificial intelligence, and advanced weapons systems figure prominently among the targets, as do government agencies. RedDrip analysts say the overarching goal is straightforward espionage: siphoning off research, intellectual property, and sensitive emails that could confer both commercial and military advantages.

During an incident-response engagement, the team recovered a customised build of Chisel, an open-source tunnelling tool written in Go that carries TCP traffic over HTTP and is commonly used to get through firewalls. The build found on the compromised host had been heavily modified: the C2 server address, credentials and port mappings were hard-coded into the binary, so the operators never had to pass them on the command line, where they would be visible in process-creation logs. A scheduled task launched the program every four hours, so the tunnel was re-established after a reboot or after defenders killed the process.

QiAnXin’s investigators traced the foothold back to a .NET-based loader planted in the Internet Information Services (IIS) worker process that serves Exchange. By exploiting a previously unknown vulnerability, the loader obtained the server’s machineKey, the ASP.NET secret that Exchange’s web front end uses to sign and encrypt state such as ViewState. With that key, NightEagle could hand the server serialized payloads that pass its integrity check and are deserialized inside the Exchange process itself, which gives code execution there; from that position the group implanted web shells and could read or forward any mailbox hosted on the server, without ever needing real user credentials.
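To make concrete why a stolen machineKey is enough, here is an added illustration in Python (not QiAnXin’s code or anything from the report): a simplified model of ASP.NET’s ViewState integrity check, in which an HMAC keyed by the validationKey is the only thing standing between request bytes and the deserializer. The serializer, key derivation and field layout are simplified assumptions of this example; the conclusion it shows, that possession of the key lets an attacker produce payloads the server accepts and that rotating the key invalidates them, carries over to the real implementation.

```python
import base64
import hashlib
import hmac
import os

# Simplified model of how ASP.NET protects ViewState with the machineKey's
# validationKey: an HMAC over the serialized state is appended to it and
# checked before the bytes reach the deserializer. Real ASP.NET uses its own
# serializer and (since 4.5) derives per-purpose keys from the machineKey;
# the shape of the check is the same, and that is all this example relies on.
MAC_LEN = hashlib.sha256().digest_size


def sign_viewstate(validation_key: bytes, state: bytes) -> str:
    """What the server does when it emits ViewState: state || HMAC(state)."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def verify_viewstate(validation_key: bytes, token: str):
    """Return the serialized state if the MAC checks out, else None."""
    blob = base64.b64decode(token)
    state, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None   # MAC validation failed: the bytes are never deserialized
    return state      # accepted: the server deserializes these bytes next


def scenario() -> dict:
    """Three requests against one server: blind forgery, forgery with the
    stolen key, and the same forgery after the key has been rotated."""
    server_key = os.urandom(64)
    # Attacker-controlled bytes standing in for a gadget-chain payload
    # (constructed placeholder, not a real serialized object).
    payload = b"<attacker-controlled serialized object>"

    # Without the key, a random MAC is rejected and nothing is deserialized.
    forged_blind = base64.b64encode(payload + os.urandom(MAC_LEN)).decode()

    # With the stolen validationKey the attacker signs exactly like the server,
    # so the check cannot tell the forged state from a legitimate one.
    forged_with_key = sign_viewstate(server_key, payload)

    # Rotating the machineKey invalidates everything signed with the old key.
    rotated_key = os.urandom(64)

    return {
        "blind_forgery_accepted": verify_viewstate(server_key, forged_blind) is not None,
        "stolen_key_forgery_accepted": verify_viewstate(server_key, forged_with_key) == payload,
        "accepted_after_rotation": verify_viewstate(rotated_key, forged_with_key) is not None,
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {accepted}")
```

The point for responders is the third line of the result: patching the vulnerability that leaked the key does not help a server whose key the attacker already holds, only rotating the key does.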

Zero-Day Gives Attackers Free Rein

Microsoft has not yet publicly acknowledged or patched the bug, which makes it a zero-day in the strict sense. RedDrip warns that any organisation running a supported version of Exchange on-premises, including in hybrid mode, could be vulnerable until a fix arrives.

Once the backdoor is in place, the operators pivot laterally: the modified Chisel client connects outbound to a remote C2 host on TCP 443 and carries a SOCKS tunnel back into the victim network. Because the connection is outbound on 443, it blends in with ordinary HTTPS and is easily missed by perimeter monitoring. Through that tunnel, NightEagle can reach other internal hosts, collect documents, dump credentials, or plant additional malware. Restricting an Exchange server’s outbound traffic to the destinations it actually needs removes much of this cover, whatever address the C2 host is using that day.

QiAnXin’s timeline shows that the group changes its infrastructure rapidly, sometimes using an IP address for only a few hours before abandoning it. That agility makes blocklisting on its own ineffective and points to a well-resourced operation, possibly state-sponsored. Attribution remains tentative, but RedDrip analysts note that the activity window corresponds to daytime working hours in North America, fuelling speculation that the operators are based there.

What Comes Next

QiAnXin has shared indicators of compromise and a technical breakdown of the exploit sequence with industry partners and with Microsoft. At the time of writing, Microsoft has not commented publicly. In the meantime, the researchers urge administrators to monitor Exchange servers closely for three things: scheduled tasks that launch binaries from unusual locations, outbound connections on TCP 443 from the server itself to addresses outside its known destinations (especially ones recurring at fixed intervals), and unexpected .NET assemblies loaded into the IIS worker process (w3wp.exe). One further point follows from the attack chain itself: because the attackers hold the machineKey, a compromised server stays exposed to forged but validly signed payloads even after it is patched, so rotating that key belongs in any remediation plan.
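The monitoring the researchers recommend, turned into a small hunt, as an added example rather than anything QiAnXin published. It runs three checks over a handful of constructed Sysmon-style JSON records (the field names, directory allowlists and sample events are this example’s own assumptions, not real telemetry or Sysmon’s schema): scheduled tasks whose binary lives outside trusted program directories, modules loaded into w3wp.exe that are unsigned or come from unexpected paths, and outbound TCP 443 connections to non-internal addresses, with a periodicity check that flags any fixed-interval beacon, not only the four-hour cadence of this campaign.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (not real logs):
# one scheduled-task creation, two image loads into the IIS worker, and a set of
# outbound connections. Field names are this example's own, not Sysmon's.
SAMPLE_LOG = r"""
{"ts":"2025-06-10T13:02:11Z","event":"task_created","task":"\\Microsoft\\Windows\\Maintenance\\Sync","exe":"C:\\ProgramData\\svc\\winsrv.exe","interval_min":240}
{"ts":"2025-06-10T13:02:12Z","event":"image_load","process":"w3wp.exe","image":"C:\\Windows\\Temp\\App_Web_x1.dll","signed":false}
{"ts":"2025-06-10T13:02:13Z","event":"image_load","process":"w3wp.exe","image":"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Data.dll","signed":true}
{"ts":"2025-06-10T13:05:00Z","event":"net_connect","process":"winsrv.exe","dst":"203.0.113.45","dport":443}
{"ts":"2025-06-10T13:06:00Z","event":"net_connect","process":"MSExchangeTransport.exe","dst":"10.0.0.25","dport":443}
{"ts":"2025-06-10T17:05:02Z","event":"net_connect","process":"winsrv.exe","dst":"203.0.113.45","dport":443}
{"ts":"2025-06-10T21:05:01Z","event":"net_connect","process":"winsrv.exe","dst":"203.0.113.45","dport":443}
"""

# Site-specific allowlists (assumed for this example; extend for your own
# add-ins before relying on the output). Compared case-insensitively.
TRUSTED_TASK_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TRUSTED_CODE_DIRS = (
    "c:\\program files\\microsoft\\exchange server\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\windows\\assembly\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\winsxs\\",
)
# RFC 1918 ranges stand in for "inside the organisation"; listed explicitly
# rather than via ipaddress.is_private, which also covers documentation nets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_periodic(times, min_period_min: int, jitter_s: int):
    """True if three or more connections are spaced at a near-constant interval
    of at least min_period_min minutes; returns (flag, period_in_minutes)."""
    if len(times) < 3:
        return False, None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if min(gaps) < min_period_min * 60 or max(gaps) - min(gaps) > jitter_s:
        return False, None
    return True, round(sum(gaps) / len(gaps) / 60)


def hunt(log_text: str, min_period_min: int = 60, jitter_s: int = 300) -> list:
    """Run the three checks over JSON-lines telemetry and return findings."""
    findings = []
    external = defaultdict(list)  # (process, dst, dport) -> connection times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev["event"]
        if kind == "task_created":
            # A task whose binary lives outside program directories is the
            # pattern of the four-hourly Chisel launcher described above.
            if not ev["exe"].lower().startswith(TRUSTED_TASK_DIRS):
                findings.append({"rule": "untrusted_task_binary", "task": ev["task"],
                                 "exe": ev["exe"], "interval_min": ev.get("interval_min")})
        elif kind == "image_load" and ev["process"].lower() == "w3wp.exe":
            image = ev["image"].lower()
            reasons = []
            if not ev.get("signed", False):
                reasons.append("unsigned")
            if not image.startswith(TRUSTED_CODE_DIRS):
                reasons.append("outside trusted directories")
            if "temporary asp.net files" in image:
                reasons.append("dynamically compiled ASP.NET assembly: review the source page")
            if reasons:
                findings.append({"rule": "unexpected_iis_module", "image": ev["image"], "reasons": reasons})
        elif kind == "net_connect" and ev["dport"] == 443 and not is_internal(ev["dst"]):
            external[(ev["process"], ev["dst"], ev["dport"])].append(parse_ts(ev["ts"]))
    for (proc, dst, dport), times in external.items():
        findings.append({"rule": "external_443_from_host", "process": proc, "dst": dst, "count": len(times)})
        periodic, period = is_periodic(times, min_period_min, jitter_s)
        if periodic:
            findings.append({"rule": "periodic_beacon", "process": proc, "dst": dst, "period_min": period})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run as-is it prints four findings for the sample: the task binary under ProgramData, the unsigned DLL loaded from C:\Windows\Temp, the external 443 destination, and a 240-minute beacon from the same process. In practice the input would be exported Sysmon events (IDs 1, 3 and 7) plus Security event 4698 for task creation, mapped onto these fields; the internal-range list and the directory allowlists need adjusting to the environment first.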

While details of NightEagle’s command hierarchy and exact motivations remain murky, the campaign underlines how valuable Chinese high-tech research has become and how far well-funded attackers will go to obtain it. Until a patch is released, defenders will need to rely on layered monitoring, rigorous credential hygiene, and well-rehearsed incident-response playbooks to stay ahead of this fast-moving adversary.
