{
	"id": "6358cf7d-1360-4b32-9678-1b2e829beb0d",
	"created_at": "2026-04-06T00:10:23.579286Z",
	"updated_at": "2026-04-10T13:11:49.180804Z",
	"deleted_at": null,
	"sha1_hash": "21a2263bdae97fd13a0343a95a636c38396ccf02",
	"title": "NightEagle APT Exploits Microsoft Exchange Flaw to Target China's Military and Tech Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 306007,
	"plain_text": "NightEagle APT Exploits Microsoft Exchange Flaw to Target China's Military and Tech Sectors\r\nBy The Hacker News\r\nPublished: 2025-07-04 · Archived: 2026-04-05 17:51:21 UTC\r\nCybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as part of a zero-day exploit chain aimed at government, defense, and technology organizations in China.\r\nAccording to QiAnXin's RedDrip Team, the threat actor has been active since 2023 and rotates its network infrastructure at an extremely fast rate. The findings were presented at CYDES 2025, the third edition of Malaysia's National Cyber Defence \u0026 Security Exhibition and Conference, held between July 1 and 3, 2025.\r\n\"It seems to have the speed of an eagle and has been operating at night in China,\" the cybersecurity vendor said, explaining the rationale behind naming the adversary NightEagle.\r\nAttacks mounted by the threat actor have singled out entities operating in the high-tech, semiconductor, quantum technology, artificial intelligence, and military sectors, with the main goal of gathering intelligence, QiAnXin added.\r\nThe company also noted that it began its investigation after it discovered, on one of its customers' endpoints, a bespoke build of the Go-based Chisel tunneling utility that was configured to start automatically every four hours via a scheduled task.\r\n\"The attacker modified the source code of the open-source Chisel intranet penetration tool, hard-coded the execution parameters, used the specified username and password, established a SOCKS connection with the 443 end of the specified C\u0026C address, and mapped it to the specified port of the C\u0026C host to achieve the intranet penetration function,\" it said in a report.\r\nThe trojan is said to be delivered by means of a .NET loader, which, in turn, is implanted into the Internet Information Services (IIS) service of the Microsoft Exchange Server. Further analysis determined the presence of a zero-day that enabled the attackers to obtain the server's ASP.NET machineKey and gain unauthorized access to the Exchange Server.\r\n\"The attacker used the key to deserialize the Exchange server, thereby implanting a trojan into any server that complies with the Exchange version, and remotely reading the mailbox data of any person,\" the report said.\r\nQiAnXin claimed that the activity was likely the work of a threat actor from North America, given that the attacks took place between 9 p.m. and 6 a.m. Beijing time (roughly 9 a.m. to 6 p.m. U.S. Eastern Daylight Time, that is, a North American working day). It also said the threat actor exhibits all the traits of an advanced persistent threat (APT) group, describing it as \"fast, accurate, and ruthless.\"\r\nWhen reached for comment, Microsoft told The Hacker News it is continuing its investigation but noted that it has not found any vulnerabilities at this stage.\r\n\"We have reviewed this report and have not identified any new actionable vulnerabilities to date,\" a Microsoft spokesperson said. \"Our investigation is ongoing, and we will take action as appropriate based on our findings. We remain committed to addressing reported issues promptly, while maintaining the highest standards of safety and trust, to help keep our customers protected.\"\r\n(The story was updated after publication on July 10, 2025, to include a response from Microsoft.)\r\nSource: https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html"
	],
	"report_names": [
		"nighteagle-apt-exploits-microsoft.html"
	],
	"threat_actors": [
		{
			"id": "31d93f1d-7d73-4f7a-996d-1c57540d31b1",
			"created_at": "2025-08-30T02:00:04.339323Z",
			"updated_at": "2026-04-10T02:00:03.887045Z",
			"deleted_at": null,
			"main_name": "NightEagle",
			"aliases": [
				"APT-Q-95"
			],
			"source_name": "MISPGALAXY:NightEagle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21a2263bdae97fd13a0343a95a636c38396ccf02.pdf",
		"text": "https://archive.orkl.eu/21a2263bdae97fd13a0343a95a636c38396ccf02.txt",
		"img": "https://archive.orkl.eu/21a2263bdae97fd13a0343a95a636c38396ccf02.jpg"
	}
}