{
	"id": "1cedbde9-7e11-4ed6-b800-e39d859427f3",
	"created_at": "2026-04-06T00:10:34.783499Z",
	"updated_at": "2026-04-10T13:12:43.071141Z",
	"deleted_at": null,
	"sha1_hash": "7635422f39a4f0df30a2ef6af1344c16a6b32b2a",
	"title": "NightEagle APT Attacking Industrial Systems by Exploiting 0-Days and With Adaptive Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 440254,
	"plain_text": "NightEagle APT Attacking Industrial Systems by Exploiting 0-\r\nDays and With Adaptive Malware\r\nBy Kaaviya\r\nPublished: 2025-07-07 · Archived: 2026-04-02 11:09:46 UTC\r\nA sophisticated APT group dubbed “NightEagle” (APT-Q-95) has been conducting targeted attacks against\r\nChina’s critical technology sectors since 2023. \r\nThe group has demonstrated exceptional capabilities in exploiting unknown Exchange vulnerabilities and\r\ndeploying adaptive malware to steal sensitive intelligence from high-tech companies, chip semiconductor\r\nmanufacturers, quantum technology firms, artificial intelligence developers, and military industry organizations.\r\nKey Takeaways\r\n1.NightEagle (APT-Q-95) uses unknown Exchange vulnerabilities to steal machineKey credentials and de\r\n2. Operates with substantial funding, using dedicated attack domains per target that resolve to local\r\n3. Targets China's high-tech sectors (AI, quantum, semiconductors, military) since 2023, stealing ema\r\n4. Fixed 9 PM-6 AM Beijing time schedule suggests Western 8th Time Zone origin with geopolitically-mo\r\nAdvanced 0-Day Exploitation Framework\r\nAccording to Qian Pangu, NightEagle operates with a complete arsenal of unknown Exchange vulnerability\r\nexploitation chain weapons, targeting high-tech companies, chip semiconductor manufacturers, quantum\r\nhttps://cybersecuritynews.com/nighteagle-apt-exploiting-0-days/\r\nPage 1 of 3\n\ntechnology firms, artificial intelligence developers, and military industry entities. 
\r\nThe group’s attack methodology centers on exploiting undisclosed zero-day vulnerabilities to obtain the machineKey of Exchange servers. The machineKey (validationKey and decryptionKey) is what ASP.NET uses to authenticate and encrypt serialized state such as __VIEWSTATE; with it in hand, the attackers can produce serialized data that passes the server’s MAC check and is handed to the deserializer in the IIS worker process, which yields code execution and lets them implant malware on Exchange servers of matching versions.\r\nThe attack sequence begins with the deployment of a customized Chisel-family implant written in Go, executed through a command (not reproduced in this text) that establishes a SOCKS tunnel to the command-and-control infrastructure over port 443, using hardcoded authentication parameters.\r\nFileless Memory-Based Attack\r\nThe group’s most sophisticated weapon is memory-resident malware: the payload runs entirely in RAM with no on-disk persistence, evading file-based antivirus detection.\r\nThe entry point is an ASP.NET precompiled assembly loader named App_Web_cn*.dll, which registers virtual URL paths of the form ~/auth/lang/cn*.aspx and ~/auth/lang/zh.aspx (~ is the ASP.NET application root) inside the Exchange server’s IIS services.\r\nWhen a request arrives for one of these virtual paths, the loader looks up the “App_Web_Container_1” assembly, locates the malicious class “App_Web_8c9b251fb5b3”, and invokes its main “AppWebInit” method.\r\nBecause the payload never touches disk, the attackers keep persistent access while leaving little for disk-based forensics to find.\r\nFigure: Attack process of the NightEagle Group\r\nThe group demonstrates strong operational security by using dedicated attack domains for each target, including IoCs such as synologyupdates.com, comfyupdate.org, coremailtech.com, and fastapi-cdn.com. 
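The machineKey point above, as an added example that is not code from the original article or from the NightEagle report: a deliberately simplified Python model of the ASP.NET ViewState MAC check (real ASP.NET derives per-purpose keys and uses its own serializer; the key bytes, the page modifier and the placeholder payload are constructed), showing that whoever holds validationKey produces tokens the server accepts, that a token altered without the key is rejected, and that rotating the key invalidates every forged token.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo key standing in for the validationKey of an Exchange
# machineKey. Real keys are long hex strings in web.config; this is NOT one.
SERVER_VALIDATION_KEY = bytes(range(32))

# Simplified model (illustrative, not the real ASP.NET layout):
#   token = base64( payload || HMAC-SHA256(validationKey, payload || modifier) )
# The modifier stands for the per-page context ASP.NET mixes into the MAC.
MAC_LEN = 32


def sign_viewstate(payload, modifier, validation_key):
    # Produce a MAC-protected token, as the server does for its own pages.
    mac = hmac.new(validation_key, payload + modifier, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode('ascii')


def verify_viewstate(token, modifier, validation_key):
    # Server side: return the payload only if the MAC verifies, else None.
    # Only a payload that passes here reaches the deserializer, which is why
    # possession of validationKey is the whole game.
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def forge_with_stolen_key(stolen_key, modifier):
    # Attacker side: with the machineKey, signing is identical to the server
    # signing its own pages. The payload is a placeholder, not a gadget chain.
    payload = b'<attacker-controlled serialized object graph>'
    return sign_viewstate(payload, modifier, stolen_key)


def rotate_key():
    # Defender response: a fresh random validationKey invalidates forged tokens.
    return os.urandom(32)


def demo():
    modifier = b'/owa/auth/logon.aspx'  # constructed page-context modifier
    forged = forge_with_stolen_key(SERVER_VALIDATION_KEY, modifier)
    accepted = verify_viewstate(forged, modifier, SERVER_VALIDATION_KEY)
    # Flip one bit of the MAC: a party without the key cannot repair it.
    raw = bytearray(base64.b64decode(forged))
    raw[-1] ^= 1
    tampered = base64.b64encode(bytes(raw)).decode('ascii')
    rejected_tamper = verify_viewstate(tampered, modifier, SERVER_VALIDATION_KEY)
    # After rotation the stolen key no longer yields acceptable tokens.
    rejected_rotated = verify_viewstate(forged, modifier, rotate_key())
    return {
        'forged_accepted': accepted is not None,
        'tampered_rejected': rejected_tamper is None,
        'rotated_rejected': rejected_rotated is None,
    }


if __name__ == '__main__':
    print(demo())
```

The practical consequence for defenders is the last branch: once a machineKey leak is suspected, regenerating the key material is what actually closes the door, because MAC validation cannot distinguish a server-signed token from an attacker-signed one.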
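Hunting for the loader paths, the loader assembly name and the attack domains described above, as an added example that is not from the original article: the IIS log lines, the file listing and the DNS records are constructed, and the function names are this example’s own; the path pattern, the DLL name pattern and the IoC domains are the ones the article gives.

```python
import fnmatch
import ntpath
import re

# Indicators from the article. ~ is the ASP.NET application root, so the
# absolute URI carries whatever virtual directory hosts it; match on the suffix.
LOADER_PATH_RE = re.compile(r'/auth/lang/(cn[^/]*|zh)[.]aspx$', re.IGNORECASE)
LOADER_DLL_GLOB = 'app_web_cn*.dll'
IOC_DOMAINS = {'synologyupdates.com', 'comfyupdate.org', 'coremailtech.com', 'fastapi-cdn.com'}

# Constructed IIS W3C log lines, not real Exchange logs. IIS writes a #Fields
# directive that fixes the column order, and encodes spaces inside values as +.
# The /owa and /ecp prefixes are illustrative, not values from the report.
SAMPLE_IIS_LOG = [
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2025-06-01 13:05:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200',
    '2025-06-01 13:05:40 10.0.0.5 POST /owa/auth/lang/cn1.aspx - 443 - 198.51.100.7 Mozilla/5.0 200',
    '2025-06-01 13:06:02 10.0.0.5 GET /ecp/auth/lang/zh.aspx - 443 - 198.51.100.7 curl/8.0 200',
    '2025-06-01 13:07:00 10.0.0.5 GET /ecp/default.aspx - 443 admin 10.0.0.20 Mozilla/5.0 200',
]

# Constructed file listing (forward slashes for portability; ntpath accepts both).
SAMPLE_PATHS = [
    'C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/owa/1a2b3c4d/App_Web_cn3k2z9x.dll',
    'C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/owa/1a2b3c4d/App_Web_4fd2a1c7.dll',
    'C:/Program Files/Microsoft/Exchange Server/V15/Bin/Microsoft.Exchange.Data.dll',
]

# Constructed (client, queried name) pairs from a resolver log.
SAMPLE_DNS = [
    ('10.0.0.5', 'www.synologyupdates.com.'),
    ('10.0.0.5', 'update.synology.com.'),
    ('10.0.0.9', 'fastapi-cdn.com'),
]


def parse_w3c(lines):
    # Yield one dict per request, keyed by the names in the #Fields directive.
    fields = None
    for line in lines:
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if line.startswith('#') or not line.strip():
            continue
        if fields is None:
            raise ValueError('data before #Fields directive')
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt_loader_requests(lines):
    # Requests to the loader paths. These are not part of a stock Exchange
    # install, so any hit deserves a look regardless of status code.
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get('cs-uri-stem', '')
        if LOADER_PATH_RE.search(stem):
            when = rec.get('date', '-') + ' ' + rec.get('time', '-')
            hits.append((when, rec.get('c-ip', '-'), stem, rec.get('sc-status', '-')))
    return hits


def hunt_loader_assemblies(paths):
    # Legitimate ASP.NET precompiled assemblies are also named App_Web_<hash>.dll;
    # the cn prefix is the indicator, so confirm hits by hash and compile time.
    return [p for p in paths
            if fnmatch.fnmatchcase(ntpath.basename(p).lower(), LOADER_DLL_GLOB)]


def hunt_dns(records):
    # Names equal to an IoC domain or beneath one (trailing dot tolerated).
    hits = []
    for client, qname in records:
        name = qname.rstrip('.').lower()
        if any(name == d or name.endswith('.' + d) for d in IOC_DOMAINS):
            hits.append((client, name))
    return hits


def demo():
    return {
        'loader_requests': hunt_loader_requests(SAMPLE_IIS_LOG),
        'loader_assemblies': hunt_loader_assemblies(SAMPLE_PATHS),
        'ioc_dns': hunt_dns(SAMPLE_DNS),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

The Chisel SOCKS tunnel leaves no trace in IIS logs, so the DNS check is the closest of these three to catching it; pairing it with outbound 443 connections from the Exchange server to the same hosts covers the case where the implant is configured with an IP rather than a name.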
\r\nDomain registrations consistently use Tucows as the registrar, with DNS resolution pointing to infrastructure hosted by DigitalOcean, Akamai, and The Constant Company during active campaigns.\r\nNightEagle’s activity follows a consistent schedule of 9 PM to 6 AM Beijing time, which is roughly 5 AM to 2 PM in UTC-8 (the “Western 8th Time Zone”, Pacific Standard Time), indicating an operator working a daytime shift there, likely in North America.\r\nThe group’s targeting adapts to geopolitical events and has increasingly focused on China’s AI large-model industry, exploiting vulnerabilities in systems that run tools such as ComfyUI.\r\nAnalysis shows that NightEagle had been exfiltrating sensitive email data from targeted organizations for nearly a year, demonstrating its capacity for sustained intelligence gathering.\r\nThe actor’s substantial financial resources fund extensive network infrastructure, including numerous VPS servers and domain names for each campaign.\r\nSource: https://cybersecuritynews.com/nighteagle-apt-exploiting-0-days/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybersecuritynews.com/nighteagle-apt-exploiting-0-days/"
	],
	"report_names": [
		"nighteagle-apt-exploiting-0-days"
	],
	"threat_actors": [
		{
			"id": "31d93f1d-7d73-4f7a-996d-1c57540d31b1",
			"created_at": "2025-08-30T02:00:04.339323Z",
			"updated_at": "2026-04-10T02:00:03.887045Z",
			"deleted_at": null,
			"main_name": "NightEagle",
			"aliases": [
				"APT-Q-95"
			],
			"source_name": "MISPGALAXY:NightEagle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7635422f39a4f0df30a2ef6af1344c16a6b32b2a.pdf",
		"text": "https://archive.orkl.eu/7635422f39a4f0df30a2ef6af1344c16a6b32b2a.txt",
		"img": "https://archive.orkl.eu/7635422f39a4f0df30a2ef6af1344c16a6b32b2a.jpg"
	}
}