NightEagle APT Unleashed: Zero-Day Exchange Exploit Targets China’s Strategic Industries with Fileless Malware
Since 2023, the RedDrip Team has been meticulously monitoring the activities of one of the most elusive cyber espionage groups. This threat actor, armed with an unknown Exchange exploitation chain, distinguishes itself through substantial financial resources, enabling the acquisition of vast volumes of digital infrastructure—ranging from VPS servers to domain names. Each new target is assigned a unique domain, and its corresponding IP addresses rotate at high frequency. Due to this ability to rapidly shift infrastructure and its predominantly nocturnal operations, the group has been dubbed NightEagle and designated internally as APT-Q-95.
For an extended period, NightEagle has been targeting China’s leading enterprises and institutions in sectors such as high technology, semiconductor and chip manufacturing, quantum computing, artificial intelligence, large language models, and the defense industry. The primary objective is data exfiltration. Following successful breaches, the attackers swiftly retreat from compromised network segments, leaving minimal traces.
The first red flag emerged when analysts detected an anomalous DNS query to the domain synologyupdates[.]com, crafted to mimic the services of Synology, a popular NAS manufacturer. Upon investigation, it became evident that the domain was not legitimately affiliated. DNS servers resolved it to internal addresses like 127.0.0.1 or 192.168.1.1, effectively obfuscating the adversary’s true command server.
Subsequent analysis uncovered recurrent requests to the domain from within a client’s internal network, occurring every four hours. On one internal host, a process named SynologyUpdate.exe was found. It was identified as a customized, malicious variant of the Chisel backdoor—compiled in Go and designed for covert network infiltration. The malware was executed on a schedule via system tasks.
This malicious implant established a SOCKS connection with its command server using TLS, enabling attackers to penetrate the internal network while evading traditional security measures. Log data confirmed that the infected host communicated with an internal Exchange mail server.
During the investigation, researchers uncovered a unique NightEagle toolkit—malware that resides exclusively in memory. This in-memory design allows it to remain undetected by most antivirus engines and security solutions. The payload leaves no disk artifacts and is purged from memory after execution. However, analysts managed to extract a loader component: an ASP.NET DLL injected into the IIS service on the Exchange server.
Once executed, the loader creates virtual directories disguised as language identifiers, such as ~/auth/lang/cn.aspx or ~/auth/lang/zh.aspx. Accessing such a path triggers the in-memory payload, which scans and invokes embedded functions within Exchange’s internal components.
Particularly concerning was the discovery of a novel exploitation chain targeting Exchange. Network traffic analysis revealed that the attackers used a previously unknown zero-day to extract the machine key of the Exchange server. This enabled remote deserialization, allowing arbitrary payload installation on compatible Exchange versions and granting full email access. The adversaries systematically probed for commonly used Exchange versions, indicating a high level of sophistication and access to extensive resources.
It was found that NightEagle’s operations have persisted for nearly a year, with consistent theft of email communications. These campaigns are meticulously obfuscated and highly evasive. By studying the temporal patterns of activity, researchers determined that attacks consistently occur between 9:00 PM and 6:00 AM Beijing time—pointing to an origin in the eighth time zone of the western hemisphere, most likely North America.
NightEagle employs a vast domain infrastructure, with each domain uniquely tied to a specific target. The group has also expanded its focus to systems linked to generative AI models. All domains are registered via Tucows, and the resolving IPs during active malware sessions point either to local network addresses or to U.S.-based providers such as DigitalOcean, Akamai, and The Constant Company. The frequency of domain queries ranges from every 2 to 8 hours.
To detect traces of compromise, organizations are advised to scrutinize Exchange system directories for anomalous files with suspicious names and extensions, and to audit email service logs for unusual requests and spoofed User-Agent strings.
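As an added defender-side illustration (not code from the RedDrip report), the Python below runs two of the checks the article points to over constructed log lines: IIS requests to the fake language-identifier pages under ~/auth/lang/, and a resolver log in which a lookalike domain answers with loopback or RFC 1918 addresses on a fixed 2 to 8 hour cadence. The log field layouts, hosts and timestamps are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed IIS log (not from the report); one token per field:
# date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
IIS_LOG = """\
2025-06-01 22:03:11 GET /owa/auth/logon.aspx 10.0.0.5 Mozilla/5.0 200
2025-06-01 22:05:40 POST /auth/lang/cn.aspx 10.0.0.5 Mozilla/5.0 200
2025-06-02 02:05:41 GET /ecp/default.aspx 10.0.0.9 Mozilla/5.0 200
2025-06-02 02:06:02 GET /auth/lang/zh.aspx 10.0.0.5 Mozilla/5.0 200
"""
# Constructed resolver log: timestamp client qname answer
DNS_LOG = """\
2025-06-01T22:00:00 10.0.0.5 synologyupdates.com 127.0.0.1
2025-06-02T02:00:03 10.0.0.5 synologyupdates.com 192.168.1.1
2025-06-02T06:00:01 10.0.0.5 synologyupdates.com 127.0.0.1
2025-06-02T06:00:05 10.0.0.7 update.synology.com 203.0.113.10
"""
# Loopback plus RFC 1918: a public C2 name should never resolve to these
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def suspicious_exchange_paths(log):
    """Return (client, path) for hits on the fake language-identifier pages under /auth/lang/."""
    hits = []
    for line in log.splitlines():
        _d, _t, _method, path, client, _ua, _status = line.split()
        if path.lower().startswith("/auth/lang/") and path.lower().endswith(".aspx"):
            hits.append((client, path))
    return hits

def suspicious_dns(log, min_h=2, max_h=8):
    """Flag names answered with internal IPs or queried on a fixed min_h..max_h hour cadence."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, _client, qname, answer = line.split()
        seen[qname].append((datetime.fromisoformat(ts), ipaddress.ip_address(answer)))
    findings = {}
    for qname, rows in seen.items():
        rows.sort(key=lambda r: r[0])
        bogus = any(ip in net for _, ip in rows for net in INTERNAL)
        gaps = [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(rows, rows[1:])]
        periodic = (len(gaps) >= 2 and all(min_h <= g <= max_h for g in gaps)
                    and max(gaps) - min(gaps) < 0.25)  # jitter under 15 minutes
        if bogus or periodic:
            findings[qname] = {"bogus_answer": bogus, "periodic": periodic,
                               "interval_h": round(gaps[0], 2) if gaps else None}
    return findings
```

In production the same two checks would run over real IIS W3C and DNS server logs with the field indices adjusted; a beacon every four hours with an internal-address answer is a strong combined signal even when the payload itself never touches disk.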