Saturday, April 11, 2026

Adaptive Malware and Zero-Day Exploits – How NightEagle APT Targets Industrial Systems

At the 2025 Malaysia National Cyber Defense and Security Exhibition, cybersecurity research organization Qianxin unveiled the results of a year-long investigation into a shadowy advanced persistent threat (APT) group dubbed “NightEagle” (internal code: APT-Q-95).

The group is linked to highly sophisticated cyber espionage campaigns targeting China’s critical industries, including semiconductors, military technology, quantum computing, and AI systems.

Highly Adaptive Infrastructure and Stealthy Tactics

NightEagle’s operational agility is striking. The group exploits a Microsoft Exchange vulnerability that was undisclosed at the time of the report, as part of an exploitation chain for which no vendor patch existed, leaving affected environments with nothing to apply.

Equipped with significant financial resources, NightEagle frequently purchases large quantities of VPS servers and domain names.

Each intrusion uses its own domain and rapidly rotating IP addresses, so indicators collected from one victim rarely carry over to the next; this masks the source of each intrusion and defeats detection that relies on blocking known infrastructure.

Investigations first flagged suspicious activity via Qianxin’s Tianyan NDR system, observing abnormal DNS requests to domains that mimicked legitimate services, such as “synologyupdates.com.”

The domain resolved to a loopback address (127.0.0.1) rather than to a routable host, so anyone who simply resolved the name saw nothing of the attacker’s real infrastructure; the actual C2 address appeared only when the operators changed the record.

The repeated resolutions were triggered by a scheduled malware process named SynologyUpdate.exe, which queried the domain every four hours as a beacon for command-and-control communications.
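The beacon pattern described above, a domain that is queried on a fixed schedule and answers with a loopback address, can be hunted in resolver logs. The following is an added example, not code from the Qianxin report or its tooling; the log lines, client address, decoy domain names and timings are constructed, and the "timestamp client qname answer" line format is an assumption about how your resolver logs are exported.

```python
# Added example (not from the Qianxin report): hunting the DNS beacon pattern
# described above. A (client, domain) pair is flagged when it is queried on a
# near-fixed schedule and at least one answer is a loopback/unspecified address.
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address
from statistics import median

# Constructed resolver log, one query per line: "timestamp client qname answer".
# Addresses, timings and the decoy names are illustrative, not from the report.
SAMPLE_LOG = """\
2025-03-01T00:02:11Z 10.10.5.23 synologyupdates.com 127.0.0.1
2025-03-01T00:02:11Z 10.10.5.23 www.example.com 198.51.100.20
2025-03-01T01:00:03Z 10.10.5.23 time.example.net 198.51.100.10
2025-03-01T04:02:09Z 10.10.5.23 synologyupdates.com 127.0.0.1
2025-03-01T05:00:01Z 10.10.5.23 time.example.net 198.51.100.10
2025-03-01T08:02:14Z 10.10.5.23 synologyupdates.com 127.0.0.1
2025-03-01T09:00:04Z 10.10.5.23 time.example.net 198.51.100.10
2025-03-01T10:30:00Z 10.10.5.23 localtest.corp.example 127.0.0.1
2025-03-01T12:02:10Z 10.10.5.23 synologyupdates.com 127.0.0.1
2025-03-01T13:00:02Z 10.10.5.23 time.example.net 198.51.100.10
2025-03-01T16:02:12Z 10.10.5.23 synologyupdates.com 127.0.0.1
2025-03-01T18:45:30Z 10.10.5.23 localtest.corp.example 127.0.0.1
2025-03-01T20:02:08Z 10.10.5.23 synologyupdates.com 203.0.113.77
"""


def parse_log(text):
    """Parse 'timestamp client qname answer' lines; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, answer = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, client, qname.lower().rstrip("."), answer))
    return records


def is_parked(answer):
    """True for a loopback or unspecified answer: the lookup succeeds but cannot
    produce an outbound connection, which is how the reported domain behaved."""
    try:
        ip = ip_address(answer)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_beacons(records, min_queries=4, max_jitter=0.1):
    """Return one finding per (client, qname) that is queried at regular intervals
    (max deviation from the median gap below max_jitter) and has a parked answer."""
    groups = defaultdict(list)
    for when, client, qname, answer in records:
        groups[(client, qname)].append((when, answer))
    findings = []
    for (client, qname), events in groups.items():
        if len(events) < min_queries:
            continue  # too few samples to call it periodic
        events.sort()
        answers = {a for _, a in events}
        if not any(is_parked(a) for a in answers):
            continue  # regular lookups of a normal public name are not our pattern
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter > max_jitter:
            continue
        findings.append({
            "client": client,
            "domain": qname,
            "queries": len(events),
            "period_hours": round(period / 3600, 2),
            "jitter": round(jitter, 3),
            # Any non-parked answer is the address the operators switched the record to.
            "non_parked_answers": sorted(a for a in answers if not is_parked(a)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log only synologyupdates.com is reported: time.example.net is just as regular but never parks on loopback, and localtest.corp.example parks on loopback but is queried too rarely to establish a period. The non-parked answer in the finding is the address worth pivoting on, since it is the one the operators exposed during their active window.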

Zero-Day Weaponization and Memory-Resident Malware

To keep a foothold and move laterally, NightEagle deployed a modified build of the open-source Chisel tunneling tool with its authentication credentials hardcoded, providing an encrypted SOCKS tunnel from inside the victim network back to the attacker’s C2 infrastructure.

Most concerning is the group’s use of fileless, memory-resident malware: .NET assemblies loaded directly into the Microsoft Exchange IIS worker processes.

These “memory horses” (in-memory webshells) evade file-based antivirus scanning because they never touch the disk, and they are removed from memory soon after each operation concludes.

The loader, typically named in the form “App_Web_cn*.dll” (a name that blends in with the App_Web_*.dll assemblies ASP.NET itself generates when compiling pages), registers virtual URL paths of the form ~/auth/lang/cn*.aspx; requests to those paths remotely trigger the espionage payload, which exfiltrates sensitive mailbox data.
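Two checks follow from the loader description above: an App_Web_* assembly that the CLR reports with no file location (the Location of an assembly loaded from a byte array is empty) or that sits outside the Temporary ASP.NET Files directory, and IIS log entries for the virtual /auth/lang/cn*.aspx paths. The code below is an added example, not Qianxin’s self-check utility; the assembly inventory (the shape an in-process AppDomain.CurrentDomain.GetAssemblies() enumeration would give), the W3C log lines, the /owa and /ecp application prefixes and all names, paths and addresses are constructed.

```python
# Added example (not Qianxin's tooling): two hunts for the in-memory loader
# described above, over a constructed assembly inventory and constructed IIS logs.
import re

# Constructed inventory of assemblies in Exchange IIS worker processes, in the
# shape an in-process enumeration (AppDomain.CurrentDomain.GetAssemblies()) gives:
# the CLR reports an empty Location for an assembly loaded from a byte array.
SAMPLE_ASSEMBLIES = [
    {"process": "w3wp.exe", "pid": 4120, "name": "Microsoft.Exchange.Clients.Owa2.Server",
     "location": r"C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Clients.Owa2.Server.dll"},
    # Legitimate page assembly compiled by ASP.NET: lives under Temporary ASP.NET Files.
    {"process": "w3wp.exe", "pid": 4120, "name": "App_Web_3k2xq9aa",
     "location": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\a1b2c3d4\e5f6a7b8\App_Web_3k2xq9aa.dll"},
    # Memory-only assembly: no backing file at all.
    {"process": "w3wp.exe", "pid": 4120, "name": "App_Web_cn9f2a1", "location": ""},
    # On disk, but dropped somewhere ASP.NET would never compile to.
    {"process": "w3wp.exe", "pid": 5308, "name": "App_Web_cn7b3e0",
     "location": r"C:\inetpub\wwwroot\aspnet_client\App_Web_cn7b3e0.dll"},
]

# Constructed IIS W3C extended log (raw string: usernames contain backslashes).
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-01 00:05:12 10.10.5.40 GET /owa/auth/logon.aspx url=https://mail.corp.example/owa/ 443 - 10.10.7.15 Mozilla/5.0+(Windows+NT+10.0) 200
2025-03-01 00:06:30 10.10.5.40 POST /owa/auth/lang/cn2025.aspx - 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0) 200
2025-03-01 00:06:44 10.10.5.40 GET /ecp/default.aspx - 443 CORP\alice 10.10.7.16 Mozilla/5.0+(Windows+NT+10.0) 200
2025-03-01 00:08:01 10.10.5.40 POST /ecp/auth/lang/cnsync.aspx - 443 - 203.0.113.77 python-requests/2.31.0 200
2025-03-01 00:09:15 10.10.5.40 GET /owa/auth/themes/resources/favicon.ico - 443 - 10.10.7.15 Mozilla/5.0+(Windows+NT+10.0) 200
"""

APP_WEB_RE = re.compile(r"^App_Web_", re.IGNORECASE)
REPORTED_PREFIX_RE = re.compile(r"^App_Web_cn", re.IGNORECASE)   # prefix given in the report
TEMP_ASPNET_MARKER = "temporary asp.net files"                   # where ASP.NET compiles to
VIRTUAL_PATH_RE = re.compile(r"/auth/lang/cn[^/]*\.aspx$", re.IGNORECASE)


def find_suspicious_assemblies(assemblies):
    """Flag App_Web_* assemblies with no backing file, or a file outside the
    Temporary ASP.NET Files tree. Ordinary page assemblies pass both checks."""
    findings = []
    for asm in assemblies:
        if not APP_WEB_RE.match(asm["name"]):
            continue
        location = asm.get("location") or ""
        if location == "":
            reason = "no backing file (byte-array load)"
        elif TEMP_ASPNET_MARKER not in location.lower():
            reason = "App_Web assembly outside Temporary ASP.NET Files"
        else:
            continue
        findings.append({
            "pid": asm["pid"],
            "name": asm["name"],
            "reason": reason,
            "matches_reported_prefix": bool(REPORTED_PREFIX_RE.match(asm["name"])),
        })
    return findings


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line; do not guess at columns
        yield dict(zip(fields, values))


def find_virtual_path_requests(text):
    """Return requests whose URI stem matches the /auth/lang/cn*.aspx virtual path."""
    hits = []
    for rec in parse_iis_w3c(text):
        if VIRTUAL_PATH_RE.search(rec["cs-uri-stem"]):
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                         "method": rec["cs-method"], "uri": rec["cs-uri-stem"],
                         "status": rec["sc-status"]})
    return hits


if __name__ == "__main__":
    for f in find_suspicious_assemblies(SAMPLE_ASSEMBLIES):
        print("assembly:", f)
    for h in find_virtual_path_requests(SAMPLE_IIS_LOG):
        print("request:", h)
```

The location check matters more than the name: the cn prefix is what Qianxin reported, but a renamed loader still has no file behind it. Note that a byte-array load produces no image-load event, so module lists taken from outside the process (Sysmon Event ID 7, Get-Process Modules) will not show it; the inventory has to come from inside the worker process, which is what a memory self-check does. The request hits give the client addresses to pivot on, and a path that matches but has no corresponding .aspx file in the application directory is the confirmation.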

Qianxin’s analysis revealed that NightEagle had leveraged a previously unknown Exchange 0-day to extract mailbox data unnoticed for nearly a year, tailoring each exploitation attempt by iterating through Exchange version numbers until one matched the target and then exploiting .NET deserialization through the server’s machineKey.

Patterns, Protective Measures, and Industry Response

NightEagle’s campaigns align with geopolitical flashpoints and evolving Chinese industry priorities. Attacker activity clusters between 9 p.m. and 6 a.m. Beijing time, which is nighttime in China but corresponds to daytime working hours in North America (roughly 9 a.m. to 6 p.m. U.S. Eastern Daylight Time), consistent with operators working a North American business day.

Domain infrastructure analysis identified over two dozen C2 domains registered via Tucows and associated with U.S. hosting providers.

Qianxin has released specialized detection and remediation tools, including a memory self-check utility that inspects the assemblies loaded in Exchange IIS processes, and strongly encourages organizations to review their telemetry for abnormal IIS assemblies and suspicious domain callouts.

The group’s rapid infrastructure rotation and use of zero-day exploits raise the bar for defenders, highlighting the need for integrated, intelligence-driven security platforms.
