Cyber-espionage campaign traced to North America leverages stealthy Exchange vulnerability to infiltrate Chinese high-tech and defense industries.
Covert APT Group “NightEagle” Tied to Strategic Cyber-Espionage Across China’s Critical Sectors
A previously unidentified Advanced Persistent Threat (APT) actor dubbed NightEagle has been linked to a long-running espionage campaign targeting sensitive Chinese sectors, including artificial intelligence, semiconductors, military defense, and quantum research. The group, reportedly operating from North America, exploited a zero-day vulnerability in Microsoft Exchange Server to gain persistent access to critical systems within high-value Chinese organizations.
Researchers at QiAnXin Technology’s RedDrip threat intelligence unit uncovered the intrusion, tracing the activity back to 2023. They noted that NightEagle appeared to have considerable financial and technical resources, allowing it to purchase vast numbers of virtual private servers (VPS), domain names, and infrastructure for sustained attack campaigns.
“This group has long targeted top companies and institutions in China’s high-tech, chip semiconductor, quantum technology, artificial intelligence, and large language models, military industry, and other fields,” RedDrip stated in its report.
The group was named NightEagle due to its speed of operation and a consistent attack pattern that aligns with nighttime hours in China, supporting suspicions of a Western time zone origin.
Zero-Day Exploit in Microsoft Exchange Used for IIS Hijacking and Mailbox Exfiltration
At the core of the operation is a sophisticated Exchange zero-day exploit chain that enables NightEagle to harvest sensitive email content from compromised servers. The attackers leveraged a previously undocumented method to extract the Exchange server’s machineKey, a critical component in the Microsoft .NET and ASP.NET frameworks that handles authentication tokens and encryption.
By stealing the machineKey, NightEagle was able to send specially crafted payloads to the Exchange server, triggering unauthorized deserialization and remote code execution (RCE). This enabled them to implant a custom .NET loader directly into Microsoft’s Internet Information Services (IIS), giving them deep-level access to hosted mailboxes.
RedDrip notes that while the complete exploit chain remains undisclosed, their analysis confirms that NightEagle possesses exclusive tools and techniques for compromising Exchange environments.
“We found that it possesses a complete set of unknown Exchange vulnerability exploitation chain weapons,” said RedDrip researchers. “However, we have only obtained the process in which attackers obtain the key through unknown means and then steal Exchange data.”
When asked to comment, a Microsoft spokesperson said the company had reviewed the report and had not yet identified any actionable new vulnerabilities, but would continue its investigation.
Use of Modified Chisel Malware Ensured Long-Term Persistence and Stealth
Once inside, the attackers deployed a customized version of Chisel, an open-source tunneling tool written in Go. This version of Chisel was configured to establish communication every four hours, providing stealthy and persistent access to compromised environments. The malware was scheduled via built-in task automation, allowing it to silently reconnect to command-and-control (C2) infrastructure on demand.
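As an added illustration (not code from the RedDrip report or this article), the Python script below flags egress destinations that are contacted on a fixed four-hour cadence, the check-in pattern attributed to the modified Chisel above. The log lines and their field layout are constructed for the example; the period, jitter and minimum-hit thresholds are assumptions to tune per environment.

```python
"""Detect scheduled, low-jitter beaconing (e.g. a tunnel that reconnects
every four hours) in outbound connection records."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed firewall-style egress records for this example:
# ISO-8601 UTC timestamp, source host, destination ip:port.
SAMPLE_LOG = """\
2024-03-04T13:02:11Z mail01 203.0.113.10:443
2024-03-04T17:02:09Z mail01 203.0.113.10:443
2024-03-04T21:02:14Z mail01 203.0.113.10:443
2024-03-05T01:02:10Z mail01 203.0.113.10:443
2024-03-05T05:02:12Z mail01 203.0.113.10:443
2024-03-04T13:05:00Z mail01 198.51.100.7:443
2024-03-04T13:41:00Z mail01 198.51.100.7:443
2024-03-04T16:20:00Z mail01 198.51.100.7:443
2024-03-05T02:03:00Z mail01 198.51.100.7:443
"""


def parse_log(text):
    """Return {destination: [UTC datetimes]} from the constructed log format."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        ts, _src, dst = line.split()
        by_dst[dst].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return by_dst


def find_beacons(by_dst, period=timedelta(hours=4),
                 jitter=timedelta(minutes=5), min_hits=4):
    """Return {destination: hit count} for destinations whose gaps between
    connections cluster tightly around `period` (assumed thresholds)."""
    hits = {}
    for dst, times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) + 1 < min_hits:
            continue  # too few observations to call it a schedule
        # A task-scheduled check-in shows a median gap near the period and
        # almost no spread; human-driven traffic does not.
        if (abs(median(gaps) - period.total_seconds()) <= jitter.total_seconds()
                and pstdev(gaps) <= jitter.total_seconds()):
            hits[dst] = len(times)
    return hits


if __name__ == "__main__":
    for dst, n in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"suspected beacon: {dst} ({n} check-ins on a ~4h schedule)")
```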
What’s more, NightEagle’s operational hours were methodical. Attack timestamps recovered from endpoint detection and response (EDR) tools showed consistent activity between 9 PM and 6 AM Beijing time, reinforcing the suspicion that the operators were based in North America.
RedDrip also linked NightEagle’s targeting priorities to geopolitical shifts. For example, as China’s AI sector expanded, the attackers increased focus on companies specializing in large language models (LLMs) and AI innovation. The threat group’s agility and ability to shift targets according to global developments mark it as a well-funded, highly strategic espionage actor.
The Growing Risk to Unpatched Exchange Servers and Sensitive Sectors
This discovery highlights an urgent risk for both public and private organizations relying on legacy or unpatched Exchange infrastructure. Threat actors with sophisticated toolkits, like NightEagle, continue to bypass detection and maintain access for months—even years—after their initial entry.
As organizations in sensitive industries like defense, artificial intelligence, and critical infrastructure remain high-value targets for state-linked attackers, the focus must shift from reactive defense to proactive resilience.
Ensuring swift recovery and containment in the event of a breach is now essential—particularly when attackers implant stealthy persistence mechanisms that can evade traditional detection.