NightEagle

NightEagle is a newly identified advanced persistent threat actor, also tracked as APT-Q-95 and APT-C-78, that has conducted cyber-espionage operations against China’s high-tech and critical technology sectors since 2023. Reported targets include AI companies, quantum technology firms, semiconductor and chip manufacturers, government, defense, military industry organizations, and the broader Chinese military industrial complex. The activity has been described as highly stealthy and sophisticated. The group has been observed exploiting a suspected zero-day exploit chain in Microsoft Exchange Server during 2023–2024. Reported post-exploitation activity includes stealing mailbox and email data from compromised Exchange accounts, stealing machineKey credentials, interacting with on-premises Exchange servers, and deploying fileless, memory-resident implants that operate in RAM and evade traditional antivirus and disk-based forensic detection. Reported tooling includes an ASP.NET precompiled DLL loader, creation of virtual URL directories within IIS services, and use of a customized Go-based Chisel tunneling utility for SOCKS connections over port 443 with hardcoded authentication parameters. NightEagle reportedly uses dedicated infrastructure per victim, including attack domains such as synologyupdates.com, comfyupdate.org, coremailtech.com, and fastapi-cdn.com, with domains registered via Tucows and infrastructure observed at DigitalOcean, Akamai, and The Constant Company. Its command-and-control domains were reported to be inactive most of the time, often resolving to dead-end or local IP addresses such as 127.0.0.1, and only activated briefly during operator activity. The group has also been reported to target source code repositories and backup storage systems. Operationally, NightEagle has been reported to work on a fixed schedule of 9:00 PM to 6:00 AM Beijing time. Researchers cited in the content assessed that this pattern suggests a North American, specifically western time zone, origin, but the content also states that no formal country attribution has been made. Accordingly, NightEagle should be described as a suspected cyber-espionage actor with possible North American operational alignment, not a confirmed nation-state attribution.