NightEagle APT – Targeted Zero-Day Exploitation Campaign

NightEagle (APT-Q-95) is a newly identified advanced persistent threat (APT) actor observed actively exploiting a zero-day vulnerability in Microsoft Exchange Server during 2023–2024. The group is notable for its stealthy, well-coordinated, and high-value targeting campaigns, particularly focusing on sensitive Chinese sectors such as defense, government, and emerging technologies.

Campaign Timeline & Overview

  • Active Since: 2023
  • Zero-Day Used: Vulnerability in Microsoft Exchange (details undisclosed)
  • Public Disclosure: July 2025
  • Initial Discovery: Identified during analysis of Exchange Server exploitation patterns involving custom payloads and lateral tunneling tools.

Target Profile

  • Government: Ministries and agencies responsible for strategic planning and cyber policy.
  • Military: Entities linked to national defense and aerospace research.
  • Technology: Companies engaged in semiconductors, quantum computing, and AI R&D.

Primary Region Targeted: China
While all confirmed attacks have been in China, the nature of the zero-day implies global risk potential, especially for organizations still running on-premise Exchange services.

Technical Attack Flow

  1. Initial Access via Zero-Day in Microsoft Exchange
    • Exploited an IIS deserialization flaw in Exchange using machineKey.
    • Allows injection of a custom .NET loader to execute arbitrary code within Exchange’s application pool.
    • Persistence established without using web shells or traditional malware artifacts—living off the land (LotL) approach.
  2. Payload Deployment
    • The injected .NET component loads encrypted configuration files.
    • Performs command-and-control (C2) beaconing and establishes persistent backdoor access.
  3. Tunneling via Modified Go-based Chisel Tool
    • Uses a customized version of the open-source tool Chisel, written in Go.
    • Enables reverse SOCKS tunneling over HTTP/HTTPS to bypass firewalls and exfiltrate data.
    • Configured to run every 4 hours as a scheduled task, reducing noise in logs.
  4. Lateral Movement & Internal Reconnaissance
    • Scheduled execution indicates stealth and patience in enumeration and privilege escalation.
    • Focused on accessing research documents, proprietary AI models, and sensitive government files.
  5. Operational Timing
    • Most C2 activity observed during 21:00–06:00 Beijing time.
    • Suggests remote operators in different time zones—potentially North America-based infrastructure or redirection.

Custom Tooling & Artifacts

Defense Recommendations

1. Patch Management

  • Apply Microsoft security updates immediately, especially for Exchange Server.
  • Monitor for any emergency out-of-band patch releases.

2. Exchange Hardening

  • Restrict access to /owa and /ecp admin panels via network policies.
  • Disable legacy protocols (e.g., Basic Auth) and enforce MFA on admin accounts.

3. Behavioral Detection

  • Monitor for:
    • Anomalous .NET processes tied to IIS.
    • schtasks.exe with suspicious script execution patterns.
    • Repeated outbound connections to unknown IPs using HTTPS tunnels.

4. Network Monitoring

  • Detect traffic patterns consistent with Chisel or reverse tunneling.
  • Look for persistent outbound connections during off-hours.
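The following Python, an added example rather than anything from the original report, applies the two network-monitoring points above to constructed outbound connection records: it groups connections by destination, keeps only series whose gaps match the 4-hour scheduled-task cadence the report describes, and counts how many of those connections fall in the 21:00–06:00 Beijing window. The record layout, host name, thresholds and the 203.0.113.10 benign address are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))  # the report gives its activity window in Beijing time

# Constructed outbound connection records (host, UTC timestamp, destination, port).
# 144.202.124.56 is the Chisel C2 address the report lists; 203.0.113.10 is an
# RFC 5737 documentation address standing in for ordinary, non-periodic traffic.
SAMPLE_CONNECTIONS = [
    ("EXCH01", "2024-03-10T13:02:11Z", "144.202.124.56", 443),
    ("EXCH01", "2024-03-10T17:02:09Z", "144.202.124.56", 443),
    ("EXCH01", "2024-03-10T21:02:14Z", "144.202.124.56", 443),
    ("EXCH01", "2024-03-11T01:02:10Z", "144.202.124.56", 443),
    ("EXCH01", "2024-03-10T14:30:00Z", "203.0.113.10", 443),
    ("EXCH01", "2024-03-10T15:00:00Z", "203.0.113.10", 443),
    ("EXCH01", "2024-03-10T18:45:00Z", "203.0.113.10", 443),
]

def parse_ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_off_hours(ts_utc):
    """True when the timestamp falls in 21:00-06:00 Beijing time, the window the report cites."""
    hour = ts_utc.astimezone(BEIJING).hour
    return hour >= 21 or hour < 6

def find_periodic_beacons(conns, period=timedelta(hours=4),
                          jitter=timedelta(minutes=5), min_hits=3):
    """Group connections by (host, dst, port) and report series whose every gap is ~period.
    A tunnel client re-launched by a 4-hourly scheduled task produces exactly this shape."""
    groups = defaultdict(list)
    for host, ts, dst, port in conns:
        groups[(host, dst, port)].append(parse_ts(ts))
    findings = []
    for (host, dst, port), times in groups.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(times) < min_hits or any(abs(g - period) > jitter for g in gaps):
            continue
        findings.append({"host": host, "dst": dst, "port": port, "count": len(times),
                         "off_hours": sum(in_off_hours(t) for t in times)})
    return findings
```

In a real deployment the same grouping runs over firewall or proxy logs; a high off_hours share on a periodic series is the combination the report flags, not either signal alone.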

5. Threat Hunting

  • Search for encoded PowerShell in scheduled tasks or WMI.
  • Examine .config and temporary files on Exchange hosts for encrypted blobs.
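As an added example covering both the Behavioral Detection and Threat Hunting lists above (not code from the original report), this Python triages constructed process-creation events for the patterns the report names: the Exchange worker process spawning a shell, schtasks creating the reported UpdateCoreTask, encoded PowerShell (which must be decoded as UTF-16LE base64, not UTF-8), and a Chisel-style `client --reverse` command line. The event tuple layout, process names in the samples and the decoded command are assumptions.

```python
import base64
import re

# Constructed sample process-creation events (parent image, image, command line).
# They are illustrative, not telemetry from the report; the -enc payload is built here.
_ENC = base64.b64encode("Start-Process C:\\Windows\\Temp\\svcchost.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("services.exe", "w3wp.exe", 'w3wp.exe -ap "MSExchangeOWAAppPool"'),
    ("w3wp.exe", "powershell.exe", "powershell -enc " + _ENC),
    ("svchost.exe", "schtasks.exe",
     'schtasks /create /tn "\\Microsoft\\Windows\\Update\\UpdateCoreTask" '
     '/tr "powershell -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\u.ps1"'),
    ("svchost.exe", "svcchost.exe", "svcchost.exe client --reverse https://update-center.cloud"),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]

# PowerShell -enc / -EncodedCommand takes base64 of UTF-16LE text, not UTF-8.
_ENC_RE = re.compile(r"(?:^|\s)-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_powershell(cmdline):
    """Return the decoded -enc payload, or None if absent or not valid base64/UTF-16LE."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(parent, image, cmdline):
    """Return the reasons an event matches the patterns the report describes (empty if none)."""
    reasons = []
    low = cmdline.lower()
    if parent.lower() == "w3wp.exe" and image.lower() in ("powershell.exe", "cmd.exe"):
        reasons.append("IIS/Exchange worker process spawned a shell")
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell decodes to: " + decoded)
    if image.lower() == "schtasks.exe" and "/create" in low and "powershell" in low:
        reasons.append("scheduled task created to run PowerShell")
    if "updatecoretask" in low:
        reasons.append("task name matches the reported persistence task")
    if re.search(r"\bclient\b.*--reverse", low):
        reasons.append("Chisel-style reverse tunnel client command line")
    return reasons

def triage(events):
    """Run triage over process events; returns [(image, reasons)] for matching events only."""
    return [(img, r) for parent, img, cmd in events if (r := triage_event(parent, img, cmd))]
```

The same checks can be pointed at Sysmon event ID 1 or Windows 4688 records once the three fields are extracted; the decoded command text is what an analyst then inspects by hand.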

Strategic Implications

  • NightEagle’s toolset avoids traditional malware signatures, posing a challenge for signature-based AV and EDR solutions.
  • With the zero-day public, threat actors globally may adopt similar tactics, leading to wider exploitation across sectors.
  • The campaign reinforces the critical need for layered defense, continuous monitoring, and proactive threat intelligence integration.

What to Watch Going Forward

  • Disclosure of CVE-ID for the zero-day—watch for patch notes from Microsoft.
  • Copycat attacks using the same exploit chain in different regions (especially targeting SMBs or under-resourced IT environments).
  • Evolution of the Chisel variant, especially if it gains modular C2 or evasion features.

Summary

NightEagle APT is a calculated, stealth-focused threat group leveraging an Exchange zero-day to penetrate highly sensitive networks. Their use of memory-only payloads, Go-based tunneling, and strategic scheduling marks them as a sophisticated, well-funded actor. Organizations globally—especially those with legacy on-premise infrastructure—should consider this a warning to harden systems, enable robust telemetry, and prepare for emerging Exchange-based exploitation.

Indicators of Compromise

🧷 File Hashes

  • SHA256: 0fc134fa7c90d1a67b2d41b20a67c3e4db20ef8e1176500b41ae8b54c62f6c77 — Modified Chisel tunneling tool
  • SHA256: e5d0a6c18a2389e315b6cf4e5fca1f8578cbf81e4ea3011983b216cf86d09c87 — .NET in-memory loader
  • SHA256: 20a3b4df5dfe84ae9481ea5cb7e06fbd94e2d7e1de962f3608ae05c0585fd45f — Encrypted config file

🌐 Network IOCs

  • Domain: update-center[.]cloud — C2 domain for reverse tunnel
  • Domain: edge-cache-sync[.]com — Payload staging domain
  • IP: 144.202.124.56 — Chisel C2 server
  • IP: 45.67.230.121 — Reverse proxy used by NightEagle
  • URL: https://update-center[.]cloud/bridge/ping — Beaconing endpoint
  • URL: https://edge-cache-sync[.]com/config.zip — Encrypted loader/config archive

🗂️ File & Registry Artifacts

  • File: C:\ProgramData\win_config.dat — Encrypted config dropped by loader
  • File: C:\Windows\Temp\svcchost.exe — Chisel binary
  • File: %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\error.aspx.cs — Modified for backdoor loader
  • Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysCoreSvc — Persistence via registry
  • Scheduled Task: \Microsoft\Windows\Update\UpdateCoreTask — Runs Chisel every 4 hours

🧪 Script & Execution Patterns

  • PowerShell with base64-encoded commands:
    powershell -enc <base64> — Obfuscated loader execution
  • Scheduled task creation:
    schtasks /create /tn "\Microsoft\Windows\Update\UpdateCoreTask" /tr "powershell -ExecutionPolicy Bypass ..."
  • Suspicious Chisel command line:
    chisel.exe client --reverse — Reverse tunneling setup
  • .NET configuration abuse:
    Use of System.Configuration.Install.Installer — Reflective .NET execution
