NightEagle APT – Targeted Zero-Day Exploitation Campaign

PravinKarthik

12 months ago

Campaign Timeline & Overview

Active Since: 2023
Zero-Day Used: Vulnerability in Microsoft Exchange (details undisclosed)
Public Disclosure: July 2025
Initial Discovery: Identified during analysis of Exchange Server exploitation patterns involving custom payloads and lateral tunneling tools.

Target Profile

Sector Description Government Ministries and agencies responsible for strategic planning and cyber policy. Military Entities linked to national defense and aerospace research. Technology Companies engaged in semiconductors, quantum computing, and AI R&D.

Primary Region Targeted: China
While all confirmed attacks have been in China, the nature of the zero-day implies global risk potential, especially for organizations still running on-premise Exchange services.

Technical Attack Flow

Initial Access via Zero-Day in Microsoft Exchange
- Exploited an IIS deserialization flaw in Exchange using machineKey.
- Allows injection of a custom .NET loader to execute arbitrary code within Exchange’s application pool.
- Persistence established without using web shells or traditional malware artifacts—living off the land (LotL) approach.
Payload Deployment
- The injected .NET component loads encrypted configuration files.
- Performs command-and-control (C2) beaconing and establishes persistent backdoor access.
Tunneling via Modified Go-based Chisel Tool
- Uses a customized version of the open-source tool Chisel, written in Go.
- Enables reverse SOCKS tunneling over HTTP/HTTPS to bypass firewalls and exfiltrate data.
- Configured to run every 4 hours as a scheduled task, reducing noise in logs.
Lateral Movement & Internal Reconnaissance
- Scheduled execution indicates stealth and patience in enumeration and privilege escalation.
- Focused on accessing research documents, proprietary AI models, and sensitive government files.
Operational Timing
- Most C2 activity observed during 21:00–06:00 Beijing time.
- Suggests remote operators in different time zones—potentially North America-based infrastructure or redirection.

Custom Tooling & Artifacts

Defense Recommendations

1. Patch Management

Apply Microsoft security updates immediately, especially for Exchange Server.
Monitor for any emergency out-of-band patch releases.

2. Exchange Hardening

Restrict access to /owa and /ecp admin panels via network policies.
Disable legacy protocols (e.g., Basic Auth) and enforce MFA on admin accounts.

3. Behavioral Detection

Monitor for:
- Anomalous .NET processes tied to IIS.
- schtasks.exe with suspicious script execution patterns.
- Repeated outbound connections to unknown IPs using HTTPS tunnels.

4. Network Monitoring

Detect traffic patterns consistent with Chisel or reverse tunneling.
Look for persistent outbound connections during off-hours.

5. Threat Hunting

Search for encoded PowerShell in scheduled tasks or WMI.
Examine .config and temporary files on Exchange hosts for encrypted blobs.

Strategic Implications

NightEagle’s toolset avoids traditional malware signatures, posing a challenge for signature-based AV and EDR solutions.
With the zero-day public, threat actors globally may adopt similar tactics, leading to wider exploitation across sectors.
The campaign reinforces the critical need for layered defense, continuous monitoring, and proactive threat intelligence integration.

What to Watch Going Forward

Disclosure of CVE-ID for the zero-day—watch for patch notes from Microsoft.
Copycat attacks using the same exploit chain in different regions (especially targeting SMBs or under-resourced IT environments).
Evolution of the Chisel variant, especially if it gains modular C2 or evasion features.

Summary

NightEagle APT is a calculated, stealth-focused threat group leveraging an Exchange zero-day to penetrate highly sensitive networks. Their use of memory-only payloads, Go-based tunneling, and strategic scheduling mark them as a sophisticated, well-funded actor. Organizations globally—especially those with legacy on-premise infrastructure—should consider this a warning to harden systems, enable robust telemetry, and prepare for emerging Exchange-based exploitation.

Indicators of Compromise

🧷 File Hashes

SHA256: 0fc134fa7c90d1a67b2d41b20a67c3e4db20ef8e1176500b41ae8b54c62f6c77 — Modified Chisel tunneling tool
SHA256: e5d0a6c18a2389e315b6cf4e5fca1f8578cbf81e4ea3011983b216cf86d09c87 — .NET in-memory loader
SHA256: 20a3b4df5dfe84ae9481ea5cb7e06fbd94e2d7e1de962f3608ae05c0585fd45f — Encrypted config file

🌐 Network IOCs

Domain: update-center[.]cloud — C2 domain for reverse tunnel
Domain: edge-cache-sync[.]com — Payload staging domain
IP: 144.202.124.56 — Chisel C2 server
IP: 45.67.230.121 — Reverse proxy used by NightEagle
URL: https://update-center[.]cloud/bridge/ping — Beaconing endpoint
URL: https://edge-cache-sync[.]com/config.zip — Encrypted loader/config archive

🗂️ File & Registry Artifacts

File: C:\ProgramData\win_config.dat — Encrypted config dropped by loader
File: C:\Windows\Temp\svcchost.exe — Chisel binary
File: %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\error.aspx.cs — Modified for backdoor loader
Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysCoreSvc — Persistence via registry
Scheduled Task: \Microsoft\Windows\Update\UpdateCoreTask — Runs Chisel every 4 hours

🧪 Script & Execution Patterns

PowerShell with base64-encoded commands:
powershell -enc <base64> — Obfuscated loader execution
Scheduled task creation:
schtasks /create /tn "\Microsoft\Windows\Update\UpdateCoreTask" /tr "powershell -ExecutionPolicy Bypass ..."
Suspicious Chisel command line:
chisel.exe client --reverse — Reverse tunneling setup
.NET configuration abuse:
Use of System.Configuration.Install.Installer — Reflective .NET execution