NightEagle APT Unleashes Custom Malware and Zero-Days to Infiltrate Industrial Systems
Cybersecurity company Qian Pangu disclosed the attack campaigns of an Advanced Persistent Threat (APT) group it tracks as "NightEagle," internal designation APT-Q-95, at the 2025 Malaysia National Cyber Defense and Security Exhibition and Conference.
A Stealthy Predator in the Cyber Realm
Qian Pangu has tracked the group since 2023. NightEagle has shown considerable agility in exploiting previously unknown vulnerabilities and deploying custom malware against high-value industries in China, including high-tech manufacturing, semiconductors, quantum technology, artificial intelligence, and the military sector.
NightEagle’s primary objective appears to be intelligence theft, executed with surgical precision before erasing all traces of infiltration.
NightEagle's modus operandi is marked by rapid infrastructure rotation: the group has the financial resources to acquire large numbers of VPS servers and domain names, typically registers a dedicated domain for each target, and changes the IP addresses those domains resolve to, which defeats blocklist-based detection.
Qian Pangu first detected suspicious activity through its Qianxin Tianyan NDR system, which flagged an anomalous DNS request for "synologyupdates.com," a domain imitating Synology's NAS service. The domain resolved to local addresses such as 127.0.0.1, hiding the location of the real server.
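The DNS anomaly described above (a brand-lookalike name, and an externally registered name answering with loopback or private address space) is straightforward to hunt for in DNS telemetry. The following is an added example written for this page, not code from Qian Pangu or the report; the log format, the client addresses, the brand-to-apex mapping and the `corp.local` internal zone are all assumptions, and only the two lookalike names come from the page's IOC list.

```python
import ipaddress

# Constructed DNS log excerpt (not from the report): time, client IP, queried name,
# answer. The two lookalike names are taken from the page's IOC list; the client
# addresses, timestamps and the legitimate lookups are invented for the example.
SAMPLE_DNS_LOG = """\
2025-05-01T13:02:11Z 10.20.3.17 cloud.synologyupdates.com 127.0.0.1
2025-05-01T13:02:12Z 10.20.3.17 www.synology.com 52.12.34.56
2025-05-01T13:05:40Z 10.20.3.44 comfyupdate.org 10.0.0.1
2025-05-01T13:06:02Z 10.20.3.44 update.microsoft.com 13.107.4.50
2025-05-01T13:07:19Z 10.20.3.44 mail.corp.local 10.20.1.10
"""

# Brand keywords mapped to the apex domains a legitimate lookup would fall under.
# The apex lists are assumptions for this example; tune them to your environment,
# and expect to allowlist unrelated names that happen to contain a keyword.
BRAND_APEX = {
    "synology": ("synology.com", "synology.cn"),
    "comfy": ("comfy.org",),
}

# Zones where an internal (RFC 1918) answer is expected; assumed for the example.
INTERNAL_ZONES = ("corp.local",)


def under_zone(name: str, zones) -> bool:
    """True if name equals, or is a subdomain of, any zone in zones."""
    return any(name == z or name.endswith("." + z) for z in zones)


def is_internal_answer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private or addr.is_unspecified


def classify(query: str, answer: str) -> list:
    """Return the reasons a query/answer pair looks suspicious (empty if none)."""
    q = query.lower().rstrip(".")
    reasons = []
    for brand, apexes in BRAND_APEX.items():
        # Brand keyword present, but the name is not under the brand's real apex.
        if brand in q and not under_zone(q, apexes):
            reasons.append(f"lookalike:{brand}")
    # An externally registered name should not answer with loopback or RFC 1918
    # space; the page reports NightEagle domains resolving to 127.0.0.1 to hide
    # the real server.
    if not under_zone(q, INTERNAL_ZONES) and is_internal_answer(answer):
        reasons.append("external_name_resolves_internal")
    return reasons


def scan_dns_log(log_text: str) -> list:
    """Parse whitespace-separated log lines and return the suspicious ones."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, query, answer = line.split()
        reasons = classify(query, answer)
        if reasons:
            hits.append({"time": ts, "client": client, "query": query,
                         "answer": answer, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Run against the sample, only the two lookalike queries are returned, each with both reasons attached; the legitimate Synology lookup and the internal `mail.corp.local` answer pass. The second check matters on its own: a domain that is never lookalike but parks on 127.0.0.1 is still worth a look.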
Exploiting Shadows with Advanced Tactics
Further analysis with Qianxin AISOC identified a customized Go-language malware, "SynologyUpdate.exe," built from the open-source Chisel tunneling tool. It opens a SOCKS tunnel to a hardcoded address over port 443, giving the attackers a path into the internal network.
A scheduled task launched the malware every four hours, maintaining the access needed for deeper intrusion.
The group's arsenal includes a memory-resident implant, a so-called "memory horse," injected into Exchange servers without touching disk, so file-scanning antivirus tools cannot see it.
The payload is loaded through an ASP.NET DLL named "App_Web_cn*.dll" and registers virtual URL paths under "/owa/auth/" through which its malicious functions are invoked.
NightEagle also holds an undisclosed Exchange zero-day exploit chain that lets the attackers steal the server's keys, abuse deserialization, and remotely harvest the mailboxes of targeted individuals; the exploit iterates through Exchange version identifiers until it finds one matching the target.
Traffic analysis with Qianxin's Tianyan NDR showed that email data had been exfiltrated from affected organizations for nearly a year.
Activity was observed strictly between 9 p.m. and 6 a.m. Beijing time (UTC+8), which corresponds to roughly 5 a.m. to 2 p.m. at UTC-8, the Pacific time zone of western North America, where the operators are suspected to be based.
Its targeting tracks geopolitical developments and China's growing AI industry, reflected in domains such as "comfyupdate.org" that impersonate AI tools.
Qian Pangu's threat intelligence has published the malicious domains and attack signatures it identified and urges organizations worldwide to inspect their Exchange servers for unexpected IIS components and anomalous URL requests.
Qianxin's APT-Q-95 Exchange memory self-check tool and Tianqing endpoint management system are available to detect and mitigate these threats, with correlation of NDR, EDR, and AISOC telemetry supporting automated response within minutes.
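The memory horse described earlier is invisible to file scanning, but it still has to be reached over HTTP, and its virtual paths under "/owa/auth/" leave traces in the IIS logs that the inspection urged above can pick up. The following is an added example for this page, not Qianxin's tool or any code from the report: it parses IIS W3C log lines and flags successful requests under "/owa/auth/" that do not match the pages Exchange serves there, and write methods to the build-versioned static content directory. The log excerpt is constructed, the two suspicious requests are invented to exercise the check rather than real NightEagle paths, and the list of known pages is an assumed baseline that should be taken from a known-clean server of the same build.

```python
import re

# Constructed IIS W3C log excerpt for an Exchange front end (not from the report).
# Field layout follows the default IIS format; client IPs, timestamps and the two
# suspicious requests are invented to exercise the check, not real NightEagle paths.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-05-02 13:01:05 10.1.1.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.9 Mozilla/5.0 200
2025-05-02 13:01:06 10.1.1.5 GET /owa/auth/15.2.1258.12/themes/resources/favicon.ico - 443 - 203.0.113.9 Mozilla/5.0 200
2025-05-02 13:01:30 10.1.1.5 POST /owa/auth/15.2.1258.12/scripts/premium/main.js - 443 - 198.51.100.7 Mozilla/5.0 200
2025-05-02 13:02:14 10.1.1.5 GET /owa/auth/errorFE.aspx httpCode=500 443 - 203.0.113.9 Mozilla/5.0 200
2025-05-02 13:03:41 10.1.1.5 GET /owa/auth/syncupdate - 443 - 198.51.100.7 python-requests/2.31 200
"""

# Pages Exchange itself serves directly under /owa/auth/ (assumed baseline; build
# it from a known-clean server of the same version before relying on it).
KNOWN_AUTH_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "expiredpassword.aspx"}
# Static content lives under a build-versioned directory, e.g. /owa/auth/15.2.1258.12/.
VERSION_DIR = re.compile(r"^/owa/auth/\d+\.\d+\.\d+\.\d+/")


def parse_w3c(log_text: str) -> list:
    """Turn an IIS W3C log into a list of dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def suspicious_owa_auth(row: dict) -> str:
    """Return a reason if a request under /owa/auth/ is unexpected, else ''."""
    stem = row["cs-uri-stem"]
    if not stem.lower().startswith("/owa/auth/"):
        return ""
    if row["sc-status"] != "200":
        return ""  # only successful requests indicate a live handler on that path
    if VERSION_DIR.match(stem):
        # Static assets are only ever fetched; a POST to one suggests a handler
        # has been registered on that path.
        if row["cs-method"] not in ("GET", "HEAD"):
            return "write_method_to_static_path"
        return ""
    leaf = stem.rsplit("/", 1)[-1].lower()
    if leaf not in KNOWN_AUTH_PAGES:
        return "unknown_owa_auth_path"
    return ""


def hunt(log_text: str) -> list:
    """Return (client IP, method, path, reason) for each suspicious request."""
    hits = []
    for row in parse_w3c(log_text):
        reason = suspicious_owa_auth(row)
        if reason:
            hits.append((row["c-ip"], row["cs-method"], row["cs-uri-stem"], reason))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_IIS_LOG):
        print(*hit)
```

On the sample this returns the POST to a static path and the GET of an unknown leaf, both from the same client, while the normal logon, error and favicon requests pass. Restricting to status 200 is deliberate: an attacker probing for a path that does not exist produces 404s that look like ordinary scanner noise, whereas a 200 on a path Exchange never serves means something is answering there. Pair the log review with a check of the modules loaded in the w3wp.exe process for the reported "App_Web_cn*.dll" naming, which the page identifies as the loader.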
Indicators of Compromise (IOCs)
| Domain Name | Associated Activity |
|---|---|
| app.flowgw.com | Malware C2 communication |
| cloud.synologyupdates.com | Disguised DNS resolution |
| comfyupdate.org | AI tool impersonation |
| coremailtech.com | Email service targeting |
| dashboard.daihou360.com | Custom malware distribution |
| e-mailrelay.com | Email data exfiltration |
| fastapi-cdn.com | Malware hosting |
| fortisys.net | C2 infrastructure |