A new cyberattack campaign targeting China has been uncovered, and what makes it stand out is that the group behind it is believed to be based in North America. This group, named NightEagle or APT-Q-95, is a previously unknown advanced persistent threat (APT) actor. Researchers say it has been carrying out espionage operations against high-value Chinese targets.
The campaign was discovered by Chinese cybersecurity company QiAnXin Technology, which revealed that NightEagle used a zero-day vulnerability in Microsoft Exchange servers. A zero-day is a flaw that had not been publicly disclosed and for which no patch was available at the time it was exploited. The hackers used this flaw to gain deep access to email servers in several organizations.
These attacks were focused on some of China’s most critical industries. The victims included companies involved in semiconductors, artificial intelligence, quantum computing, and defense research. All of these are areas China considers highly strategic and sensitive. The fact that the attackers successfully breached organizations in these fields shows just how serious the campaign was.
To break into the Exchange servers, NightEagle manipulated a system component called the machineKey, which controls how Microsoft Exchange handles authentication. This allowed the hackers to perform what’s called a deserialization attack, injecting a custom .NET loader directly into the server’s web components (IIS). This loader opened a backdoor, giving them ongoing access to emails and other private data without detection.
Once inside, they used additional tools to move further into the network. One of them was a modified version of Chisel, an open-source tool that creates tunnels between computers. By using Chisel, the hackers were able to create hidden connections inside the organization’s network, making it easier to steal data and move around undetected.
QiAnXin noticed unusual internet traffic coming from some of the infected systems. They were reaching out to a domain that looked legitimate, synologyupdates.com, but it was actually fake. This clue helped researchers trace the attacks back to NightEagle. It also showed the group’s ability to disguise its activity behind seemingly normal traffic patterns.
Though the group hasn’t been officially identified, several signs suggest it operates from North America. They used virtual servers hosted in the United States and followed working hours that matched North American time zones. Their tactics and tools also resemble those used in Western intelligence operations, rather than criminal gangs or hobbyist hackers.
Microsoft is aware of the situation and has confirmed that it is investigating the alleged vulnerability. However, they have not officially verified that a new zero-day flaw exists. Because of that, they haven’t released any patches yet. Organizations using Microsoft Exchange are being urged to watch for any suspicious activity on their networks and review access logs carefully.
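The clue described above (repeated contacts to the fake synologyupdates.com domain) and the advice to review access logs can be turned into a small detection script. The following is an added example written for this article, not code from QiAnXin or Microsoft; the proxy log lines, host names and timestamps are constructed, and the regular-interval "beaconing" check is a generic heuristic for tunnelling or command-and-control traffic, not a signature of NightEagle's actual tooling.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines for this example (not real traffic):
# "<timestamp> <source host> <destination domain>".
SAMPLE_LOG = """\
2025-06-01T08:00:02Z srv-exch01 update.microsoft.com
2025-06-01T08:00:11Z ws-dev17 synologyupdates.com
2025-06-01T08:05:12Z ws-dev17 synologyupdates.com
2025-06-01T08:10:09Z ws-dev17 synologyupdates.com
2025-06-01T08:15:14Z ws-dev17 synologyupdates.com
2025-06-01T08:16:40Z srv-exch01 login.microsoftonline.com
2025-06-01T09:30:00Z ws-hr03 www.synology.com
"""

# The fake update domain the article attributes to NightEagle.
KNOWN_BAD = {"synologyupdates.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(log):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)


def find_indicators(log, min_hits=3, max_jitter_s=30):
    """Return sorted (src, dst, reason) findings: contacts to a known-bad domain,
    and (src, dst) pairs that recur at a near-constant interval, the beaconing
    pattern a hidden tunnel or C2 channel tends to produce."""
    by_pair = defaultdict(list)
    findings = set()
    for ts, src, dst in parse_log(log):
        if dst in KNOWN_BAD:
            findings.add((src, dst, "known-bad domain"))
        by_pair[(src, dst)].append(ts)
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            findings.add((src, dst, f"beaconing every ~{int(sum(gaps) / len(gaps))}s"))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, reason in find_indicators(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

Against real proxy or DNS logs, tune `min_hits` and `max_jitter_s` to the environment and extend `KNOWN_BAD` with the indicators your threat intelligence feed supplies.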
This case is notable because it’s rare to see Chinese systems being targeted by a North American APT. Most of the time, the headlines involve Chinese-backed groups attacking Western companies or governments. But this time, the tables have turned, and it highlights that cyber operations are truly global and can come from any direction.
The NightEagle operation is a reminder that in the digital world, even the most advanced systems can be vulnerable. As competition between global powers grows in areas like AI and quantum tech, cyber-espionage will only increase. Organizations need to stay alert, update systems regularly, and invest in stronger security to protect their most valuable data from threats that may not always be visible or expected.
Stay alert, and keep your security measures updated!
Source: cybersecurity88