The group has demonstrated exceptional capabilities in exploiting unknown Exchange vulnerabilities and deploying adaptive malware to steal sensitive intelligence from high-tech companies, chip and semiconductor manufacturers, quantum technology firms, artificial intelligence developers, and military industry organizations.

NightEagle (APT-Q-95) centers its attack methodology on exploiting undisclosed zero-day vulnerabilities to obtain the machineKey of Exchange servers. With the machineKey in hand, the attackers can perform deserialization operations that implant malware on any Exchange server of a matching version, and the malware is memory-resident, which helps it evade detection. The group's targeting adapts to geopolitical events and has increasingly focused on China's AI large model industry, exploiting vulnerabilities in systems that use tools such as ComfyUI for AI applications.

The implant mechanism is an ASP.NET precompiled DLL loader named App_Web_cn*.dll, which creates virtual URL directories in formats like ~/auth/lang/cn*.aspx and ~/auth/lang/zh.aspx within the Exchange server's IIS services.
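A defender-side check for the artifacts named above, as an added example that is not code from the original article: it scans IIS W3C log lines for requests to the ~/auth/lang/cn*.aspx and ~/auth/lang/zh.aspx virtual paths and screens a list of compiled ASP.NET assembly names for the App_Web_cn*.dll loader. The log lines and assembly names are constructed samples, and the parser assumes the default space-separated IIS W3C layout with a `#Fields:` header.

```python
import re

# Artifacts reported for the NightEagle loader: the virtual .aspx paths it
# registers and the name of the precompiled ASP.NET assembly that serves them.
SUSPICIOUS_PATH_RE = re.compile(r"/auth/lang/(cn[^/]*|zh)\.aspx$", re.IGNORECASE)
# App_Web_*.dll is ASP.NET's normal naming scheme for dynamically compiled
# pages, so only the "cn" stem is treated as a signal; confirm with the path hits.
SUSPICIOUS_DLL_RE = re.compile(r"^App_Web_cn[^\\/]*\.dll$", re.IGNORECASE)


def parse_iis_w3c(lines):
    """Yield one dict per request, using the #Fields: header as the schema."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than abort the whole scan
        yield dict(zip(fields, values))


def find_suspicious_requests(lines):
    """Return (date, time, client ip, uri, status) for hits on the loader paths."""
    hits = []
    for rec in parse_iis_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        if SUSPICIOUS_PATH_RE.search(uri):
            hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"),
                         uri, rec.get("sc-status")))
    return hits


def find_suspicious_assemblies(names):
    """Filter a listing of compiled assembly file names down to App_Web_cn*.dll."""
    return [n for n in names if SUSPICIOUS_DLL_RE.match(n)]


# Constructed sample log: two benign Exchange requests and two loader-path requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-01 08:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2025-07-01 08:16:40 10.0.0.5 POST /auth/lang/cn01.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-01 08:17:01 10.0.0.5 GET /auth/lang/zh.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-01 08:18:13 10.0.0.5 GET /ecp/default.aspx - 443 - 10.0.0.22 Mozilla/5.0 200"""
# Constructed sample assembly listing (e.g. from the Temporary ASP.NET Files tree).
SAMPLE_DLLS = ["App_Web_cn1a2b3c.dll", "App_Web_owa_abc.dll", "Microsoft.Exchange.Data.dll"]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print("suspicious request:", hit)
    print("suspicious assemblies:", find_suspicious_assemblies(SAMPLE_DLLS))
```

A path hit from an external client and a matching App_Web_cn*.dll on disk together are a much stronger indicator than either alone.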
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Jul 2025 08:35:12 +0000