Previously unknown NightEagle APT targets China's high-tech sector


Chinese cybersecurity company QiAnXin claims to have uncovered a previously unknown cyber-espionage group allegedly operating from North America and targeting China’s high-tech industries. The group, dubbed NightEagle (also tracked as APT-Q-95 and APT-C-78), is described as well-funded, highly stealthy and technically advanced.

According to a detailed technical report from QiAnXin’s PanGu and RedDrip teams, NightEagle has been active since at least 2023 and focuses on infiltrating China’s chipmakers, quantum tech firms, AI companies, and the military-industrial sector. The group is believed to use a suspected Microsoft Exchange zero-day exploit to gain covert access to target systems.

Once inside, NightEagle deploys a customized version of the open-source Chisel tunneling tool and leverages a rotating infrastructure of command-and-control (C2) servers. The servers remain inactive 99% of the time, the researchers said, with DNS records pointing to dead-end IPs such as 127.0.0.1 or 0.0.0.0, becoming live only during attacker activity windows.

The group operates on a strict schedule, launching attacks exclusively between 9:00 PM and 6:00 AM Beijing time. This and the targeted entities led researchers to believe the operators are likely based on the US West Coast, aligning with daytime working hours there.
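The two infrastructure traits described above (DNS records parked on 127.0.0.1 or 0.0.0.0 that flip to a routable address only during activity windows, and activity clustered between 21:00 and 06:00 Beijing time) lend themselves to a simple passive-DNS hunting heuristic. The following is an added example written for this page, not code from QiAnXin's report or from the NightEagle tooling; the domain names, IP addresses and timestamps in `SAMPLE_PDNS` are constructed placeholders, and the field layout of the log lines is an assumption.

```python
"""Defender-side heuristic: flag domains whose passive-DNS history alternates
between 'dead-end' answers (loopback / unspecified) and routable answers, and
note whether each routable activation falls in the 21:00-06:00 Beijing window.
Added example for this page; not code from the original report."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

BEIJING = timezone(timedelta(hours=8))
WINDOW_START_HOUR, WINDOW_END_HOUR = 21, 6  # Beijing local time, crosses midnight

# Constructed passive-DNS observations: "<UTC ISO-8601 ts> <domain> <rtype> <rdata>".
# Domains are placeholders (.invalid TLD), IPs are RFC 5737 documentation ranges.
SAMPLE_PDNS = """\
2025-06-30T02:10:00Z example-c2.invalid A 127.0.0.1
2025-06-30T14:05:00Z example-c2.invalid A 0.0.0.0
2025-06-30T15:12:00Z example-c2.invalid A 203.0.113.7
2025-06-30T19:30:00Z example-c2.invalid A 127.0.0.1
2025-06-30T10:00:00Z cdn.example.invalid A 198.51.100.9
2025-06-30T16:00:00Z cdn.example.invalid A 198.51.100.10
"""


def parse_pdns(text):
    """Yield (timestamp, domain, ip) for each A-record line in the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, rtype, rdata = line.split()
        if rtype != "A":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield when, domain, ipaddress.ip_address(rdata)


def is_parked(ip):
    """Loopback (127.0.0.0/8) and unspecified (0.0.0.0) answers are the dead-end
    values the report describes for dormant C2 domains."""
    return ip.is_loopback or ip.is_unspecified


def in_attack_window(ts_utc):
    """True if the UTC timestamp lands between 21:00 and 06:00 Beijing time."""
    hour = ts_utc.astimezone(BEIJING).hour
    return hour >= WINDOW_START_HOUR or hour < WINDOW_END_HOUR


def find_dormant_c2(text):
    """Return {domain: [activation, ...]} for domains that have both parked and
    routable answers in their history. Each activation records the routable IP,
    the UTC timestamp and whether it fell inside the Beijing night window."""
    history = defaultdict(list)
    for ts, domain, ip in parse_pdns(text):
        history[domain].append((ts, ip))

    findings = {}
    for domain, observations in history.items():
        observations.sort(key=lambda o: o[0])
        ever_parked = any(is_parked(ip) for _, ip in observations)
        activations = [
            {"ts": ts.isoformat(), "ip": str(ip), "in_window": in_attack_window(ts)}
            for ts, ip in observations
            if not is_parked(ip)
        ]
        # A domain that is only ever routable (normal CDN churn) is not flagged.
        if ever_parked and activations:
            findings[domain] = activations
    return findings


if __name__ == "__main__":
    for domain, acts in find_dormant_c2(SAMPLE_PDNS).items():
        print(domain)
        for act in acts:
            print(f"  live at {act['ts']} -> {act['ip']} (night window: {act['in_window']})")
```

The heuristic on its own will also catch benign domains that are intentionally parked and later reactivated, so in practice the flagged list is a hunting lead to correlate with Exchange and proxy logs, not an alert by itself. Running the block prints the one constructed domain that toggles from parked to routable, with its single activation inside the night window.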

The group also uses fileless in-memory implants to extract emails from Exchange servers and exfiltrate sensitive data from source code repositories and backup systems.
