North American APT Uses Exchange Zero-Day to Attack China - Dark Reading
Stories about Chinese APTs attacking the US and Canada are plentiful. In a turnabout, researchers found what they believe is a North American entity attacking a Chinese entity, thanks to a mysterious issue in Microsoft Exchange.
Nate Nelson, Contributing Writer
July 9, 2025
3 Min Read
A Western advanced persistent threat (APT) has been exploiting an unknown zero-day in Microsoft Exchange to steal high-value intelligence from China's military and major technology industries.
At last week's National Cyber Defence and Security Exhibition and Conference (CYDES) in Malaysia, researchers from Qianxin Technology's RedDrip Team detailed a longstanding espionage attack by a previously unknown threat actor they've named "NightEagle Group," or APT-Q-95. The threat actor, they report, has a history of breaching Microsoft accounts to spy on Chinese organizations of interest to the US: chip manufacturers, companies specializing in artificial intelligence (AI) and quantum technologies, defense contractors, and more.
In this case, over the course of a year, NightEagle appears to have exploited a mysterious bug in Microsoft Exchange to siphon off "all key target emails" from an undisclosed organization, according to RedDrip's description.
Exploiting MS Exchange to Steal Chinese Intel
The campaign was unraveled when Qianxin's network detection and response program identified an abnormal Domain Name System (DNS) request to the domain "synologyupdates.com." Synology is a Taiwanese manufacturer of network-attached storage (NAS) appliances, but it does not count "synologyupdates" among its registered domains.
The old software-update ruse concealed NightEagle's malware: a custom variant of the legitimate open source software (OSS) tool "Chisel." Chisel is a program for creating encrypted tunnels between two computers, even through firewalls, which makes it useful for network penetration. NightEagle ran its Golang-based Chisel offshoot as a scheduled task on its target's system, creating a secure tunnel to its command-and-control (C2) infrastructure.
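The detection that exposed the campaign, a DNS query to a domain that borrows a trusted vendor's name but is not one the vendor owns, can be reproduced as a simple log check. The following is an added example, not Qianxin's or Dark Reading's code; the log line format, the client addresses and the per-vendor allowlist of legitimate domains are all constructed for the example and would need to come from the organization's own DNS logs and an authoritative vendor list.

```python
"""Flag DNS queries for vendor-lookalike domains (e.g. "synologyupdates.com")."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist: brand keyword -> domains the vendor is taken to own.
# Constructed for this example; replace with a verified list in practice.
VENDOR_DOMAINS = {
    "synology": {"synology.com", "synology.cn", "quickconnect.to"},
    "microsoft": {"microsoft.com", "windowsupdate.com", "office.com"},
}

# Constructed log format: "<timestamp> <client-ip> <query-name> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)$")


@dataclass
class Finding:
    client: str
    qname: str
    brand: str


def registered_domain(qname: str) -> str:
    """Last two labels of the name (no public-suffix list; a simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def lookalike_brand(qname: str) -> Optional[str]:
    """Return the brand a domain imitates, or None if it is legitimate/unrelated."""
    reg = registered_domain(qname)
    for brand, legit in VENDOR_DOMAINS.items():
        if brand in reg and reg not in legit:   # brand name present, domain not owned
            return brand
    return None


def scan_dns_log(lines: List[str]) -> List[Finding]:
    """Parse each log line and collect queries to vendor-lookalike domains."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                              # skip malformed lines
        _ts, client, qname, _qtype = m.groups()
        brand = lookalike_brand(qname)
        if brand:
            findings.append(Finding(client, qname.rstrip(".").lower(), brand))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2025-06-01T09:12:03Z 10.0.0.15 update.synology.com A",
    "2025-06-01T09:12:04Z 10.0.0.15 synologyupdates.com A",
    "2025-06-01T09:13:10Z 10.0.0.22 www.microsoft.com A",
    "2025-06-01T09:14:00Z 10.0.0.22 microsoft-update-cdn.net A",
    "2025-06-01T09:15:00Z 10.0.0.31 example.org A",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.client} queried {f.qname} (lookalike of {f.brand})")
```

A real deployment would also want a public-suffix-aware registered-domain function and a check on newly registered or low-prevalence domains, since a bare keyword match like this one produces false positives on unrelated names that happen to contain a brand string.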
Through means unknown, the attacker used this tunnel to interact with and ultimately steal the "machineKey" from its target's Exchange email server. Stored in the server's configuration file, the machineKey is used to encrypt and validate highly sensitive data such as authentication cookies and session tokens. NightEagle used this crucial piece of the puzzle to get the server to run its malicious code. At that point, it could remotely read email data from anyone in the organization.
Asked about a potential Exchange vulnerability, a spokesperson for Microsoft told Dark Reading that "[we] reviewed this report and have not identified any new actionable vulnerabilities to date," but added that "our investigation is ongoing."
US Offensive Cyber Operations
America's free media landscape, its thriving cybersecurity industry — which naturally serves more Western customers, affecting its visibility elsewhere — plus time zone conveniences, restrictive Chinese Communist Party (CCP) policies, and innumerable other factors all combine to fill the Internet with stories of Chinese threat actors targeting the West, and few telling the opposite narrative.
This doesn't necessarily reflect the true balance of cyberattacks coming from each side of the world. RedDrip's researchers, with visibility into Chinese networks, found that their threat actor of interest consistently kept hours consistent with a typical 9 a.m. to 6 p.m. workday in the US Pacific time zone. They therefore located the threat actor on North America's West Coast, but stopped short of identifying it as either American or Canadian.
It shouldn't be a shock, says Bambenek Consulting president John Bambenek, because "we have agencies whose stated missions are exactly this. Generally, the US intelligence community focuses on traditional espionage in support of national security objectives. The NSA and US Cyber Command are the larger players in these types of activities, but offensive cyber capability is present in every member agency of the US intelligence community."
That the US performs offensive cyber operations, and that it would target China's semiconductor, AI, and defense industries is predictable enough. More controversial is the overlap between its threat actors and its technology sector. Though the US government does not enjoy China's legal carte blanche to plant backdoors in technology developed within its borders, it has in the past tried influencing domestic companies to play ball, with varying degrees of success.
Reflecting on the position of Microsoft in this story, Bambenek assesses, "It's unlikely that Silicon Valley would undermine its own products, or intentionally overlook a vulnerability, in support of the US for the simple reason that every use of a zero-day increases the possibility that it is discovered, reverse engineered, and then used by other entities."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.