1. NightEagle APT Exploits Zero-Day in Microsoft Exchange to Target Chinese Defense and Tech Sectors
Overview
A new advanced persistent threat group, dubbed NightEagle (also tracked as APT-Q-95), has been linked to a string of attacks targeting Microsoft Exchange servers.
The group is said to have been active since 2023 and recently came under the spotlight at CYDES 2025, Malaysia’s national cybersecurity conference.
Experts have revealed that NightEagle uses a previously undocumented zero-day exploit chain and targets high-value sectors in China, including military, AI, semiconductor and quantum technology organizations.
The group has been observed rotating its network infrastructure rapidly and operating primarily at night, which suggests an emphasis on stealth and evasion.
Impact
NightEagle’s intrusion begins with a modified version of Chisel, a Go-based open source tunneling tool. The attackers customized its source code and hard-coded its parameters so that it launches automatically on a schedule every four hours. This modified Chisel establishes a SOCKS proxy to communicate with a remote C2 server over port 443.
The NightEagle malware is delivered via a .NET loader embedded into IIS on the Exchange servers. The loader exploits a zero-day to extract the machineKey, which is then abused for unauthorized deserialization; this is what enabled Trojan deployment and remote mailbox access. All targeted servers ran compliant Exchange versions, which allowed the attack to scale broadly. The attacker is suspected to be North America-based.
Recommendation
Organizations that use Microsoft Exchange should:
- Apply all available Exchange Server patches immediately.
- Check for signs of .NET loaders and IIS service tampering.
- Check for unusual outbound connections over port 443.
- Harden Exchange servers.
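As an added example (not from the original post or from the researchers who reported NightEagle), the following Python script hunts for the behaviour described above, a tunnel that reconnects to its C2 over port 443 on a fixed four-hour schedule, by measuring how regular the gaps between a host's outbound 443 connections are. The log format, IP addresses and jitter threshold are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log for this example: "<ISO timestamp> <src> <dst> <dst_port>".
# 10.0.0.5 -> 203.0.113.9 repeats almost exactly every four hours (tunnel-like);
# 10.0.0.7 -> 198.51.100.4 is irregular (user-driven); the port 25 line is ignored.
SAMPLE_LOG = """\
2025-06-01T00:02:11 10.0.0.5 203.0.113.9 443
2025-06-01T04:02:13 10.0.0.5 203.0.113.9 443
2025-06-01T08:02:10 10.0.0.5 203.0.113.9 443
2025-06-01T12:02:12 10.0.0.5 203.0.113.9 443
2025-06-01T16:02:11 10.0.0.5 203.0.113.9 443
2025-06-01T01:15:00 10.0.0.7 198.51.100.4 443
2025-06-01T03:40:20 10.0.0.7 198.51.100.4 443
2025-06-01T09:05:45 10.0.0.7 198.51.100.4 443
2025-06-01T15:30:10 10.0.0.7 198.51.100.4 443
2025-06-01T02:00:00 10.0.0.5 198.51.100.8 25
"""

def parse_log(text):
    """Group connection timestamps by (src, dst), keeping only port 443."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        if port == "443":
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_hits=4, max_jitter=0.05):
    """Return [((src, dst), period_hours)] for flows with near-constant gaps.

    max_jitter bounds the coefficient of variation (stddev / mean) of the
    gaps between connections; a scheduled tunnel sits near zero, while
    interactive traffic to the same host varies far more.
    """
    beacons = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg / 3600, 2)))
    return beacons

if __name__ == "__main__":
    for (src, dst), hours in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:443 connects every ~{hours} h; inspect this host")
```

A flagged pair is a lead, not a verdict: confirm on the host which process owns the connection and whether a scheduled task or service launches it.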

2. Google Faces $314M Penalty Over Unauthorized Use of Android Users’ Mobile Data
Overview
A California jury has ordered Google to pay $314 million in damages for secretly consuming users’ mobile data without permission. It is a landmark judgment: the class-action lawsuit, initially filed in August 2019, accused Google of using Android devices to quietly send data back to its servers even when the phones were idle.
The plaintiffs claimed that Android’s design allowed it to send background information over mobile data rather than waiting for Wi-Fi. Despite having the technical ability to delay such transfers, Google chose not to, which resulted in hidden costs for users.
Impact
The court found that Android devices sent hundreds of data packets to Google each day, even when the phones were idle. A Samsung Galaxy S series phone sent 8.88 MB/day, 94% of which went to Google. The data included logs, app lists and network states that could easily have waited for Wi-Fi.
A 2018 test also showed that Chrome on a dormant Android phone made 900 transfers a day, far more than Safari on an iPhone. The jury ruled that Google unfairly used users’ mobile data without notice. Google plans to appeal, claiming that transfers supporting performance, security and similar functions are covered by user consent.
Recommendation
Users and administrators should:
- Monitor mobile data usage closely;
- Review app permissions, background data settings;
- Consider limiting background processes.

3. Widespread Android Threat Campaigns: Ad Fraud, NFC Exploits, and SMS Stealers on the Rise
Overview
A complex web of mobile security threats targeting Android devices has recently been exposed, ranging from large-scale ad fraud rings to sophisticated financial malware. These campaigns exploit users at scale, especially in regions with high Android adoption.
Researchers from HUMAN, ESET, IAS Threat Lab, Kaspersky and other labs have uncovered multiple active threat operations, including the IconAds and Kaleidoscope ad fraud schemes, an SMS stealer named Qwizzserial, and a set of advanced malware tools that abuse NFC functionality for financial crime.
These threats are evolving fast. They evade app store protections and capitalize on user trust in official-looking apps and platforms such as Telegram and WhatsApp.
Impact
Android Threat Roundup:
IconAds: 352 hidden apps blasted full-screen ads, peaking at 1.2B daily bids. The threat has been removed, but the tactics persist.
Kaleidoscope fraud: clean apps on the Play Store, ad-filled clones elsewhere, linked to Saturn Dynamic.
NFC malware: NGate and Ghost Tap exploit NFC for card fraud via Google Pay and Apple Pay.
Qwizzserial: SMS stealer spread via Telegram; it hit 100K devices and stole $62K in Uzbekistan.
New spyware: fake invites, TikTok clones, SparkKitty and others steal wallet phrases from screenshots.
Recommendation
For Enterprises and Security Teams:
- Immediately audit Android device usage in your organization, especially BYOD devices.
- Block sideloading of apps and restrict access to third-party app stores.
- Use MDM/endpoint protection to detect behavior such as hidden apps, background ad services and persistent activity-alias techniques.
- Monitor for app impersonation, especially clones of your corporate or public apps.

4. Rogue Firefox Extensions Discovered Targeting Crypto Wallets
Overview
Security researchers have identified a widespread malicious campaign involving more than 40 Firefox browser extensions created to steal cryptocurrency wallet credentials directly from users’ browsers.
Most of the rogue extensions impersonate trusted crypto wallets, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet and Filfox.
The campaign has been active since April 2025, and some of these malicious add-ons were still being published on the official Firefox Add-ons store.
Impact
The fake crypto wallet extensions mimicked trusted brands: the attackers cloned open source wallet tools and injected code to steal seed phrases and IP addresses. They used fake reviews to boost trust, which made detection difficult. A Russian-speaking group is suspected. Mozilla has removed most of the extensions, except one tied to MyMonero.
Recommendation
- Remove unverified crypto wallet extensions in Firefox.
- Don’t rely on ratings alone; verify publishers, user counts and similar signals.
- Watch for odd behavior after installation.
- Use browser hardening. Manage extensions centrally.
- If affected, rotate wallet keys.

Windows Management Experts
Contact us: Sales@winmgmtexperts.com