A sophisticated cyberespionage campaign, known as PassiveNeuron, has re-emerged, targeting government, financial, and industrial organizations across Asia, Africa, and Latin America. Initially detected in 2024, the campaign resurfaced in December 2024, with the most recent infections observed as of August 2025.
PassiveNeuron employs previously unknown advanced persistent threat (APT) implants named Neursite and NeuralExecutor, alongside the Cobalt Strike framework, to compromise Windows Server machines. The attackers primarily exploit Microsoft SQL servers to gain initial remote command execution on target systems. By leveraging SQL vulnerabilities, injection flaws, or compromised database credentials, they attempt to deploy ASPX web shells for sustained access.
However, deploying these web shells has proven challenging due to security solutions frequently blocking their attempts. In response, attackers have adapted by using Base64 and hexadecimal encoding, switching between PowerShell and VBS scripts, and writing payloads line-by-line to evade detection.
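The behaviours described in the two paragraphs above (a database server process spawning a script host, Base64 or hex-encoded payloads, and web-shell content written to disk one line at a time) are all visible in process-creation telemetry. The following is an added example, not code from the original report or from the researchers, that triages Sysmon-style process-creation events for those signals. The event format (`key="value"` pairs with `ParentImage`, `Image` and `CommandLine` fields), the installation paths and the sample events are all constructed for the example; the field names follow Sysmon Event ID 1 but the log lines are synthetic.

```python
import base64
import ntpath
import re
from typing import Optional

# Constructed sample paths (typical defaults, not taken from the report).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Script hosts the report names (PowerShell, VBS) plus the shells that launch them.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe"}
# PowerShell's -EncodedCommand and its abbreviations, followed by a Base64 argument.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# A run of at least 48 hex digits that is not part of a longer token.
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){24,}(?![0-9A-Fa-f])")
# Shell append-redirect into a server-side web script: the line-by-line write pattern.
APPEND_WEB = re.compile(r">>\s*\S+\.(?:aspx|asp|ashx|asmx)\b", re.I)
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Split a key="value" event line into a dict (assumed log format)."""
    return dict(FIELD.findall(line))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE under Base64), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_event(evt: dict) -> list:
    """Return the reasons a process-creation event matches the activity above."""
    reasons = []
    parent = ntpath.basename(evt.get("ParentImage", "")).lower()
    image = ntpath.basename(evt.get("Image", "")).lower()
    cmd = evt.get("CommandLine", "")
    if parent == "sqlservr.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"{image} spawned by the SQL Server process")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append(f"Base64-encoded PowerShell command: {decoded[:60]!r}")
    if HEX_BLOB.search(cmd):
        reasons.append("long hex blob in command line")
    if APPEND_WEB.search(cmd):
        reasons.append("append-redirect into a web script file (line-by-line write)")
    return reasons


def triage(lines: list) -> list:
    """Return (command line, reasons) for every event that raises at least one reason."""
    flagged = []
    for line in lines:
        evt = parse_event(line)
        reasons = assess_event(evt)
        if reasons:
            flagged.append((evt.get("CommandLine", ""), reasons))
    return flagged


def _event(parent: str, image: str, cmdline: str) -> str:
    return f'EventID="1" ParentImage="{parent}" Image="{image}" CommandLine="{cmdline}"'


# Constructed sample events: one benign baseline and three matching the described tradecraft.
_ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    _event(EXPLORER, POWERSHELL, "powershell.exe Get-Date"),
    _event(SQLSERVR, POWERSHELL, f"powershell.exe -nop -w hidden -enc {_ENC}"),
    _event(SQLSERVR, CMD, r"cmd.exe /c echo constructed-line >> C:\inetpub\wwwroot\s.aspx"),
    _event(SQLSERVR, CSCRIPT, "cscript.exe //nologo C:\\Windows\\Temp\\d.vbs " + "4d5a90" * 10),
]

if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline[:70], "->", "; ".join(reasons))
```

The parent/child pairing alone is the strongest signal: a database engine has few legitimate reasons to launch a script host, so alerting on that pair catches the initial access step regardless of how the payload is encoded. The encoding checks are there to surface what was run once the pair fires.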
Researchers have identified that the campaign employs a sophisticated multi-stage infection chain, with malicious implants loaded through DLL loaders. The first-stage loaders are strategically placed in the System32 directory with names like wlbsctrl.dll, TSMSISrv.dll, and oci.dll, exploiting the Phantom DLL Hijacking technique to achieve automatic persistence upon startup.
These DLLs are artificially inflated to exceed 100 MB by adding junk overlay bytes, making them difficult for security solutions to detect. The loaders incorporate advanced anti-analysis mechanisms, including MAC address validation to ensure execution only on intended victim machines.
The first-stage loader iterates through installed network adapters, calculating a 32-bit hash of each MAC address and comparing it against hardcoded configuration values. If no match is found, the loader exits immediately, preventing execution in sandbox environments and confirming the highly targeted nature of this campaign.
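Two of the loader traits above translate directly into a file-system hunt: a DLL under System32 carrying one of the phantom-hijack names, and a file whose size comes mostly from an overlay (bytes after the last PE section, which is where junk padding lands when a sample is inflated past 100 MB). The following is an added example, not code from the report or the researchers, that computes overlay size from the PE section table without any third-party library and scores files on both traits. The size and overlay thresholds are assumptions chosen for the example; the report only states that the loaders exceed 100 MB. `build_sample` constructs a minimal, non-executable PE image purely so the checks can be exercised offline.

```python
import os
import struct
from dataclasses import dataclass

# DLL names the report places in System32 for phantom DLL hijacking.
SUSPECT_NAMES = {"wlbsctrl.dll", "tsmsisrv.dll", "oci.dll"}
# Thresholds are assumptions for this example, not figures from the report.
SIZE_THRESHOLD = 100 * 1024 * 1024      # the report's ">100 MB" figure
OVERLAY_THRESHOLD = 50 * 1024 * 1024    # far more overlay than any legitimate system DLL carries


@dataclass
class PeSummary:
    file_size: int
    image_end: int       # offset just past the last section's raw data on disk
    overlay_size: int    # bytes after image_end that no section accounts for


def parse_pe(data: bytes) -> PeSummary:
    """Read only the PE header fields needed to compute the overlay size."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    sections = coff + 20 + size_opt           # first IMAGE_SECTION_HEADER
    image_end = sections + 40 * num_sections  # at least the header itself
    for i in range(num_sections):
        hdr = sections + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        if size_raw:
            image_end = max(image_end, ptr_raw + size_raw)
    if image_end > len(data):
        raise ValueError("section table points past end of file")
    return PeSummary(len(data), image_end, len(data) - image_end)


def assess(name: str, data: bytes) -> list:
    """Return the reasons a file looks like an inflated first-stage loader."""
    reasons = []
    if name.lower() in SUSPECT_NAMES:
        reasons.append("phantom-hijack DLL name")
    try:
        pe = parse_pe(data)
    except ValueError:
        return reasons                        # not a PE file; only the name check applies
    if pe.file_size > SIZE_THRESHOLD:
        reasons.append(f"file size {pe.file_size} exceeds {SIZE_THRESHOLD}")
    if pe.overlay_size > OVERLAY_THRESHOLD:
        reasons.append(f"overlay of {pe.overlay_size} bytes beyond last section")
    return reasons


def scan_directory(path: str) -> dict:
    """Apply assess() to every .dll under path; only flagged files are returned."""
    hits = {}
    for root, _, files in os.walk(path):
        for f in files:
            if not f.lower().endswith(".dll"):
                continue
            full = os.path.join(root, f)
            with open(full, "rb") as fh:
                reasons = assess(f, fh.read())
            if reasons:
                hits[full] = reasons
    return hits


def build_sample(overlay_bytes: int) -> bytes:
    """Construct a minimal PE32+ image with one section and the requested overlay (test data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240                            # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (size_opt - 2)
    raw_ptr, raw_size = 0x400, 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (raw_ptr - len(headers))
    return headers + b"\xC3" * raw_size + b"\0" * overlay_bytes


if __name__ == "__main__":
    print("clean   :", assess("oci.dll", build_sample(0)))
    print("inflated:", assess("oci.dll", build_sample(OVERLAY_THRESHOLD + 1)))
```

Overlay size is a better discriminator than raw file size: a legitimately large DLL has its bytes inside sections, whereas padding appended to defeat scan-size limits sits after the last section and is invisible to the loader. Running `scan_directory` against a System32 copy on a clean reference build gives the baseline to diff against.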
Multi-Stage Payload Delivery
The PassiveNeuron infection chain follows a complex four-stage loading process. After the first-stage loader validates the target machine, it loads a second-stage DLL, itself exceeding 60 MB, from disk.
This second-stage loader reads a text file containing the third-stage loader as Base64-encoded, AES-encrypted data. The third-stage payload launches a fourth-stage shellcode loader inside a legitimate process such as WmiPrvSE.exe or msiexec.exe, which it creates in suspended mode.
The Neursite backdoor represents the most potent final-stage implant, featuring modular capabilities for system reconnaissance, process management, lateral movement, and file operations.
Attribution analysis points toward Chinese-speaking threat actors, supported by the use of GitHub repositories as dead drop resolvers and by tactics associated with the APT31, APT27, and potentially APT41 groups.