Unveiling PassiveNeuron: A Sophisticated Cyber Espionage Campaign Targeting Global Organizations

In a recent disclosure, cybersecurity experts have identified a sophisticated cyber espionage campaign named PassiveNeuron, which has been actively targeting government, financial, and industrial organizations across Asia, Africa, and Latin America. This campaign, first observed by Kaspersky in November 2024, employs advanced malware families known as Neursite and NeuralExecutor to infiltrate and exploit vulnerable systems.

Initial Discovery and Tactics

The PassiveNeuron campaign came to light when Kaspersky detected a series of attacks in June 2024 aimed at government entities in Latin America and East Asia. These attacks utilized previously unseen malware, indicating a high level of sophistication. The threat actors behind PassiveNeuron demonstrated advanced capabilities by leveraging already compromised internal servers as intermediate command-and-control (C2) infrastructures. This strategy allowed them to evade detection and maintain persistent access within the targeted networks.

One of the notable tactics employed by PassiveNeuron is its ability to move laterally through an organization’s infrastructure. The attackers can exfiltrate data and create virtual networks, enabling them to steal files even from machines that are isolated from the internet. This adaptability is facilitated by a plugin-based approach, allowing the attackers to dynamically adjust their methods based on the specific environment they infiltrate.

Continued Activity and Attribution

Following the initial discovery, Kaspersky observed a resurgence of PassiveNeuron infections from December 2024 through August 2025. Despite extensive analysis, the campaign remains unattributed, though certain indicators suggest the involvement of Chinese-speaking threat actors. The lack of definitive attribution underscores the challenges in identifying and mitigating threats posed by advanced persistent threats (APTs).

Infection Vectors and Malware Deployment

In at least one documented incident, the attackers gained initial remote command execution on a compromised Windows Server machine through Microsoft SQL Server. The exact method of exploitation remains unclear, but possibilities include brute-forcing administrative account passwords, exploiting SQL injection vulnerabilities in applications running on the server, or leveraging unknown vulnerabilities within the server software itself.

Once access was established, the attackers attempted to deploy an ASPX web shell to execute commands remotely. When this approach failed, they escalated their efforts by delivering advanced implants via DLL loaders placed in the System32 directory. The primary tools used in this phase include:

– Neursite: A custom C++ modular backdoor designed for persistent access and control.

– NeuralExecutor: A bespoke .NET implant capable of downloading and executing additional .NET payloads over various protocols, including TCP, HTTP/HTTPS, named pipes, or WebSockets.

– Cobalt Strike: A legitimate adversary simulation tool repurposed by attackers for malicious activities.

Capabilities of Neursite and NeuralExecutor

Neursite carries an embedded configuration and connects to its C2 server over one of several communication protocols, including TCP, SSL, HTTP, and HTTPS. Its core functionalities include gathering system information, managing running processes, and proxying traffic through other infected machines to facilitate lateral movement within the network. Additionally, Neursite can fetch auxiliary plugins to execute shell commands, manage the file system, and perform TCP socket operations, enhancing its versatility and effectiveness.

NeuralExecutor has evolved over time. Variants identified in 2024 were configured to retrieve C2 server addresses directly from their configuration files. However, more recent versions discovered in 2025 utilize GitHub repositories to obtain C2 server addresses. This method effectively turns the legitimate code hosting platform into a dead drop resolver, complicating detection and mitigation efforts.
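The infection chain described above (command execution via SQL Server, an ASPX web shell, DLL loaders dropped into System32) and the GitHub dead drop resolver used by the 2025 NeuralExecutor variants each leave telemetry a defender can alert on. The following is an added example, not code from Kaspersky or from the report, that runs three such detections over a handful of constructed Sysmon-style events. The event records, file names, the trusted-installer and allowed-client lists, and the choice of w3wp.exe as the IIS worker that would host an ASPX web shell are all assumptions for illustration and should be tuned to the environment.

```python
"""Detection pass for PassiveNeuron-style server intrusion telemetry.

Added example; all events below are constructed, not real logs.
Field names mimic Sysmon: EventID 1 = process create, 11 = file create,
22 = DNS query.
"""
import ntpath
from dataclasses import dataclass

# Rule parameters (assumptions; adjust per environment).
DB_AND_WEB_PARENTS = {"sqlservr.exe", "w3wp.exe"}   # SQL Server service, IIS worker
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM32 = r"c:\windows\system32"
TRUSTED_INSTALLERS = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe"}
CODE_HOSTING_DOMAINS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
ALLOWED_CODE_HOSTING_CLIENTS = {"git.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed sample events (placeholder paths and names, not campaign IoCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\PLACEHOLDER_loader.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\PLACEHOLDER_update.dll"},
    {"EventID": 22, "Image": r"C:\Windows\Temp\PLACEHOLDER_updater.exe",
     "QueryName": "raw.githubusercontent.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "QueryName": "github.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _name(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_shell_from_service(ev):
    """SQL Server or the IIS worker spawning a shell: the remote command
    execution / web shell stage of the chain."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
    if parent in DB_AND_WEB_PARENTS and child in SHELLS:
        return Finding("shell_spawned_by_sql_or_iis", ev["Image"],
                       f"parent={parent} cmd={ev.get('CommandLine', '')}")
    return None


def detect_dll_drop_in_system32(ev):
    """A DLL written directly into System32 by anything other than a
    trusted installer: the loader-deployment stage."""
    if ev.get("EventID") != 11:
        return None
    target = ev["TargetFilename"]
    in_system32 = ntpath.dirname(target).lower() == SYSTEM32   # exact directory only
    if in_system32 and target.lower().endswith(".dll") \
            and _name(ev["Image"]) not in TRUSTED_INSTALLERS:
        return Finding("dll_written_to_system32", ev["Image"], f"file={target}")
    return None


def detect_code_hosting_dead_drop(ev):
    """A non-browser, non-git process on a server resolving a code-hosting
    domain: consistent with a GitHub dead drop resolver."""
    if ev.get("EventID") != 22:
        return None
    domain = ev["QueryName"].lower()
    if domain in CODE_HOSTING_DOMAINS and _name(ev["Image"]) not in ALLOWED_CODE_HOSTING_CLIENTS:
        return Finding("code_hosting_lookup_from_server_process", ev["Image"],
                       f"domain={domain}")
    return None


RULES = (detect_shell_from_service, detect_dll_drop_in_system32, detect_code_hosting_dead_drop)


def run_detections(events):
    """Apply every rule to every event; return the list of findings in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

On the constructed input the pass yields four findings: the two shells spawned under sqlservr.exe and w3wp.exe, the DLL written into System32 by cmd.exe, and the GitHub lookup from the unknown executable in C:\Windows\Temp; the DLL written by msiexec.exe and the browser's GitHub lookup are suppressed by the allow-lists. In practice the third rule is the noisiest, so it is best scoped to servers that have no business reason to reach code-hosting platforms.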

Targeting Server Machines

A distinguishing characteristic of the PassiveNeuron campaign is its focus on server machines, particularly those exposed to the internet. These servers are attractive targets for APT groups because they can serve as entry points into target organizations. By compromising these servers, attackers can establish a foothold, move laterally within the network, and exfiltrate sensitive data.

Implications and Recommendations

The PassiveNeuron campaign underscores the evolving nature of cyber threats and the increasing sophistication of APT groups. Organizations, especially those in government, financial, and industrial sectors, must remain vigilant and adopt comprehensive cybersecurity measures to defend against such advanced threats.

Recommendations include:

1. Regular Security Audits: Conduct thorough and regular audits of network infrastructure to identify and remediate vulnerabilities.

2. Strong Authentication Mechanisms: Implement robust authentication protocols, including multi-factor authentication, to prevent unauthorized access.

3. Network Segmentation: Divide networks into segments to limit lateral movement by attackers in case of a breach.

4. Continuous Monitoring: Deploy advanced monitoring tools to detect unusual activities and potential intrusions promptly.

5. Employee Training: Educate staff about phishing attacks and other common vectors used by threat actors to gain initial access.

By adopting these measures, organizations can enhance their resilience against sophisticated cyber espionage campaigns like PassiveNeuron.