Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky.
The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using never-before-seen malware families tracked as Neursite and NeuralExecutor.
It also described the operation as exhibiting a high level of sophistication, with the threat actors leveraging already compromised internal servers as an intermediate command-and-control (C2) infrastructure to fly under the radar.
“The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet,” Kaspersky noted at the time. “A plugin-based approach provides dynamic adaptation to the attacker’s needs.”
Since then, the company said it has observed a fresh wave of infections related to PassiveNeuron since December 2024 and continuing all the way through August 2025. The campaign remains unattributed at this stage, although some signs point to it being the work of Chinese-speaking threat actors.
In at least one incident, the adversary is said to have gained initial remote command execution capabilities on a compromised machine running Windows Server through Microsoft SQL. While the exact method by which this is achieved is not known, it’s possible that the attackers are either brute-forcing the administration account password, or leveraging an SQL injection flaw in an application running on the server, or an as-yet-undetermined vulnerability in the server software itself.
Regardless of the method used, the attackers attempted to deploy an ASPX web shell to gain basic command execution capabilities. Failing in these efforts, the intrusion witnessed the delivery of advanced implants via a series of DLL loaders placed in the System32 directory. These include –
- Neursite, a bespoke C++ modular backdoor
- NeuralExecutor, a bespoke .NET implant used for download additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets and execute them
- Cobalt Strike, a legitimate adversary simulation tool
Neursite utilizes an embedded configuration to connect to the C2 server and uses TCP, SSL, HTTP and HTTPS protocols for communications. By default, it supports the ability to gather system information, manage running processes, and proxy traffic through other machines infected with the backdoor to enable lateral movement.
The malware also comes fitted with a component to fetch auxiliary plugins to achieve shell command execution, file system management, and TCP socket operations.
Kaspersky also noted that NeuralExecutor variants spotted in 2024 were designed to retrieve the C2 server addresses straight from the configuration, whereas artifacts found this year reach out to a GitHub repository to obtain the C2 server address, effectively turning the legitimate code hosting platform into a dead drop resolver.
“The PassiveNeuron campaign has been distinctive in the way that it primarily targets server machines,” researchers Georgy Kucherin and Saurabh Sharma said. “These servers, especially the ones exposed to the internet, are usually lucrative targets for [advanced persistent threats], as they can serve as entry points into target organizations.”
