
PassiveNeuron Attacks Servers of Large Organizations in Multiple Countries

Researchers from Kaspersky Lab analyzed a new wave of PassiveNeuron infections that lasted from December 2024 to August 2025. The attacks affected government, financial, and industrial organizations in Asia, Africa, and Latin America. A distinctive feature of the campaign is that it targets primarily machines running Windows Server rather than workstations.

In particular, in one case the attackers gained remote command execution on a compromised server through Microsoft SQL Server.

The PassiveNeuron campaign was first discovered in June 2024. After a six-month lull, the attackers resumed their activity in December 2024. This time, to obtain and maintain access to target networks, they used three main tools: the Cobalt Strike framework and two previously unknown ones — the Neursite backdoor and the NeuralExecutor implant.

Neursite is a modular backdoor capable of collecting system information, managing running processes, and routing network traffic through compromised hosts to enable lateral movement across the network. Samples have been identified that communicate both with external command-and-control servers and with compromised internal systems.

In turn, NeuralExecutor is a customized .NET implant that supports multiple communication methods and can download and execute .NET assemblies received from a command-and-control server.

By studying the new campaign, the researchers were able to reconstruct the sequence of the initial compromise and form hypotheses about the attribution of these attacks.

For example, in the observed samples, function names were replaced with strings containing Cyrillic characters, which appear to have been intentionally introduced by the attackers.

Such artifacts must be weighed carefully during attribution, since attackers can plant them deliberately to mislead researchers. Based on the analysis of the tactics, techniques, and procedures of the PassiveNeuron campaign, the researchers currently attribute the activity to a Chinese-speaking group, albeit with low confidence.

“In the new PassiveNeuron campaign, the attackers focus on compromising servers, which often form the backbone of corporate networks. Such targets, especially those exposed to the internet, are of interest to groups conducting sophisticated targeted cyberattacks, since a single compromised host can provide access to critical systems. It is crucial to minimize the potential attack surface and continuously monitor server applications to detect and prevent potential infections,” comments Georgy Kucherin, Kaspersky GReAT expert.
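The article notes that in one case commands were executed on a server through Microsoft SQL Server, and the closing quote recommends reducing the attack surface and monitoring server applications. The T-SQL below is an added example written for this page; it is not code from Kaspersky's report or from the PassiveNeuron toolset. It assumes the usual SQL Server mechanism for running operating-system commands, the `xp_cmdshell` extended procedure (the article does not say which mechanism the attackers used), and shows how an administrator can inventory and disable the command-execution features, list who holds `sysadmin` (the only role that can call `xp_cmdshell` without a proxy), and set up an Extended Events session that records every attempt to invoke it. The session name `watch_cmdshell` and the file name `watch_cmdshell.xel` are arbitrary choices.

```sql
-- Added hardening and monitoring example for a Windows Server running SQL Server.
-- Not from the page or from Kaspersky; assumes xp_cmdshell as the OS command
-- execution path (the article only says "via Microsoft SQL Server").
-- Run as a member of the sysadmin role.

-- 1. Inventory the instance-level options that hand a SQL login OS-level
--    code execution. Advanced options must be visible to query/set them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

SELECT name,
       CAST(value_in_use AS int) AS value_in_use   -- 1 = enabled, 0 = disabled
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');

-- 2. Disable command execution unless a documented process depends on it.
--    Each of these is off by default on a fresh install; finding them on is
--    either a legacy decision or a sign that someone turned them on.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 3. Enumerate sysadmin members. xp_cmdshell runs as the SQL Server service
--    account for sysadmin callers, so every login here is effectively a local
--    administrator of the host whenever xp_cmdshell is enabled.
SELECT member.name      AS login_name,
       member.type_desc AS login_type,
       member.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS role_p
  ON role_p.principal_id = rm.role_principal_id
JOIN sys.server_principals AS member
  ON member.principal_id = rm.member_principal_id
WHERE role_p.name = 'sysadmin'
ORDER BY member.name;

-- 4. Make any future use (or re-enabling) of xp_cmdshell observable.
--    The session captures the batch text, the caller, and the client host
--    for every completed statement that mentions xp_cmdshell, including the
--    sp_configure call that would turn it back on.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = 'watch_cmdshell')
    DROP EVENT SESSION watch_cmdshell ON SERVER;

CREATE EVENT SESSION watch_cmdshell ON SERVER
ADD EVENT sqlserver.sql_statement_completed
(
    ACTION
    (
        sqlserver.client_hostname,
        sqlserver.client_app_name,
        sqlserver.server_principal_name,
        sqlserver.sql_text
    )
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
)
ADD TARGET package0.event_file
(
    SET filename = N'watch_cmdshell.xel',   -- assumed path; lands in the default LOG directory
        max_file_size = 50,                 -- MB per rollover file
        max_rollover_files = 4
)
WITH (STARTUP_STATE = ON);                  -- survive instance restarts

ALTER EVENT SESSION watch_cmdshell ON SERVER STATE = START;

-- 5. Review captured events. Each row is one attempt: who ran it, from where,
--    and the exact text, which is what an incident responder will ask for.
SELECT
    ev.value('(event/@timestamp)[1]', 'datetime2')                                     AS event_time,
    ev.value('(event/action[@name="server_principal_name"]/value)[1]', 'sysname')     AS login_name,
    ev.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(256)')     AS client_host,
    ev.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)')     AS client_app,
    ev.value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)')            AS statement_text
FROM sys.fn_xe_file_target_read_file('watch_cmdshell*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml)) AS x(ev)
ORDER BY event_time DESC;
```

Step 2 only closes the door on the built-in command path; a login that holds `sysadmin` can still enable it again, which is why step 3 reviews that role and step 4 records the enabling statement itself. On an internet-exposed server the same review should be repeated for the Windows service account the instance runs under, since that account's privileges are what `xp_cmdshell` inherits.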
