Researchers Uncover PassiveNeuron APT Using Neursite and NeuralExecutor Malware

Cybersecurity analysts at Kaspersky have identified a sophisticated cyber espionage operation called PassiveNeuron, targeting government, financial, and industrial sectors across Asia, Africa, and Latin America. The campaign uses two previously unseen malware families named Neursite and NeuralExecutor, indicating a well-organized threat group focused on stealthy, long-term access.

Discovery of PassiveNeuron Campaign

Kaspersky first detected traces of this operation in November 2024, during investigations into multiple intrusions against government entities in Latin America and East Asia. The attackers deployed custom malware families and used compromised internal servers as intermediate command-and-control (C2) nodes to evade detection.

According to researchers, this tactic allowed the attackers to move laterally across systems while maintaining persistence within the targeted networks.

“The threat actor can move laterally through infrastructure and exfiltrate data by creating virtual networks. These networks let attackers steal sensitive files even from systems isolated from the internet,” Kaspersky explained.

New Wave of Attacks (2024–2025)

Since December 2024, Kaspersky has tracked a renewed wave of infections associated with PassiveNeuron, continuing until August 2025. While attribution remains unconfirmed, technical clues suggest possible involvement of Chinese-speaking threat actors.

In one observed case, the attackers gained remote command execution on a Windows Server machine through Microsoft SQL. The initial compromise method is still unclear, though researchers suspect password brute-forcing, SQL injection, or an unknown vulnerability in the server application.

Intrusion Chain and Malware Deployment

Once inside, the adversaries attempted to upload an ASPX web shell to gain command-line access. When that failed, they deployed a series of DLL-based malware loaders within the System32 directory, enabling the installation of multiple implants such as:

  • Neursite: A custom-built C++ modular backdoor.
  • NeuralExecutor: A .NET-based implant capable of downloading and executing additional payloads through TCP, HTTP/HTTPS, named pipes, or WebSockets.
  • Cobalt Strike: A legitimate red-team tool often abused by threat actors.

Technical Breakdown of Neursite and NeuralExecutor

Neursite uses an embedded configuration to connect to its C2 infrastructure over TCP, SSL, HTTP, or HTTPS. It can collect system information, manage processes, proxy traffic for lateral movement, and download plugins that add capabilities such as:

  • Shell command execution
  • File system control
  • TCP socket operations

Meanwhile, NeuralExecutor has evolved over time. Early 2024 versions read their C2 server addresses directly from the embedded configuration. More recent samples instead retrieve updated C2 addresses from a GitHub repository, a stealthy technique known as a “dead drop resolver”.
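One way a defender can hunt for the dead-drop-resolver behaviour described above is to flag server-role hosts whose processes contact public code-hosting domains they have no business reason to reach. The script below is an added example, not code from Kaspersky's report; the event lines, the domain list and the process allow-list are all constructed assumptions to be tuned per environment.

```python
"""Heuristic detection for dead-drop-resolver style C2 address lookups.

Flags server-role hosts whose processes fetch from public code-hosting
domains (GitHub and friends). All event lines below are constructed samples
in a simple key=value format; real telemetry (EDR, proxy, DNS) would be
normalised into the same fields.
"""

# Domains commonly used as dead drops (assumption: extend per environment).
DEAD_DROP_DOMAINS = {
    "github.com",
    "raw.githubusercontent.com",
    "gist.github.com",
    "api.github.com",
}

# Processes with a legitimate reason to reach those hosts (assumption).
ALLOWED_PROCESSES = {"git.exe", "code.exe", "msedge.exe", "chrome.exe"}


def parse_event(line):
    """Parse one constructed 'key=value key=value ...' event line into a dict."""
    return dict(part.split("=", 1) for part in line.split())


def flag_dead_drop_lookups(lines, allowed=ALLOWED_PROCESSES):
    """Return (host, process, dest) tuples for suspicious lookups.

    A lookup is suspicious when a server-role host contacts a dead-drop
    domain from a process that is not on the allow-list.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("role") != "server":
            continue
        if ev.get("dest") not in DEAD_DROP_DOMAINS:
            continue
        if ev.get("process", "").lower() in allowed:
            continue
        hits.append((ev["host"], ev["process"], ev["dest"]))
    return hits


# Constructed sample telemetry: a database server and a web server polling
# GitHub from non-developer processes, plus benign noise that must not fire.
SAMPLE_EVENTS = [
    "host=sql-srv-01 role=server process=sqlservr.exe dest=raw.githubusercontent.com port=443",
    "host=sql-srv-01 role=server process=svchost.exe dest=update.microsoft.com port=443",
    "host=dev-ws-07 role=workstation process=git.exe dest=github.com port=443",
    "host=web-srv-02 role=server process=w3wp.exe dest=gist.github.com port=443",
    "host=web-srv-02 role=server process=git.exe dest=github.com port=443",
]

if __name__ == "__main__":
    for host, proc, dest in flag_dead_drop_lookups(SAMPLE_EVENTS):
        print(f"ALERT {host}: {proc} fetched from {dest}")
```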

Target Focus and Purpose

Kaspersky’s researchers Georgy Kucherin and Saurabh Sharma emphasized that the PassiveNeuron operation mainly focuses on compromising server machines.

“Servers exposed to the internet are particularly valuable targets for advanced persistent threat (APT) actors,” they noted. “They provide access points to critical systems and sensitive data within target organizations.”