Fyself News
Researchers use Neursite and NeuralExecutor malware to identify PassiveNeuron APT


October 22, 2025Ravi LakshmananCyber ​​espionage / network security

Government, financial, and industrial organizations in Asia, Africa, and Latin America are being targeted by a new campaign called “PassiveNeuron,” according to Kaspersky Lab’s findings.

The cyber espionage campaign was first flagged by the Russian cybersecurity vendor in November 2024; in June, Kaspersky disclosed a series of attacks on government agencies in Latin America and East Asia that used two previously unseen malware families, tracked as Neursite and NeuralExecutor.

Kaspersky also said the operation showed a high degree of sophistication, with the attackers using previously compromised internal servers as intermediate command-and-control (C2) infrastructure to stay under the radar.

“Threat actors can move laterally within the infrastructure to steal data, optionally creating virtual networks that allow attackers to steal desired files even from machines isolated from the internet,” Kaspersky noted at the time. “The plugin-based approach allows us to dynamically adapt to the attacker’s needs.”


The company has since said that a new wave of PassiveNeuron infections was observed from December 2024 through August 2025. Although attribution remains uncertain at this stage, there are some indications that the campaign is the work of Chinese-speaking attackers.

In at least one incident, the attackers obtained initial remote command execution through Microsoft SQL Server on a compromised machine running Windows Server. Exactly how this was accomplished is unknown; possibilities include brute-forcing administrative account passwords, exploiting SQL injection flaws in applications hosted on the server, or an unidentified vulnerability in the server software itself.
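The article says only that command execution came through Microsoft SQL, possibly after password brute-forcing. The Python script below is an added illustration, not code from the article or from Kaspersky's report, of the triage a responder would run over the SQL Server ERRORLOG to test that theory: it counts failed logins per client/user pair, flags a success that follows a burst of failures, and flags the enabling of `xp_cmdshell` or similar options (the usual route from SQL access to OS command execution; the article does not say this was the mechanism, so treat it as an assumption). The log lines are constructed for the example and follow SQL Server's errorlog wording; hosts, users and timestamps are invented.

```python
import re
from collections import Counter

# Constructed SQL Server ERRORLOG-style lines (example data, not from the
# article). Message wording follows SQL Server's real errorlog format;
# hosts, users and timestamps are invented.
SAMPLE_ERRORLOG = """\
2025-01-14 02:11:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.17]
2025-01-14 02:11:03.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.17]
2025-01-14 02:11:03.64 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.17]
2025-01-14 02:11:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.17]
2025-01-14 02:11:03.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.17]
2025-01-14 02:11:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.17]
2025-01-14 02:11:09.15 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.17]
2025-01-14 02:12:40.08 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-14 02:12:40.09 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-14 08:30:12.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.0.8]
"""

FAILED_RE = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*?\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS_RE = re.compile(
    r"Login succeeded for user '(?P<user>[^']+)'.*?\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# sp_configure options that turn SQL access into OS-level code execution
# (assumed list for the example).
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def triage(log_text, threshold=5):
    """Scan errorlog text and return the indicators a responder cares about."""
    failed = Counter()              # (client, user) -> failed login count
    suspect_clients = []            # clients that reached the failure threshold
    success_after_failures = []     # (client, user) that logged in after a burst
    dangerous_options_enabled = []  # sp_configure options switched on

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            key = (m["client"], m["user"])
            failed[key] += 1
            if failed[key] == threshold and m["client"] not in suspect_clients:
                suspect_clients.append(m["client"])
            continue

        m = SUCCESS_RE.search(line)
        if m:
            key = (m["client"], m["user"])
            # A success from a client that just failed many times is the
            # signature of a brute force that eventually worked.
            if failed[key] >= threshold:
                success_after_failures.append(key)
            continue

        m = CONFIG_RE.search(line)
        if m and m["opt"] in DANGEROUS_OPTIONS and m["new"] != "0":
            dangerous_options_enabled.append(m["opt"])

    return {
        "failed_logins": dict(failed),
        "suspect_clients": suspect_clients,
        "success_after_failures": success_after_failures,
        "dangerous_options_enabled": dangerous_options_enabled,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_ERRORLOG).items():
        print(f"{name}: {value}")
```

On a real host, feed `triage()` the contents of the ERRORLOG files from the instance's log directory (or the output of `xp_readerrorlog`); the same failed logins also surface as SQL Server error 18456 in the Windows Application event log, which is useful when the errorlog has been rotated or cleared.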

Regardless of the method used, the attacker first tried to plant an ASPX web shell for basic command execution. When those attempts failed, the intruder was observed delivering a more sophisticated implant through a chain of DLL loaders placed in the System32 directory. These include:

  • Neursite, a custom-built C++ modular backdoor
  • NeuralExecutor, a custom-built .NET implant used to download and execute additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets
  • Cobalt Strike, a legitimate adversary simulation tool

Neursite utilizes built-in configuration to connect to C2 servers and uses TCP, SSL, HTTP, and HTTPS protocols for communication. By default, it supports the ability to collect system information, manage running processes, and proxy traffic through other backdoor-infected machines for lateral movement.


The malware also includes components that fetch auxiliary plugins for shell command execution, file system management, and TCP socket manipulation.

Kaspersky also pointed out that the NeuralExecutor variant discovered in 2024 read the C2 server address directly from its configuration, whereas the artifact discovered this year retrieves the C2 server address from a GitHub repository, a technique known as a dead drop resolver.
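To make the dead drop resolver concrete, the following Python is an added example of the technique in general, not code from the article or from the NeuralExecutor sample: the operator hides the current C2 address inside an innocuous file in a public repository, and the implant fetches that file from the legitimate domain and extracts the address. The HTML-comment marker, the base64 encoding and the page text are assumptions chosen for illustration; the article does not describe the real format PassiveNeuron uses, and the IP addresses are documentation ranges.

```python
import base64
import re

# Marker format is an assumption for the example: an HTML comment that
# renders as nothing on GitHub, carrying a base64 blob.
MARKER_RE = re.compile(r"<!--\s*cfg:(?P<blob>[A-Za-z0-9+/=]+)\s*-->")

# Constructed stand-in for a README fetched from a public repository
# (example data, not from the article). The blob decodes to
# https://198.51.100.23:8443, a documentation-range address.
FETCHED_PAGE = """\
# build-tools
Helper scripts for CI.

<!-- cfg:aHR0cHM6Ly8xOTguNTEuMTAwLjIzOjg0NDM= -->

See CONTRIBUTING.md for details.
"""


def embed_c2(page, c2_url):
    """Operator side: hide the current C2 URL in an innocuous-looking page.

    The implant never needs to know the C2 in advance; the operator edits
    the repository file to rotate infrastructure. An existing marker is
    replaced so the page only ever carries one address.
    """
    blob = base64.b64encode(c2_url.encode()).decode()
    marker = f"<!-- cfg:{blob} -->"
    if MARKER_RE.search(page):
        return MARKER_RE.sub(marker, page)
    return page.rstrip("\n") + "\n\n" + marker + "\n"


def resolve_c2(page):
    """Implant side: pull the C2 URL out of the fetched page, or None.

    A real implant would issue an HTTPS GET to the repository's raw file
    URL first; that network step is left out so the example runs offline.
    """
    m = MARKER_RE.search(page)
    if not m:
        return None
    try:
        return base64.b64decode(m["blob"], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        # Malformed blob: the implant falls back to its built-in config
        # or retries later rather than crashing.
        return None


if __name__ == "__main__":
    print("current C2:", resolve_c2(FETCHED_PAGE))
    rotated = embed_c2(FETCHED_PAGE, "https://203.0.113.5:443")
    print("after rotation:", resolve_c2(rotated))
```

Two practical points follow from the shape of this code. First, the implant trusts whatever the page says, so whoever controls the repository (including a takedown team) can redirect it; implants that care about that sign or encrypt the blob rather than just encoding it. Second, the defender's tell is not the GitHub domain itself but the requester: a database or web server process with no legitimate reason to fetch raw repository content, doing so on a timer, is worth a closer look.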

“The PassiveNeuron campaign is unique in that it primarily targets server machines,” researchers Georgy Kucherin and Saurabh Sharma said. “These servers, especially those exposed to the internet, are usually lucrative targets for [advanced persistent threats], because they can act as a gateway to the targeted organization.”

