PassiveNeuron APT: New Espionage Campaign Targets Global Windows Servers
Over the past two years, Kaspersky Lab researchers have been tracking a little-known espionage campaign dubbed PassiveNeuron. Initial server compromises of government organizations were observed as early as 2024, yet for a long time the vectors of initial intrusion and the provenance of the malware components remained opaque.
A renewed surge of activity, detected from December 2024 through August 2025, broadened the campaign’s footprint to state, financial, and industrial targets across Asia, Africa, and Latin America. These fresh incidents allowed analysts to fill gaps in the technical narrative and draw closer to identifying the campaign’s likely origins.
The vast majority of compromised hosts ran Windows Server. In one incident, adversaries gained remote access via Microsoft SQL vulnerabilities; while the precise initial access vector could not always be ascertained, such servers are commonly breached through SQL engine flaws, SQL injection in web applications, or brute-forcing database administrator credentials. Once afforded remote command execution, attackers attempted to install an ASPX web shell, though a host protection product blocked that attempt.
In response, the attackers iterated their techniques: switching web shell encodings from Base64 to hexadecimal, replacing PowerShell payloads with VBScript and writing scripts line-by-line to evade detection—measures that, however, were also intercepted. They then progressed to a more elaborate multi-stage module loader architecture.
Analysts identified three principal classes of malicious components across different phases of the intrusion: a bespoke modular platform Neursite (written in C++), a .NET loader called NeuralExecutor, and the widely abused Cobalt Strike framework. All campaigns exhibited chained DLL loaders, invoked sequentially.
The initial stage involved planting a DLL in a Windows system directory whose filename mimicked legitimate components, enabling automatic execution through Phantom DLL Hijacking. File sizes were artificially inflated with junk data to hinder discovery. On execution, the DLL enumerated MAC addresses of all network adapters and proceeded only if a hardcoded MAC matched—an anti-sandboxing measure ensuring the payload ran only on the intended target. Successive loader tiers were then activated: decrypting payloads and injecting shellcode into processes such as WmiPrvSE.exe, culminating in an unconventional in-memory executable format for the main implant.
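As an added, defender-side illustration (not code from Kaspersky's report or from the PassiveNeuron tooling) of how the junk-data inflation described above can be triaged: the Python below parses the PE section table and flags DLLs with a large overlay, the region after the last section where appended padding lands. The minimal PE builder, the constructed sample files and the 1 MB threshold are assumptions made for this example.

```python
import struct
import tempfile
from pathlib import Path

def pe_overlay_size(data: bytes):
    """Bytes appended after the last section's raw data (the overlay), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + opt_size
    end = sect_off + 40 * num_sections          # at least the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)

def triage_dir(directory, min_overlay=1_000_000):
    """Flag DLLs whose overlay exceeds min_overlay bytes (assumed threshold).
    Signed binaries carry an Authenticode blob of a few KB in the overlay, so a
    threshold far above that keeps legitimate files out of the hit list."""
    hits = []
    for p in sorted(Path(directory).glob("*.dll")):
        overlay = pe_overlay_size(p.read_bytes())
        if overlay is not None and overlay >= min_overlay:
            hits.append((p.name, overlay))
    return hits

def build_fake_dll(section: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE image (not loadable) used only to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    raw_ptr = 0x40 + 24 + 40                                       # headers end here
    sect = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr) + b"\0" * 16
    return dos + coff + sect + section + overlay

def demo():
    """Write one normal-looking and one junk-inflated constructed DLL, then triage them."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "normal.dll").write_bytes(build_fake_dll(b"\x90" * 4096, b"\0" * 2048))
        Path(d, "inflated.dll").write_bytes(build_fake_dll(b"\x90" * 4096, b"\xcc" * 3_000_000))
        return triage_dir(d)

if __name__ == "__main__":
    print(demo())   # [('inflated.dll', 3000000)]
```

Point `triage_dir` at a system directory to list oversized-overlay DLLs for manual review; a hit is a lead for signature and hash checks, not a verdict on its own.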
The most capable tool observed, Neursite, featured granular C2 configuration: lists of endpoints, proxy settings, custom headers, timing intervals, and even scheduled activity windows. It supported TCP, SSL, HTTP, HTTPS, and an option to await inbound connections. Neursite provided file management, command execution, socket operations, and could proxy traffic—enabling lateral movement within victim networks.
The NeuralExecutor implant functioned as a .NET loader, protected by the ConfuserEx obfuscator, capable of communications over TCP, WebSocket, named pipes and HTTP(S). Its role was to receive and execute additional .NET payloads retrieved from the command server.
Attribution is complicated by deliberate false flags. Early NeuralExecutor builds contained Russian-language strings such as “Супер обфускатор,” which were later stripped, while newer variants adopted a Dead Drop Resolver technique—fetching configuration blobs from GitHub using unique delimiter strings and decrypting them with AES. This dead-drop pattern was previously noted in the EastWind campaign, which has been linked to APT31 and APT27.
Further circumstantial evidence bolstering a China-linked hypothesis included the discovery of a malicious library imjp14k.dll on an infected host; its build path mirrored artifacts cited in Cisco Talos reports on APT41, and the DLL’s behavior aligned with those documented patterns.
Although definitive attribution remains elusive, the confluence of techniques and recurring operational traits permits a cautious assessment pointing toward Chinese-speaking operators. The campaign is sharply focused on server-side infrastructure—a classic APT objective—exploiting weak web defenses, SQL injection vectors, and fragile protections against web shells to establish persistent footholds.