Kaspersky Uncovers PassiveNeuron Cyberespionage Targeting Global Organizations

Islamabad: Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered an ongoing cyberespionage campaign named PassiveNeuron. It targets Windows Server systems in government, financial, and industrial organizations across Asia, Africa, and Latin America. The activity began in December 2024 and continued through August 2025.

Resumption of Operations and Toolset

After six months of inactivity, PassiveNeuron resumed operations. It now uses three main tools—two of which were previously unknown—to gain and maintain access to targeted networks. These tools include Neursite, a modular backdoor; NeuralExecutor, a .NET-based implant; and Cobalt Strike, a penetration testing framework often used by threat actors.

Server-Focused Threats and Security Risks

“PassiveNeuron stands out for its focus on compromising servers, which are often the backbone of organizational networks,” said Georgy Kucherin, Security Researcher at GReAT, Kaspersky. “Servers exposed to the Internet attract APT groups. A single compromised host can provide access to critical systems. Organizations must minimize the attack surface and monitor server applications to detect and stop infections.”

Capabilities of Neursite and NeuralExecutor

Neursite collects system information, manages running processes, and routes network traffic through compromised hosts. This enables lateral movement within a network. Samples communicated with both external command-and-control servers and compromised internal systems.

NeuralExecutor delivers additional payloads. It supports multiple communication methods and can load and execute .NET assemblies received from its command-and-control server.

Attribution Challenges and Threat Actor Profile

In observed samples, attackers replaced function names with strings containing Cyrillic characters. These artifacts may serve as false flags to mislead analysts. Based on observed tactics and techniques, Kaspersky assesses with low confidence that a Chinese-speaking threat actor is likely behind the campaign.

Earlier Detection and Campaign Sophistication

Kaspersky researchers detected PassiveNeuron activity earlier in 2024. They described the campaign as highly sophisticated.

Recommendations for Cybersecurity Preparedness

To avoid targeted attacks, Kaspersky recommends giving SOC teams access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal offers cyberattack data and insights gathered over 20 years.

Organizations should upskill cybersecurity teams with Kaspersky’s online training developed by GReAT experts. For endpoint-level detection and incident response, implement EDR solutions like Kaspersky Endpoint Detection and Response.

Network-Level Defense and Awareness Training

Adopt corporate-grade security solutions that detect advanced threats early, such as the Kaspersky Anti Targeted Attack Platform. Since many attacks begin with phishing or social engineering, introduce security awareness training. Teach practical skills through platforms like the Kaspersky Automated Security Awareness Platform.

More information is available in a report on Securelist.com.
