A threat actor has been targeting high-profile government, finance, and industrial organizations in Asia, Africa, and Latin America with multiple implants, Kaspersky reports.
The infection campaign, dubbed PassiveNeuron, has been ongoing for at least two years. After being detailed in June 2024, the attacks stopped for six months, but resumed in December 2024 and continued up to at least August 2025.
As part of the campaign, the threat actor mainly focuses on machines running Windows Server, obtaining remote code execution (RCE) for the deployment of web shells, followed by various implants.
In one incident, the attackers abused Microsoft SQL for the execution of an ASPX web shell. After their attempts were blocked, they attempted to deploy more sophisticated implants.
Over the past two years, Kaspersky identified three implants used in the PassiveNeuron campaign, namely Neursite (a custom C++ modular backdoor), NeuralExecutor (a custom .NET implant), and the Cobalt Strike framework.
“While we saw different combinations of these implants deployed on targeted machines, we observed that in the vast majority of cases, they were loaded through a chain of DLL loaders,” Kaspersky explains.
The DLLs were placed in the System32 directory, ensuring persistence and their automatic execution at system startup. They are also unusually large (over 100 MB), having been artificially inflated to evade detection.
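A defender-side check for the oversized-DLL trait described above, as an added example rather than code from the report: it flags DLLs at or above a size threshold and, for each, measures how many bytes lie past the last PE section (overlay). The assumption that the padding sits in the overlay is mine; the report only states that the files are inflated. The sample DLL is constructed in the script, not a real binary.

```python
import struct
from pathlib import Path

# Kaspersky reports the PassiveNeuron loader DLLs at over 100 MB.
SIZE_THRESHOLD = 100 * 1024 * 1024

def pe_raw_extent(data: bytes):
    """Highest file offset covered by PE headers or any section, or None if not
    a parseable PE. Bytes past it are overlay: never mapped, ideal for padding."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # skip optional header
    end = table + nsect * 40  # each section header is 40 bytes
    if end > len(data):
        return None
    extent = end
    for off in range(table, end, 40):
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        extent = max(extent, ptr_raw + size_raw)
    return extent

def scan_dlls(directory, threshold=SIZE_THRESHOLD):
    """DLLs under directory at/above threshold, with bytes past the last section."""
    hits = []
    for path in sorted(Path(directory).rglob("*.dll")):
        size = path.stat().st_size
        if size < threshold:
            continue
        with open(path, "rb") as f:
            extent = pe_raw_extent(f.read(4096))  # headers and section table
        overlay = size - extent if extent is not None and extent <= size else None
        hits.append({"path": str(path), "size": size, "overlay_bytes": overlay})
    return hits

def build_sample_dll(path, section_end, total_size):
    """Constructed sample (not a real binary): one-section PE stub zero-padded
    to total_size, mimicking an inflated loader."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, section_end - 0x200, 0x200)
    Path(path).write_bytes((dos + coff + sect + b"\0" * 16).ljust(total_size, b"\0"))
```

Run `scan_dlls(r"C:\Windows\System32")` on a host to list candidates; a large overlay on a file that is otherwise a small loader is worth a closer look.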
The Neursite backdoor uses multiple protocols for command-and-control (C&C) communication and can retrieve system information, manage running processes, and proxy traffic via other infected machines.
It also supports loading additional plugins that allow attackers to execute shell commands, manage file systems, and perform various TCP socket operations.
NeuralExecutor is a custom loader that supports multiple communication protocols and is designed to load .NET assemblies based on commands received from the C&C.
“Both Neursite and NeuralExecutor, the two custom implants we found to be used in the PassiveNeuron campaign, have never been observed in any previous cyberattacks,” Kaspersky says.
Recent Neursite and NeuralExecutor samples were seen obtaining C&C server addresses from GitHub, a technique popular among Chinese-speaking threat actors such as APT31 and APT27. A PDB string in one of the analyzed DLLs also points to APT41. Together these led Kaspersky to attribute the PassiveNeuron campaign to a Chinese-speaking APT.
“The PassiveNeuron campaign has been distinctive in the way that it primarily targets server machines. These servers, especially the ones exposed to the internet, are usually lucrative targets for APTs, as they can serve as entry points into target organizations,” Kaspersky notes.