Global Cyber Espionage Operation Uncovered
A sophisticated threat campaign targeting prominent organizations across government, industrial, and financial sectors has been identified by cybersecurity researchers, according to recent reports. Dubbed “PassiveNeuron,” the operation has been active across Asia, Africa, and Latin America, deploying custom malware implants specifically designed for cyberespionage purposes.
Security analysts at Kaspersky first discovered the campaign in June 2024 and have since documented a new wave of infections occurring between December 2024 and August 2025, the report states. The campaign’s resurgence demonstrates the persistent nature of the threat actors behind it, sources indicate.
Custom Malware Arsenal Targets Windows Servers
The PassiveNeuron campaign specifically compromises servers within Windows-based organizations using two previously unidentified malware families, according to the analysis. Researchers identified “Neursite” as a C++ modular backdoor and “NeuralExecutor” as an implant designed to run additional .NET payloads, neither of which had been observed in previous threat campaigns.
Attackers also deploy Cobalt Strike, the commercial red teaming tool frequently weaponized by threat actors, as part of their payload delivery, the report states. Analysts read the targeting of servers as a sign of advanced persistent threat (APT) activity, since these systems often serve as entry points into target organizations.
SQL Server Infrastructure Under Attack
Analysis of infection cases reveals that attackers are particularly targeting Microsoft SQL Server software, according to the research. Security experts observed attackers gaining initial remote command execution capabilities through compromised SQL Server instances, though the exact initial compromise method remains unclear.
Typically, attackers breach these servers by exploiting vulnerabilities on the server itself or SQL injection flaws in applications running on it, the researchers noted. Alternatively, they may gain access by brute-forcing database administration account passwords or by using compromised credentials to execute malicious SQL queries.
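Because brute-forcing database administrator accounts is one of the initial-access routes the researchers describe, a defender's first check is the SQL Server error log, which records every failed and successful login together with the client address. The following Python example, added here and not part of the Kaspersky report or the original article, parses lines written in the style of that log and flags any client address that exceeds a threshold of failed logins inside a sliding window, noting whether a successful login from the same address followed. The log lines, the threshold and the window are constructed sample values, not data from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating the SQL Server error-log format for
# login events (sample data for this example, not a capture from the campaign).
SAMPLE_LOG = """\
2025-03-02 01:14:01.11 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2025-03-02 01:14:01.52 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2025-03-02 01:14:02.03 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2025-03-02 01:14:02.40 Logon Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2025-03-02 01:14:03.00 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2025-03-02 01:14:03.44 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2025-03-02 01:20:15.10 Logon Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2025-03-02 01:21:00.00 Logon Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""

# Timestamp, outcome, account and client address; sub-second digits are dropped.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)
SUCCESS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+Login succeeded for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse(log_text):
    """Return a list of (timestamp, client_ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        for regex, ok in ((FAILED_RE, False), (SUCCESS_RE, True)):
            m = regex.match(line)
            if m:
                ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
                events.append((ts, m["ip"], m["user"], ok))
                break
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client addresses with at least `threshold` failed logins inside any
    `window`-long span. Returns {ip: summary} for flagged addresses only."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, ip, user, ok in events:
        (successes if ok else failures)[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        # Sliding window over sorted timestamps: widest burst within `window`.
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = times[-1]
            alerts[ip] = {
                "failures": len(times),
                "peak_in_window": peak,
                "users": sorted({u for _, u in fails}),
                # A success after the burst is the case worth escalating first.
                "followed_by_success": any(t > last_fail for t, _ in successes.get(ip, [])),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

In the sample, the single failed login from 10.0.0.25 stays below the threshold and is not reported, while 203.0.113.7 is flagged with six failures across two account names and a later successful 'sa' login, which is the combination that warrants credential rotation and a review of what that session executed.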
Attribution Challenges and False Flags
Attributing the campaign has proven challenging due to the previously unidentified nature of the malware, according to the report. Initial clues suggested possible Russian involvement, with function names in 2024 NeuralExecutor samples containing Russian-language strings meaning “Super obfuscator.”
However, researchers believe these may represent false flags deliberately planted to mislead investigators. “Threat actors may insert strings in languages they do not speak to create false flags intended to confuse researchers,” the report states, noting the attackers used the ConfuserEx obfuscator when introducing these Russian strings.
Connections to Chinese-Speaking Threat Actors
Further investigation revealed technical connections that analysts believe link the activity to Chinese-speaking threat actors. The 2025 malware samples employed the Dead Drop Resolver technique, using legitimate external web services—specifically GitHub—to host information pointing to command-and-control infrastructure.
Security researchers noted that “this exact method of obtaining C2 server addresses from GitHub, using a string containing delimiter sequences, is quite popular among Chinese-speaking threat actors,” particularly those associated with previous campaigns like EastWind. The overall tactics, techniques, and procedures most closely resemble those commonly employed by Chinese-speaking threat actors, leading researchers to attribute the campaign to such groups with “a low level of confidence.”
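The Dead Drop Resolver technique (MITRE ATT&CK T1102.001, cited in the references below) only works if the implant on the server can reach the legitimate hosting service, so the detection opportunity is a server-role process contacting a code-hosting domain it has no business talking to. The Python example below is added here and is not code from the report or the article; it runs a simple egress-review rule over constructed, process-aware proxy records. The column layout, the host and process names, and the sets of "dead drop" domains and expected client processes are all assumptions for the example and would be tuned to an organization's own telemetry.

```python
import csv
import io
from collections import Counter

# Constructed sample egress records in a hypothetical CSV export from a
# process-aware proxy or EDR sensor (not real telemetry from the campaign).
SAMPLE_EGRESS = """\
ts,host,process,dest_host,path
2025-07-01T03:12:44Z,sql-prod-01,sqlservr.exe,raw.githubusercontent.com,/someuser/repo/main/readme.txt
2025-07-01T03:12:45Z,sql-prod-01,sqlservr.exe,raw.githubusercontent.com,/someuser/repo/main/readme.txt
2025-07-01T09:01:10Z,dev-ws-07,git.exe,github.com,/org/project.git/info/refs
2025-07-01T09:05:00Z,dev-ws-07,chrome.exe,github.com,/org/project
2025-07-01T11:40:02Z,web-01,w3wp.exe,gist.githubusercontent.com,/x/abc123/raw/config
2025-07-01T12:00:00Z,web-01,w3wp.exe,cdn.example.com,/assets/app.js
"""

# Legitimate services commonly abused to host C2 pointers (assumed list).
DEAD_DROP_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "github.com",
    "gist.github.com",
}
# Processes for which reaching a code-hosting service is expected (assumed list).
EXPECTED_CLIENTS = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}


def find_dead_drop_lookups(csv_text):
    """Return records where a process that is not an expected client fetched
    from a dead-drop-capable host. Database engines and web-server worker
    processes have no legitimate reason to do this."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (
            row["dest_host"].lower() in DEAD_DROP_HOSTS
            and row["process"].lower() not in EXPECTED_CLIENTS
        ):
            hits.append(row)
    return hits


def summarize(hits):
    """Count hits per (host, process, destination, path). A repeated fetch of
    the same path from a server process is the resolver re-reading its pointer."""
    return Counter((h["host"], h["process"], h["dest_host"], h["path"]) for h in hits)


if __name__ == "__main__":
    for key, n in summarize(find_dead_drop_lookups(SAMPLE_EGRESS)).items():
        print(n, *key)
```

On the sample data the developer workstation's git and browser traffic to GitHub is ignored, while the SQL Server process on sql-prod-01 fetching the same raw file twice and the IIS worker on web-01 reading a gist are both surfaced; the first of these is the pattern the report associates with the 2025 samples.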
Advanced Malware Capabilities
Among the three payloads deployed in the campaign, the Neursite backdoor demonstrates the most sophisticated capabilities, according to the analysis. The implant can utilize TCP, SSL, HTTP, and HTTPS protocols for command-and-control communications and can connect directly to C2 servers or wait for incoming communications through specified ports.
In observed cases, Neursite samples were configured to use either external servers or compromised internal infrastructure for C2 communications, the report states. The backdoor’s default commands enable attackers to retrieve system information, manage running processes, and proxy traffic through other infected machines to facilitate lateral movement within networks.
Meanwhile, the custom NeuralExecutor loader implements multiple network communication methods including TCP, HTTP/HTTPS, named pipes, and WebSockets. After establishing communication with C2 servers, the backdoor can receive commands to load .NET assemblies, with its primary function being to receive and execute additional .NET payloads from the network.
Defensive Recommendations
Given PassiveNeuron’s targeting of server machines in prominent organizations, security experts emphasize the critical importance of robust server protection. Defenders should reduce attack surfaces wherever possible and monitor all server applications so that new infections are detected early, the researchers advised.
Due to the campaign’s specific focus on SQL servers, organizations should particularly secure applications against SQL injection flaws, which threat actors commonly exploit for initial access. Additionally, defenders should strengthen protections against web shells, which attackers frequently deploy to facilitate server compromise.
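The SQL injection recommendation above comes down to one rule: user input must never be spliced into the text of a statement. The Python example below, added here and not taken from the report or the article, shows the vulnerable pattern next to its hardened forms. It uses an in-memory SQLite database as a stand-in for SQL Server so it runs offline; the `?` placeholder syntax is the same one the pyodbc driver uses against SQL Server. The table, the rows and the test input are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database: two accounts (stand-in for a real users table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input becomes part of the SQL text, so quote characters
    in it are parsed as SQL rather than treated as data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened: the statement is fixed and the value is bound separately, so
    the driver never interprets the input as SQL."""
    return [
        row[0]
        for row in conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    ]


# Identifiers (column names, table names) cannot be bound as parameters, so
# the remaining case is handled with a strict allowlist rather than escaping.
SORTABLE_COLUMNS = {"id", "username"}


def list_users_sorted(conn, order_by):
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order_by)
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY " + order_by)]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed input containing a quote
    print("vulnerable:    ", lookup_vulnerable(db, probe))
    print("parameterized: ", lookup_parameterized(db, probe))
    print("sorted:        ", list_users_sorted(db, "username"))
```

With the quoted probe input the concatenated query returns every account, while the parameterized query correctly returns nothing because no username literally equals that string; the allowlisted `ORDER BY` shows how to handle the one place where binding is unavailable. Code review for the concatenation pattern, and database logging of the exact statement text that reached the server, are the two controls that catch this class of flaw before and after deployment respectively.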
The persistence and sophistication of the PassiveNeuron campaign underscore the ongoing challenges organizations face from state-aligned cyber espionage groups targeting critical infrastructure and sensitive data, according to cybersecurity analysts monitoring the threat landscape.
References & Further Reading
This article draws from multiple authoritative sources. For more information, please consult:
- https://securelist.com/apt-report-q3-2024/114623/#passiveneuron
- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
- https://attack.mitre.org/techniques/T1102/001/
- https://www.cybersecuritydive.com/news/white-house-cyberattacks-china-private-sector/603620/
- http://en.wikipedia.org/wiki/Threat_actor
- http://en.wikipedia.org/wiki/Kaspersky_Lab
- http://en.wikipedia.org/wiki/Microsoft_SQL_Server
- http://en.wikipedia.org/wiki/Server_(computing)
- http://en.wikipedia.org/wiki/Malware
