Kaspersky’s Global Research and Analysis Team (GReAT) have uncovered an ongoing cyberespionage PassiveNeuron campaign, that targets Windows Server systems in government, financial and industrial organisations across Asia, Africa and Latin America.
The activity has been observed since December 2024 and continued through August 2025.
After six months of inactivity, PassiveNeuron has resumed operations, using three main tools – two of which were previously unknown – to gain and maintain access to targeted networks. These tools are: Neursite, a modular backdoor; NeuralExecutor, a .NET-based implant; Cobalt Strike, a penetration testing framework often used by threat actors.
“PassiveNeuron stands out for its focus on compromising servers, which are often the backbone of organisational networks,” says Georgy Kucherin, security researcher at GReAT, Kaspersky. “Servers exposed to the Internet are particularly attractive targets for advanced persistent threat (APT) groups, as a single compromised host can provide access to critical systems. It is therefore essential to minimise the attack surface related to them and continuously monitor server applications to detect and stop potential infections.”
The Neursite backdoor can collect system information, manage running processes and route network traffic through compromised hosts, enabling lateral movement within a network. Samples were found communicating with both external command-and-control servers and compromised internal systems.
NeuralExecutor is designed to deliver additional payloads. The implant supports multiple communication methods and can load and execute .NET assemblies received from its command-and-control server.
In samples observed by GReAT, the function names were replaced with strings containing cyrillic characters, apparently introduced intentionally by the attackers. Such artifacts require careful evaluation during attribution, as they may function as false flags designed to misdirect analysts.
Based on the tactics, techniques and procedures observed, Kaspersky assesses with low confidence that the campaign is likely associated with a Chinese-speaking threat actor.
Earlier in 2024, Kaspersky researchers had already detected activity from PassiveNeuron and described the campaign as exhibiting a high level of sophistication.