Sophisticated ‘PassiveNeuron’ Espionage Campaign Targets Global Enterprises with Custom Malware


Global Cyberespionage Operation Resurfaces with Enhanced Capabilities

A sophisticated cyberespionage campaign known as “PassiveNeuron” has reemerged with new malware implants targeting government agencies, industrial organizations, and financial institutions across Asia, Africa, and Latin America. The campaign, initially identified in June 2024 by Kaspersky researchers, has continued its operations through 2025 with enhanced techniques and expanded targeting.


Advanced Malware Arsenal Deployed

The threat actors behind PassiveNeuron are deploying two previously unseen custom malware implants alongside the commercial penetration testing tool Cobalt Strike. Neursite, a sophisticated C++ modular backdoor, and NeuralExecutor, a loader designed to execute additional .NET payloads, form the core of their offensive toolkit.

According to Kaspersky security experts Georgy Kucherin and Saurabh Sharma, “These servers, especially the ones exposed to the Internet, are usually lucrative targets for APTs, as they can serve as entry points into target organizations.” The strategic focus on Windows-based servers suggests the operation aims for maximum organizational access and data exfiltration capabilities.

SQL Server Infrastructure Under Attack

Analysis of infection patterns reveals a particular focus on Microsoft SQL Server environments. Attackers are gaining initial remote command execution through compromised SQL Servers, though the exact initial compromise vectors remain unclear. Researchers suggest multiple potential entry points, including:

  • Exploitation of server vulnerabilities
  • SQL injection attacks against web applications
  • Credential brute-forcing against database administration accounts
  • Malicious SQL query execution through compromised accounts

Attribution Challenges and False Flags

The attribution puzzle surrounding PassiveNeuron demonstrates the increasing sophistication of state-sponsored threat actors. Initial Russian-language clues in the 2024 samples, specifically function names prefixed with “Супер обфускатор” (Super obfuscator), appeared to point toward Russia-backed actors.

However, researchers determined these were likely deliberate false flags intended to mislead investigators. “Threat actors may insert strings in languages they do not speak to create false flags intended to confuse researchers and prompt them to make errors of judgement when trying to attribute the threat,” explained Kucherin and Sharma.

Technical Evolution Points to Chinese Actors

The campaign’s technical evolution between 2024 and 2025 provides stronger evidence for Chinese attribution. While the 2024 samples retrieved command-and-control (C2) server addresses directly from configuration files, the 2025 variants employed the Dead Drop Resolver technique, using GitHub to host C2 infrastructure information.

This specific method of obtaining C2 server addresses from GitHub, using delimiter sequences, is particularly prevalent among Chinese-speaking threat actors, especially those associated with previous campaigns like EastWind. Combined with overall tactics, techniques, and procedures (TTPs), researchers attribute PassiveNeuron to Chinese-speaking threat actors with “a low level of confidence.”


Malware Capabilities Analysis

The Neursite backdoor demonstrates particularly advanced capabilities, supporting multiple communication protocols including TCP, SSL, HTTP, and HTTPS for C2 communications. The malware can operate in active mode—connecting directly to C2 servers—or passive mode, waiting for incoming connections through specified ports.

Default commands enable attackers to:

  • Retrieve comprehensive system information
  • Manage running processes and services
  • Proxy traffic through other infected machines
  • Load supplementary plugins for expanded functionality

The NeuralExecutor loader complements this with support for TCP, HTTP/HTTPS, named pipes, and WebSockets communication methods, primarily functioning to retrieve and execute additional .NET payloads from the network.

Defensive Recommendations for Organizations

Given the campaign’s focus on high-value servers, organizations should implement comprehensive protection strategies. Key defensive measures include:

  • Application Security: Secure web applications against SQL injection vulnerabilities through proper input validation and parameterized queries
  • Server Hardening: Reduce attack surface by disabling unnecessary services and implementing principle of least privilege
  • Credential Protection: Enforce strong password policies and multi-factor authentication for database administration accounts
  • Monitoring: Implement robust monitoring for suspicious SQL queries and unexpected network connections
  • Web Shell Detection: Deploy mechanisms to detect and prevent web shell installation and usage
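As an added illustration of the monitoring and credential-protection items above (example code written for this page, not anything from Kaspersky's report), the Python below scans constructed SQL Server audit-style lines for a failed-login burst against an administration account and for the classic T-SQL route to OS command execution (enabling and then calling xp_cmdshell, a mechanism the article itself does not name). The log field layout is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified SQL Server audit-log style (not real
# PassiveNeuron telemetry; the field layout is an assumption for this example).
SAMPLE_LOG = """\
2025-03-01T10:00:01 user=app_svc src=10.0.5.20 event=batch text="SELECT name FROM sys.tables"
2025-03-01T10:00:02 user=sa src=203.0.113.7 event=login_failed
2025-03-01T10:00:02 user=sa src=203.0.113.7 event=login_failed
2025-03-01T10:00:03 user=sa src=203.0.113.7 event=login_failed
2025-03-01T10:00:03 user=sa src=203.0.113.7 event=login_failed
2025-03-01T10:00:04 user=sa src=203.0.113.7 event=login_failed
2025-03-01T10:00:10 user=sa src=203.0.113.7 event=batch text="EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
2025-03-01T10:00:11 user=sa src=203.0.113.7 event=batch text="EXEC master..xp_cmdshell 'hostname'"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'event=(?P<event>\S+)(?: text="(?P<text>.*)")?$'
)

# T-SQL that turns the database engine into an OS command runner, then uses it.
# Ordered: a batch yields at most one alert, from the first rule that matches.
SQL_RULES = [
    ("enable_cmd_exec",
     re.compile(r"sp_configure\s+'(xp_cmdshell|ole automation procedures)'\s*,\s*1", re.I)),
    ("os_cmd_exec", re.compile(r"\bxp_cmdshell\b", re.I)),
]

def analyze(log_text, fail_threshold=5):
    """Scan audit lines; return alerts for login bursts and command-execution SQL."""
    alerts, failures = [], defaultdict(int)  # failed logins keyed by (user, src)
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        rec = m.groupdict()
        if rec["event"] == "login_failed":
            failures[(rec["user"], rec["src"])] += 1
            if failures[(rec["user"], rec["src"])] == fail_threshold:  # alert once
                alerts.append({"rule": "login_bruteforce", "line": lineno,
                               "user": rec["user"], "src": rec["src"]})
            continue
        for rule, pattern in SQL_RULES:
            if pattern.search(rec.get("text") or ""):
                alerts.append({"rule": rule, "line": lineno,
                               "user": rec["user"], "src": rec["src"]})
                break
    return alerts
```

On the sample data the scan raises three alerts in order: the fifth failed `sa` login from the external address, the configuration change that enables xp_cmdshell, and the subsequent call to it; the benign application query produces nothing.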

The persistence and sophistication of the PassiveNeuron campaign underscores the ongoing challenge that advanced cyberespionage operations pose to global organizations. As Kaspersky’s detailed analysis reveals, understanding the technical evolution and attribution complexities of such campaigns is crucial for developing effective defensive strategies.
