Kaspersky identifies PassiveNeuron cyberespionage campaign targeting Windows Server machines

Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered an ongoing cyberespionage campaign, tracked as PassiveNeuron, that targets Windows Server systems in government, financial and industrial organisations across Asia, Africa and Latin America. The activity has been observed since December 2024 and continued through August 2025.

After six months of inactivity, PassiveNeuron has resumed operations, using three main tools, two of which were previously unknown, to gain and maintain access to targeted networks: Neursite, a modular backdoor; NeuralExecutor, a .NET-based implant; and Cobalt Strike, a penetration testing framework often used by threat actors.

“PassiveNeuron stands out for its focus on compromising servers, which are often the backbone of organisational networks,” said Georgy Kucherin, Security Researcher at GReAT, Kaspersky. “Servers exposed to the Internet are particularly attractive targets for advanced persistent threat (APT) groups, as a single compromised host can provide access to critical systems. It is therefore essential to minimise the attack surface related to them and continuously monitor server applications to detect and stop potential infections.”

The Neursite backdoor can collect system information, manage running processes and route network traffic through compromised hosts, enabling lateral movement within a network. Samples were found communicating with both external command-and-control servers and compromised internal systems.

NeuralExecutor is designed to deliver additional payloads. The implant supports multiple communication methods and can load and execute .NET assemblies received from its command-and-control server.

In the samples observed by GReAT, function names had been replaced with strings containing Cyrillic characters, apparently introduced intentionally by the attackers. Such artifacts require careful evaluation during attribution, as they may be false flags designed to misdirect analysts. Based on the tactics, techniques and procedures observed, Kaspersky assesses with low confidence that the campaign is likely associated with a Chinese-speaking threat actor. Kaspersky researchers had already detected PassiveNeuron activity earlier in 2024 and described the campaign as exhibiting a high level of sophistication.
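The renamed functions are a triage signal rather than an attribution answer, but they are cheap to hunt for: .NET method and type names live in the assembly's #Strings metadata heap as NUL-terminated UTF-8, so Cyrillic identifiers show up as runs of two-byte sequences in the 0xD0..0xD3 lead-byte range. The script below, an added example that is not Kaspersky's tooling and not code from the report, scans a byte blob for identifier-like runs containing Cyrillic and tallies which scripts the letters come from. The `SAMPLE_HEAP` blob and the Cyrillic names in it are constructed for this example and are not taken from real PassiveNeuron samples; a full implementation would parse the CLI metadata tables (for instance with the `dnfile` library) instead of scanning raw bytes.

```python
import re
import unicodedata
from collections import Counter

# UTF-8 encoding of U+0400..U+04FF (the Cyrillic block) is two bytes: D0 80 .. D3 BF.
_CYRILLIC_UTF8 = rb"[\xd0-\xd3][\x80-\xbf]"

# Identifier-like runs: ASCII identifier characters or UTF-8 Cyrillic characters,
# at least 4 code points long. Renamed method names in a .NET #Strings heap would
# land in runs like these, bounded by the heap's NUL separators.
_RUN_RE = re.compile(rb"(?:" + _CYRILLIC_UTF8 + rb"|[A-Za-z0-9_]){4,}")


def is_cyrillic(ch: str) -> bool:
    return "\u0400" <= ch <= "\u04ff"


def find_cyrillic_identifiers(data: bytes) -> list[str]:
    """Return identifier-like strings in `data` that contain at least one
    Cyrillic character, deduplicated, in order of first appearance."""
    found: list[str] = []
    for m in _RUN_RE.finditer(data):
        try:
            s = m.group(0).decode("utf-8")
        except UnicodeDecodeError:
            # A lead byte that was really part of some other sequence; skip it.
            continue
        if any(is_cyrillic(c) for c in s) and s not in found:
            found.append(s)
    return found


def summarize(data: bytes) -> dict:
    """Count flagged identifiers and the Unicode scripts of their letters,
    e.g. {"CYRILLIC": 23, "LATIN": 5}, so mixed-script names stand out."""
    idents = find_cyrillic_identifiers(data)
    scripts: Counter[str] = Counter()
    for s in idents:
        for c in s:
            if c.isalpha():
                # unicodedata.name("а") == "CYRILLIC SMALL LETTER A" -> "CYRILLIC"
                scripts[unicodedata.name(c).split()[0]] += 1
    return {"count": len(idents), "identifiers": idents, "scripts": dict(scripts)}


# Constructed stand-in for a .NET #Strings heap (NUL-separated UTF-8 names).
# The Cyrillic names here are invented for this example, not real sample data.
SAMPLE_HEAP = b"\x00".join([
    b"", b"<Module>", b"Program", b"Main",
    "Загрузить".encode("utf-8"),     # an all-Cyrillic method name
    b"Execute",
    "Выполнить1".encode("utf-8"),    # Cyrillic name with a numeric suffix
    b"System.Reflection", b"Assembly", b"Load",
    "mixedЧасть".encode("utf-8"),    # Latin and Cyrillic in one identifier
]) + b"\x00"


if __name__ == "__main__":
    report = summarize(SAMPLE_HEAP)
    print(f"{report['count']} Cyrillic identifier(s): {report['identifiers']}")
    print(f"letter scripts: {report['scripts']}")
```

Run it over a suspect assembly with `summarize(open(path, "rb").read())`. A hit only means "someone put Cyrillic names here": legitimate software from Russian-speaking developers will trip it too, and, as the paragraph above warns, an attacker can plant such strings deliberately, so the result belongs in the evidence pile, not in the attribution line.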

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team, for example through the Kaspersky Automated Security Awareness Platform.

More information is available in a report on Securelist.com.
