A new cyber-espionage operation named PassiveNeuron has triggered alarms in the cybersecurity world. According to a report by Kaspersky, this campaign has been active across regions in Asia, Africa, and Latin America, targeting government, financial, and industrial organizations. Its main goal: to infiltrate corporate networks using advanced techniques and previously unknown malware.
A Silent but Sophisticated Attack
The first signs of PassiveNeuron emerged in November 2024, when Kaspersky detected attacks against government entities in Latin America and East Asia. Investigators discovered two previously unknown malware families, Neursite and NeuralExecutor, both showing uncommon abilities to remain hidden and adapt to the victims’ environment.
What makes this campaign especially dangerous is its stealth level. The attackers leveraged already compromised internal servers to set up their command-and-control (C2) infrastructure, enabling them to operate undetected for months.
“The attacker is able to move laterally within the infrastructure and extract information—even from machines isolated from the internet,” Kaspersky noted.
“The modular system allows each attack to be tailored to the group's objectives.”
This strategy—typical of Advanced Persistent Threats (APTs)—suggests significant resources and a well-planned offensive behind PassiveNeuron.
A New Wave of Attacks
Between December 2024 and August 2025, Kaspersky observed a new surge of infections linked to this operation. While no group has officially claimed responsibility, some indicators suggest links to Chinese-speaking threat actors.
In one analyzed case, the attackers executed remote commands on a Windows server using Microsoft SQL Server. While the access method remains uncertain, experts outline three potential vectors:
- Brute-force attacks against admin passwords
- SQL injection in a vulnerable application
- Exploitation of an unknown zero-day in the server software
After gaining initial access, the attackers attempted to deploy an ASPX web shell, which would have allowed them to execute commands through a browser. When that failed, they switched to a more advanced method: implants loaded through malicious DLLs placed in the system folder.
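The first of the three suspected vectors, password brute-forcing against the SQL Server instance, is one a defender can look for directly in the server's own logs. The following Python script is an added example, not code from the report or from TecnetOne: it parses failed and successful logon lines written in the style of the SQL Server ERRORLOG, then flags any client address that produces a burst of failures within a short window, and notes whether a successful login followed the burst (the pattern of a guessed password). The log lines, the addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of the SQL Server ERRORLOG (not real data).
SAMPLE_LOG = """\
2024-11-05 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-11-05 10:15:22.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-11-05 10:15:23.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-11-05 10:15:40.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-11-05 10:15:55.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-11-05 10:16:01.10 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-11-05 10:16:05.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-11-05 10:30:00.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.4.22]
"""

# Timestamp, outcome, login name and client address from one Logon line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return a list of logon events; lines that are not Logon records are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "result": m["result"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag clients with >= threshold failed logins inside any sliding window.

    Returns {client: {"failures": n, "users": [...], "success_after_burst": bool}}.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        bucket = failures if e["result"] == "failed" else successes
        bucket[e["client"]].append(e)

    alerts = {}
    for client, fails in failures.items():
        times = [e["ts"] for e in fails]
        burst_end = None
        start = 0
        for i, t in enumerate(times):
            # Slide the window start forward until it covers only the last `window`.
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = t
        if burst_end is None:
            continue
        # A successful login shortly after the burst suggests a guessed password.
        success_after = any(
            burst_end <= s["ts"] <= burst_end + window
            for s in successes.get(client, [])
        )
        alerts[client] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after_burst": success_after,
        }
    return alerts


if __name__ == "__main__":
    for client, info in find_bruteforce(parse_logon_events(SAMPLE_LOG)).items():
        print(f"{client}: {info['failures']} failures, users={info['users']}, "
              f"success_after_burst={info['success_after_burst']}")
```

The single failure from 10.10.4.22 never reaches the threshold and is ignored; the external client produces six failures in under a minute followed by a successful `sa` login, which is the combination worth paging on. In production the same logic would read the rotated ERRORLOG files or the equivalent Windows event channel rather than an embedded string.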
The Attack Toolkit: Neursite and NeuralExecutor
Kaspersky’s analysis revealed three main tools used in the campaign:
- Neursite: A modular C++ backdoor designed to collect system data, control processes, and tunnel between infected devices—enabling stealthy lateral movement.
- NeuralExecutor: A .NET-based implant capable of downloading and executing payloads via TCP, HTTP/HTTPS, named pipes, or WebSockets. It can receive commands directly or through other infected hosts.
- Cobalt Strike: A legitimate security testing tool frequently repurposed by cybercriminals for automated persistence and lateral movement.
Neursite connects to its C2 servers over SSL/HTTPS using configuration embedded in the implant, and because it can tunnel through other infected hosts it keeps working even in air-gapped networks. Its plugin architecture allows it to download new modules to execute commands, manipulate files, or open TCP tunnels.
NeuralExecutor, originally configured with hardcoded C2 addresses, has evolved: recent versions fetch C2 info from GitHub, cleverly using the legitimate platform as a covert “command hub.”
Strategic Targeting: Servers as the Entry Point
What sets PassiveNeuron apart is its focus on internet-exposed servers rather than regular workstations. These machines often host critical data or act as entry points to internal systems.
“Servers are high-value APT targets,” Kaspersky researchers explain.
“They enable lateral movement, data collection, and long-term persistence without detection.”
This approach echoes state-sponsored espionage tactics—focused not on destruction, but long-term, invisible data exfiltration.
A Complex and Adaptive Infrastructure
PassiveNeuron’s infrastructure is decentralized and resilient. It can operate across:
- Compromised internal servers within the victim’s network
- Encrypted traffic disguised as legitimate network activity
- Public platforms like GitHub to receive instructions
This makes detection and blocking extremely difficult without disrupting normal operations. Additionally, the malware can create private virtual networks within the target environment—allowing data exfiltration even from isolated machines.
How to Defend Against These Threats
Attacks like PassiveNeuron highlight the need for proactive, segmented cybersecurity strategies. At TecnetOne, we recommend:
- Harden exposed servers: Apply critical patches, enforce strong passwords, and monitor inbound/outbound traffic continuously.
- Implement network segmentation: Prevent lateral movement if a server is compromised.
- Monitor logs and detection systems: Anomalous access or lateral movement are red flags.
- Adopt Zero Trust: Don’t trust any device or user by default, even inside your network.
- Audit external dependencies: Ensure your third-party services and cloud providers follow strict security protocols.
- Train your team: Many APTs begin with a single compromised account or phishing email.
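The segmentation, egress-monitoring and Zero Trust points in the list above, together with the server-to-server tunnelling and GitHub-based command retrieval described earlier, can be checked mechanically against flow records. The Python script below is an added example written for this article, not tooling from Kaspersky or TecnetOne: it audits a set of flows against a default-deny policy that lists which internal peers each server may talk to and which external destinations it may reach, and then pairs opposite-direction violations into candidate tunnels. The flow records, addresses and policy are constructed for illustration (TEST-NET ranges stand in for external hosts).

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport bytes_out")

INTERNAL = ipaddress.ip_network("10.10.0.0/16")

# Segmentation policy (constructed): internal destinations each server may initiate to.
# Hosts absent from the map, and hosts mapped to an empty set, may initiate nothing.
ALLOWED_PEERS = {
    "10.10.1.20": {"10.10.2.30"},   # web tier -> database
    "10.10.2.30": {"10.10.2.31"},   # database -> replica
    "10.10.2.31": {"10.10.2.30"},
    "10.10.3.40": set(),            # isolated file server: no outbound at all
}

# Egress allowlist (constructed): external destinations each server may reach.
EGRESS_ALLOW = {"10.10.1.20": {"198.51.100.10"}}   # e.g. an internal update mirror

# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.2.30", 1433, 40_000),      # expected web -> DB
    Flow("10.10.1.20", "10.10.3.40", 8443, 2_000_000),   # web -> isolated host: not allowed
    Flow("10.10.3.40", "10.10.1.20", 8443, 900_000),     # reverse leg of the same tunnel
    Flow("10.10.1.20", "203.0.113.50", 443, 5_000),      # web -> unknown external host
    Flow("10.10.1.20", "198.51.100.10", 443, 3_000),     # web -> allowlisted mirror
    Flow("10.10.2.30", "10.10.2.31", 1433, 10_000),      # expected DB -> replica
]


def audit_flows(flows, allowed_peers=ALLOWED_PEERS, egress_allow=EGRESS_ALLOW):
    """Return one finding per flow that violates the segmentation or egress policy."""
    findings = []
    for f in flows:
        if ipaddress.ip_address(f.dst) in INTERNAL:
            if f.dst not in allowed_peers.get(f.src, set()):
                findings.append({"kind": "internal_peer_not_allowed", **f._asdict()})
        else:
            if f.dst not in egress_allow.get(f.src, set()):
                findings.append({"kind": "egress_not_allowed", **f._asdict()})
    return findings


def suspect_tunnels(findings):
    """Pair internal-peer violations seen in both directions: likely a relay or tunnel."""
    seen = {(x["src"], x["dst"]) for x in findings if x["kind"] == "internal_peer_not_allowed"}
    return {frozenset(pair) for pair in seen if (pair[1], pair[0]) in seen}


def bytes_by_source(findings):
    """Sum bytes sent on violating flows per source host, to rank what to look at first."""
    totals = {}
    for x in findings:
        totals[x["src"]] = totals.get(x["src"], 0) + x["bytes_out"]
    return totals


if __name__ == "__main__":
    found = audit_flows(SAMPLE_FLOWS)
    for x in found:
        print(f"{x['kind']}: {x['src']} -> {x['dst']}:{x['dport']} ({x['bytes_out']} bytes)")
    for pair in suspect_tunnels(found):
        print("possible tunnel between", " and ".join(sorted(pair)))
    print("violating bytes per source:", bytes_by_source(found))
```

Two design choices matter here. First, the policy is default deny: a host missing from the map gets no peers and no egress, which is the Zero Trust posture the list recommends and means a newly compromised server that starts talking to its neighbours shows up immediately. Second, the tunnel check looks for the same unexpected pair in both directions, because a relay between an internet-exposed server and an isolated machine is exactly the shape the report describes. The external allowlist is what surfaces an implant quietly fetching its instructions from a public platform such as GitHub: the destination is legitimate, but a database or web server has no business reaching it.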
What’s Next: Espionage Powered by AI
The PassiveNeuron case reflects the evolution of cyber espionage. Advanced groups now combine AI, automation, and abuse of legitimate infrastructure to stay hidden.
These hybrid operations are especially dangerous—mixing technology, social engineering, and trust manipulation in systems once considered secure.
Conclusion
PassiveNeuron confirms a trend we’ve observed at TecnetOne: modern attacks go beyond data theft. They aim to control networks from the inside, using legitimate tools and invisible tactics.
Digital espionage is no longer a state-only issue. Today, any organization with exposed servers or strategic data could be a target.
Defense isn’t just about technology—it’s about visibility, intelligence, and continuous prevention. In this landscape, cyber resilience must be built daily, anticipating threats before they reach your door.