A new cyber-espionage operation named PassiveNeuron has triggered alarms in the cybersecurity world. According to a report by Kaspersky, this campaign has been active across regions in Asia, Africa, and Latin America, targeting government, financial, and industrial organizations. Its main goal: to infiltrate corporate networks using advanced techniques and previously unknown malware.
The first signs of PassiveNeuron emerged in November 2024, when Kaspersky detected attacks against government entities in Latin America and East Asia. Investigators discovered two previously unknown malware families, Neursite and NeuralExecutor, both showing uncommon abilities to remain hidden and adapt to the victims’ environment.
What makes this campaign especially dangerous is its level of stealth. The attackers built their command-and-control (C2) infrastructure on servers they had already compromised inside the victim networks, so C2 traffic blended into ordinary server-to-server connections and the intrusions went undetected for months.
“The attacker is able to move laterally within the infrastructure and extract information—even from machines isolated from the internet,” Kaspersky noted.
“The modular system allows each attack to be tailored to the group's objectives.”
This strategy—typical of Advanced Persistent Threats (APTs)—suggests significant resources and a well-planned offensive behind PassiveNeuron.
Between December 2024 and August 2025, Kaspersky observed a new surge of infections linked to this operation. While no group has officially claimed responsibility, some indicators suggest links to Chinese-speaking threat actors.
In one analyzed case, the attackers ran commands on a Windows server through the Microsoft SQL Server instance installed on it. How they reached that instance remains uncertain; Kaspersky's researchers outline three possible vectors:
After gaining initial access, the attackers first tried to plant an ASPX web shell, which would have let them run commands on the server through ordinary HTTP requests. When that failed, they fell back to a stealthier method: implants packaged as DLLs and dropped into the system folder, from where they were loaded.
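The two techniques just described (a web shell under the web root, then DLL implants in the system folder) are both visible on disk, which makes them good hunting targets on an exposed server. The script below is an added example, not code from Kaspersky or from the campaign: it scans a web root for ASPX pages that combine the calls a command-executing web shell needs, and compares the DLLs in a system folder against a hash baseline taken from a known-good host. The indicator patterns, directory names and sample files are constructed for the demo and are not PassiveNeuron indicators.

```python
import hashlib
import os
import re
import tempfile

# Constructed indicators (assumption, not Kaspersky IOCs): calls that an ASPX
# web shell needs to turn a request parameter into a process. Require two
# distinct hits per file so a page that merely reads Request[] is not flagged.
WEBSHELL_INDICATORS = [
    ("process_start", re.compile(rb"Process\.Start|ProcessStartInfo", re.I)),
    ("request_param", re.compile(rb"Request\s*(\[|\.Form|\.QueryString)", re.I)),
    ("shell_binary", re.compile(rb"cmd\.exe|powershell(\.exe)?", re.I)),
    ("eval", re.compile(rb"\beval\s*\(", re.I)),
]
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def sha256_file(path):
    """SHA-256 of a file, streamed so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root):
    """Return {relative path: [indicator names]} for pages with >= 2 distinct indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            matched = [label for label, rx in WEBSHELL_INDICATORS if rx.search(data)]
            if len(matched) >= 2:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = matched
    return hits


def snapshot_dlls(folder):
    """{dll name: sha256} for every DLL directly in folder; take the baseline from a clean host."""
    return {n: sha256_file(os.path.join(folder, n))
            for n in os.listdir(folder) if n.lower().endswith(".dll")}


def diff_dlls(folder, baseline):
    """Compare folder with a baseline snapshot; returns sorted (new, changed, missing) names."""
    current = snapshot_dlls(folder)
    new = sorted(set(current) - set(baseline))
    changed = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    missing = sorted(set(baseline) - set(current))
    return new, changed, missing


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Build a constructed web root and 'system folder', run both checks, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "wwwroot")
        sysdir = os.path.join(tmp, "System32")
        # Constructed benign page.
        _write(os.path.join(webroot, "default.aspx"),
               b'<%@ Page Language="C#" %><html><body>Build <%= DateTime.Now %></body></html>')
        # Constructed web shell (illustrative only): runs whatever arrives in ?cmd=.
        _write(os.path.join(webroot, "img", "cache.aspx"),
               b'<%@ Page Language="C#" %><% var psi = new System.Diagnostics.ProcessStartInfo'
               b'("cmd.exe", "/c " + Request["cmd"]); psi.RedirectStandardOutput = true; '
               b'Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd()); %>')
        # Constructed system folder: two DLLs present when the baseline was taken.
        _write(os.path.join(sysdir, "netlib.dll"), b"MZ-constructed-netlib-v1")
        _write(os.path.join(sysdir, "svcutil.dll"), b"MZ-constructed-svcutil-v1")
        baseline = snapshot_dlls(sysdir)
        # Later: one DLL dropped, one silently replaced in place.
        _write(os.path.join(sysdir, "dropped.dll"), b"MZ-constructed-implant")
        _write(os.path.join(sysdir, "netlib.dll"), b"MZ-constructed-netlib-TROJANIZED")
        new, changed, missing = diff_dlls(sysdir, baseline)
        return {"webshells": scan_webroot(webroot), "new_dlls": new,
                "changed_dlls": changed, "missing_dlls": missing}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In practice the DLL baseline should come from a golden image or from the same folder on a host you trust, and the web-shell indicators are a starting point to tune against your own application code rather than a finished signature; the point of the two-indicator threshold is to keep the false-positive rate low enough that an alert on an internet-facing server actually gets looked at.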
Kaspersky’s analysis revealed three main tools used in the campaign:
Neursite carries an embedded configuration and connects to its C2 servers over SSL/HTTPS. Because those C2 servers can be compromised hosts inside the victim network, it can reach machines that have no internet access at all. Its plugin architecture lets it download new modules on demand to execute commands, manipulate files, or open TCP tunnels.
NeuralExecutor originally carried hardcoded C2 addresses. Recent versions instead retrieve the C2 address from GitHub, using the legitimate platform as a covert "command hub": the implant's first outbound connection goes to a site that few organizations block.
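Both C2 patterns above leave traces in network logs: an internet-facing server fetching content from GitHub when it has no build role, and servers opening TLS sessions to other internal servers that do not normally terminate TLS, which is how compromised hosts relaying C2 for isolated machines would look. The script below is an added example, not Kaspersky's code and not built from real PassiveNeuron indicators; the log format, address ranges and host inventories are constructed for the demo. It also goes one step beyond the text by following flagged internal TLS hops to reconstruct a relay chain.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed inventory (assumption): internet-facing servers, the few that
# legitimately pull from GitHub (CI builders), and the internal hosts that are
# expected to accept TLS from other servers.
SERVERS = {"10.0.5.21", "10.0.5.30", "10.0.5.44", "10.0.9.40"}
GITHUB_ALLOWED = {"10.0.9.40"}
INTERNAL_TLS_SERVICES = {"10.0.1.10"}

# GitHub hostnames that return raw file content or API responses. A server
# with no build role reading these is what a GitHub dead drop looks like.
GITHUB_CONTENT_SUFFIXES = (
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
    "api.github.com",
)

# Constructed proxy/firewall export format: one connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) "
    r"port=(?P<port>\d+) proto=(?P<proto>\S+)$"
)

# Constructed sample traffic; "-" means no SNI/Host header was seen.
SAMPLE_LOG = [
    "2025-03-02T10:14:05Z src=10.0.5.21 dst=140.82.112.3 host=raw.githubusercontent.com port=443 proto=tls",
    "2025-03-02T10:14:06Z src=10.0.9.40 dst=140.82.112.3 host=api.github.com port=443 proto=tls",
    "2025-03-02T10:15:11Z src=10.0.5.21 dst=10.0.5.30 host=- port=8443 proto=tls",
    "2025-03-02T10:15:12Z src=10.0.5.21 dst=10.0.1.10 host=intranet.corp.example port=443 proto=tls",
    "2025-03-02T10:16:00Z src=10.0.7.77 dst=13.107.4.50 host=www.example.com port=443 proto=tls",
    "2025-03-02T10:16:01Z src=10.0.5.30 dst=10.0.5.44 host=- port=443 proto=tls",
]


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def relay_chains(edges):
    """Join flagged internal TLS hops a->b and b->c into chains [a, b, c]."""
    out = defaultdict(list)
    for a, b in edges:
        out[a].append(b)
    return [[a, b, c] for a, b in edges for c in out.get(b, [])]


def analyze(lines):
    """Return (findings, chains). Each finding is (ts, rule, src, target)."""
    findings, relay_edges = [], []
    for r in parse(lines):
        src, dst, host = r["src"], r["dst"], r["host"]
        if src not in SERVERS:
            continue  # workstation traffic is out of scope for these two rules
        if host.endswith(GITHUB_CONTENT_SUFFIXES) and src not in GITHUB_ALLOWED:
            findings.append((r["ts"], "github_dead_drop", src, host))
        if r["proto"] == "tls" and is_private(dst) and dst not in INTERNAL_TLS_SERVICES:
            findings.append((r["ts"], "internal_tls_relay", src, dst))
            relay_edges.append((src, dst))
    return findings, relay_chains(relay_edges)


def run_demo():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    findings, chains = run_demo()
    for f in findings:
        print(*f)
    for chain in chains:
        print("relay chain:", " -> ".join(chain))
```

Running the demo flags the GitHub fetch from 10.0.5.21, ignores the allowlisted build server, and reports the two internal TLS hops as a single chain 10.0.5.21 -> 10.0.5.30 -> 10.0.5.44, which is the shape of traffic you would expect when a compromised server is used to reach a host that cannot see the internet. The rules only work if you actually maintain the inventories; the hard part in a real deployment is the list of internal hosts that legitimately serve TLS to other servers.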
What sets PassiveNeuron apart is its focus on internet-exposed servers rather than regular workstations. These machines often host critical data or act as entry points to internal systems.
“Servers are high-value APT targets,” Kaspersky researchers explain.
“They enable lateral movement, data collection, and long-term persistence without detection.”
This approach echoes state-sponsored espionage tactics—focused not on destruction, but long-term, invisible data exfiltration.
PassiveNeuron’s infrastructure is decentralized and resilient. It can operate across:
This makes the infrastructure hard to detect and block without disrupting normal operations. In addition, by chaining compromised hosts together as relays, the malware builds a private overlay network inside the target environment, so data can be pulled even from machines that have no direct route to the internet.
Attacks like PassiveNeuron highlight the need for proactive, segmented cybersecurity strategies. At TecnetOne, we recommend:
The PassiveNeuron case reflects the evolution of cyber espionage. Advanced groups now combine AI, automation, and abuse of legitimate infrastructure to stay hidden.
These hybrid operations are especially dangerous—mixing technology, social engineering, and trust manipulation in systems once considered secure.
PassiveNeuron confirms a trend we’ve observed at TecnetOne: modern attacks go beyond data theft. They aim to control networks from the inside, using legitimate tools and invisible tactics.
Digital espionage is no longer a state-only issue. Today, any organization with exposed servers or strategic data could be a target.
Defense isn’t just about technology—it’s about visibility, intelligence, and continuous prevention. In this landscape, cyber resilience must be built daily, anticipating threats before they reach your door.