Full Report
Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky. The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using
Analysis Summary
# Threat Actor: PassiveNeuron APT
## Attribution & Identity
* **Name:** PassiveNeuron APT
* **Attribution:** Currently unattributed, but some signs point towards being the work of Chinese-speaking threat actors.
* **Aliases/Groups:** Described as a new campaign/APT operator by Kaspersky.
## Activity Summary
* **Initial Discovery:** First flagged by Kaspersky in November 2024, when it reported attacks aimed at government entities in Latin America and East Asia in June (the year is not stated in the source; context suggests 2024).
* **Campaign Duration:** Observed activity from June through November 2024, with a fresh wave of infections noted from December 2024 through August 2025.
* **Operational Characteristics:** High level of sophistication, leveraging already compromised internal servers as intermediate Command and Control (C2) infrastructure. They are capable of lateral movement and data exfiltration, even extracting data from internet-isolated machines using optional virtual networks.
* **Focus:** The campaign has been distinctive in primarily targeting server machines exposed to the internet.
## Tactics, Techniques & Procedures
* **Initial Access (Potential):** Gained initial remote command execution on Windows Server via Microsoft SQL, possibly through brute-forcing admin credentials, SQL injection, or an unknown vulnerability, followed by an attempt to deploy an ASPX web shell.
* **Delivery:** After the web shell deployment failed, the attackers delivered advanced implants via a series of DLL loaders placed in the System32 directory.
* **Lateral Movement:** Able to move laterally through the infrastructure.
* **Evasion/C2:** Leveraged compromised internal servers as intermediate C2 infrastructure. Uses a plugin-based approach for dynamic adaptation.
* **Data Exfiltration:** Capable of stealing files of interest from air-gapped systems via virtual networks.
* **Malware Usage:** Deployed bespoke malware families Neursite and NeuralExecutor.
* **Third-Party Tools:** Utilized Cobalt Strike.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text.
## Targeting
* **Sectors:** Government, financial, and industrial organizations.
* **Geography:** Asia, Africa, and Latin America (specifically noted targets in Latin America and East Asia).
* **Victims:** Government entities in Latin America and East Asia.
## Tools & Infrastructure
* **Malware Families:**
  * **Neursite:** Bespoke C++ modular backdoor. Uses embedded configuration and protocols (TCP, SSL, HTTP, HTTPS) to communicate with C2. Supports gathering system information, managing processes, proxying traffic, and fetching plugins for command execution, file system management, and socket operations.
  * **NeuralExecutor:** Bespoke .NET implant used to download and execute additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets.
  * **Cobalt Strike:** Legitimate adversary simulation tool used alongside the implants.
* **Infrastructure:**
  * Uses compromised internal servers for intermediate C2.
  * **C2 Resolution Change:** Older variants retrieved C2 addresses from their embedded configuration; newer artifacts reach out to a **GitHub repository** to obtain C2 server addresses (used as a dead drop resolver).
## Implications
PassiveNeuron represents a highly sophisticated threat focused on critical server infrastructure, which is often the initial entry point into an organization. The group's ability to establish persistence via advanced implants, use compromised internal systems for C2, and potentially exfiltrate data from isolated networks poses a significant risk of espionage and data theft against high-value targets globally.
## Mitigations
* Harden Microsoft SQL Server instances against brute-force attacks and SQL injection, and keep the server software patched, to prevent the initial remote command execution.
* Monitor System32 directories for unauthorized DLL loader activity.
* Implement strict outbound network controls and monitor for anomalous use of TCP, SSL, HTTP, HTTPS, named pipes, and WebSockets for command and control communications.
* Monitor for internal processes making unexpected connections to GitHub, since newer artifacts fetch configuration and C2 addresses from a GitHub repository used as a dead drop resolver.
* Implement robust internal network segmentation and monitoring to detect lateral movement, especially processes utilizing virtual network creation for exfiltration.
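The two monitoring items above (unauthorized DLL loaders in System32, and internal processes fetching C2 addresses from GitHub) can be expressed as simple detection rules. The following is an added example written for this summary; it is not code from Kaspersky or from the report. It runs two rules over constructed EDR-style events (the event schema, hostnames, placeholder file names, and the allow-lists of processes that may legitimately write to System32 or contact GitHub are all assumptions), then correlates per host so that a machine on which both rules fire, matching the described chain of a DLL loader dropped in System32 followed by GitHub-based C2 resolution, stands out from single hits.

```python
"""Added example (not from the original report): detection rules for two of the
mitigations above, applied to constructed EDR-style events.

Rule 1 flags DLLs written directly into System32 by a process that is not a known
Windows servicing component. Rule 2 flags server processes contacting GitHub, which
the report describes as a dead drop resolver for C2 addresses. A final step
correlates both rules per host. Event schema, allow-lists and hostnames are assumptions."""

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Assumption: servicing/installer processes that legitimately write into System32.
TRUSTED_SYSTEM32_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}

# Assumption: processes for which GitHub traffic is expected even on a server.
GITHUB_EXPECTED_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe", "git.exe"}

GITHUB_DOMAINS = ("github.com", "githubusercontent.com")


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    process: str
    detail: str


def is_github_host(dest: str) -> bool:
    """True for github.com, githubusercontent.com and any of their subdomains."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in GITHUB_DOMAINS)


def check_system32_dll_write(ev: dict) -> Optional[Alert]:
    """Rule 1: a DLL dropped directly into System32 by a non-servicing process."""
    path = PureWindowsPath(ev["path"])
    # PureWindowsPath comparisons are case-insensitive, so mixed-case paths still match.
    if path.suffix.lower() != ".dll" or path.parent != SYSTEM32:
        return None
    if ev["process"].lower() in TRUSTED_SYSTEM32_WRITERS:
        return None
    signed = "signed" if ev.get("signed") else "unsigned"
    return Alert("system32_dll_write", ev["host"], ev["process"], f"{signed} DLL {path.name}")


def check_github_dead_drop(ev: dict) -> Optional[Alert]:
    """Rule 2: a non-browser process on a server reaching GitHub (possible dead drop resolver)."""
    if not is_github_host(ev["dest_host"]):
        return None
    if ev["process"].lower() in GITHUB_EXPECTED_PROCESSES:
        return None
    return Alert("github_dead_drop", ev["host"], ev["process"],
                 f"connected to {ev['dest_host']}:{ev['dest_port']}")


# Each event type is routed to the rule that applies to it.
RULES = {"file_write": check_system32_dll_write, "net_connect": check_github_dead_drop}


def analyze(events):
    """Apply the matching rule to every event; return the alerts raised, in event order."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["type"])
        alert = rule(ev) if rule else None
        if alert:
            alerts.append(alert)
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts on which both rules fired: the strongest signal of the described intrusion chain."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h for h, rules in by_host.items() if rules >= {"system32_dll_write", "github_dead_drop"}}


# Constructed sample events (not real telemetry); hostnames and file names are placeholders.
SAMPLE_EVENTS = [
    {"type": "file_write", "host": "srv-db01", "process": "TiWorker.exe",
     "path": r"C:\Windows\System32\kernelbase.dll", "signed": True},
    {"type": "file_write", "host": "srv-db01", "process": "sqlservr.exe",
     "path": r"c:\windows\system32\PLACEHOLDER_loader.dll", "signed": False},
    {"type": "file_write", "host": "srv-db01", "process": "sqlservr.exe",
     "path": r"C:\Program Files\Microsoft SQL Server\MSSQL\Log\ERRORLOG", "signed": False},
    {"type": "net_connect", "host": "srv-db01", "process": "msedge.exe",
     "dest_host": "github.com", "dest_port": 443},
    {"type": "net_connect", "host": "srv-db01", "process": "svchost.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"type": "net_connect", "host": "srv-web01", "process": "w3wp.exe",
     "dest_host": "api.github.com", "dest_port": 443},
    {"type": "net_connect", "host": "srv-web01", "process": "svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host} {a.process}: {a.detail}")
    print("hosts with full chain:", sorted(hosts_with_full_chain(found)))
```

On the constructed input the script raises three alerts (an unsigned DLL written into System32 by `sqlservr.exe`, and GitHub connections from `svchost.exe` and `w3wp.exe`) and reports only `srv-db01` as showing the full chain. In production the allow-lists would be derived from a baseline of the server's normal behaviour, and the System32 rule should be complemented by code-signing checks, since the report notes the loaders were placed there rather than in a user-writable location.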