Researchers Uncover PassiveNeuron APT’s Stealth Campaign Targeting Servers Globally

PassiveNeuron APT Uncovered – Neursite & NeuralExecutor Malware Target Servers Globally

Latest Cyber Espionage Update

Cybersecurity researchers at Kaspersky have disclosed a newly identified advanced persistent threat (APT), tracked as PassiveNeuron, whose activity has been observed since at least December 2024 and was still ongoing as of August 2025. The campaign has compromised servers in Asia, Africa and Latin America, using this high-value infrastructure for espionage and data exfiltration. [1]

Key Findings of the PassiveNeuron Campaign

  • PassiveNeuron concentrates on server machines, especially those exposed to the internet, and uses them as footholds for deeper intrusion and lateral movement. [1]
  • In at least one case, initial access was gained through a Microsoft SQL Server instance on a Windows server; brute force, SQL injection or an unknown vulnerability are suspected, but the exact vector has not been confirmed. [1]
  • The malware stack comprises:
    • Neursite: a bespoke modular C++ backdoor that communicates over TCP, SSL or HTTP(S) and supports system-information collection, process control and proxying of traffic through infected hosts. [1]
    • NeuralExecutor: a .NET implant that downloads additional .NET payloads over TCP, HTTP(S), named pipes or WebSockets and executes them. [1]
    • Cobalt Strike, a commercial red-team framework widely abused by threat actors, for post-exploitation operations and obfuscation. [1]
  • In a shift of tactics, recent NeuralExecutor variants retrieve their C2 server address from a public GitHub repository, turning the legitimate platform into a “dead-drop resolver”: the implant carries no hard-coded C2 address, so blocking or sinkholing a known server does not cut the operator off. [1]
  • The threat actor uses compromised internal servers as intermediate command-and-control nodes, building a virtual network inside the victim environment through which it can steal files even from machines with no direct internet access. [1]

Why This Campaign Is Significant

  • Stealthy Infrastructure Use: by repurposing already compromised internal servers as C2 relays, PassiveNeuron keeps most implant traffic inside the network. Only the relay talks to the internet, so per-host egress monitoring and reputation-based blocking see a single innocuous-looking connection rather than a fleet of beacons.
  • Server-Focused Targeting: internet-exposed servers are both reachable from outside and trusted by the rest of the estate, so a single compromise yields a foothold with high-value data and ample lateral-movement opportunities.
  • Adaptable Malware Stack: the modular architecture (backdoor, downloader and out-of-band C2 lookup) lets the operator swap payloads and infrastructure without redeploying the implant.
  • Wide Geographic Footprint: targets span Asia, Africa and Latin America, indicating broad operational reach and potentially strategic intent.
  • Unknown Attribution: Chinese-speaking activity is suspected, but no definitive public attribution exists at this stage. [1]

What Organisations Should Do

  1. Audit Public-Facing Servers: inventory every internet-exposed service (SQL Server, IIS, RDP, SMB) and question whether it needs to be exposed at all; database, RDP and SMB endpoints rarely do. Whatever remains must be patched, hardened and monitored for anomalous outbound connections, since a server initiating traffic it never used to is often the first visible sign of an implant like Neursite.
  2. Deploy Egress Monitoring & Internal Segmentation: constrain lateral movement with network segmentation and explicit egress rules so that only designated proxies may reach the internet. With that baseline in place, any other server talking outbound, or accepting proxy-like connections from internal peers, stands out.
  3. Detect Unusual Downloaders & C2 Patterns: look for server processes (sqlservr.exe, w3wp.exe, unfamiliar .NET hosts) contacting GitHub domains such as raw.githubusercontent.com or api.github.com, and for newly loaded .NET assemblies on servers that do not host .NET applications. Blocking GitHub outright is rarely practical; allow-listing the processes and hosts that legitimately need it and alerting on everything else is.
  4. Implement Threat Hunting for Proxying Behaviour: since infected hosts are used as proxies, look for internal machines with an unusual fan-in of connections from other internal hosts on non-standard ports combined with outbound connections to the internet, and investigate any such relay that is not a sanctioned proxy or gateway.
  5. Harden Credentials & Access Controls: use strong, unique credentials on servers (for SQL Server, disable or rename the sa account, prefer Windows authentication and enable failed-login auditing) and alert on bursts of failed logins, SQL-injection patterns in web and database logs, and other initial-access indicators.
  6. Validate Incident Response Readiness: given the sophistication involved, ensure the IR playbook covers multi-stage intrusions, lateral spread and custom backdoor implants, and that it includes pulling a compromised server's connection history so that downstream relays are found rather than just the first host.
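The two hunts from steps 3 and 4, and the dead-drop and relay behaviour described under Key Findings, can be prototyped over network telemetry. The script below is an added example written for this page; it is not Kaspersky's or the page's own code. The log lines are constructed, the field names follow a generic CSV export rather than any specific product, and the GitHub hostnames, allow-listed processes, expected server ports, sanctioned proxy address and fan-in threshold are assumptions to be tuned per estate.

```python
"""Two hunts over constructed sample telemetry: (1) a server-side process fetching
from GitHub, the dead-drop resolver pattern NeuralExecutor uses to obtain its C2
address, and (2) an internal host acting as a relay for several internal peers
while also talking to the internet, the pattern of a compromised server reused as
intermediate C2. Log field names, thresholds and allow-lists are assumptions."""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed process-level egress log (the shape an EDR or proxy might export).
EGRESS_LOG = """\
ts,host,process,dst_host,dst_port
2025-08-01T09:00:01Z,SQL01,sqlservr.exe,raw.githubusercontent.com,443
2025-08-01T09:00:02Z,BUILD01,git.exe,github.com,443
2025-08-01T09:03:17Z,WEB02,w3wp.exe,api.github.com,443
2025-08-01T09:05:40Z,WS-015,chrome.exe,raw.githubusercontent.com,443
2025-08-01T09:06:00Z,SQL01,sqlservr.exe,update.microsoft.com,443
"""

# Constructed internal flow records (NetFlow / firewall style). 10.1.0.5 is the
# planted relay; 10.1.0.9 is a file server; 10.1.0.20 is the sanctioned proxy.
FLOW_LOG = """\
ts,src_ip,dst_ip,dst_port
2025-08-01T10:00:00Z,10.1.2.11,10.1.0.5,8443
2025-08-01T10:00:05Z,10.1.2.12,10.1.0.5,8443
2025-08-01T10:00:09Z,10.1.3.7,10.1.0.5,8443
2025-08-01T10:00:10Z,10.1.0.5,203.0.113.10,443
2025-08-01T10:01:00Z,10.1.2.11,10.1.0.9,445
2025-08-01T10:01:02Z,10.1.2.12,10.1.0.9,445
2025-08-01T10:01:03Z,10.1.3.7,10.1.0.9,445
2025-08-01T10:02:00Z,10.1.0.20,198.51.100.7,443
"""

GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                "gist.githubusercontent.com", "objects.githubusercontent.com"}
# Processes with a legitimate reason to reach GitHub; tune per estate (assumption).
GITHUB_ALLOWED_PROCESSES = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Ports on which many internal peers legitimately fan in to a server (assumption).
EXPECTED_SERVER_PORTS = {53, 80, 88, 135, 389, 443, 445, 636, 1433, 3268, 3389}
# Hosts that are supposed to relay internal traffic to the internet (assumption).
KNOWN_PROXIES = {"10.1.0.20"}
MIN_FANIN = 3  # distinct internal peers before a host counts as a relay

# RFC 1918 ranges checked explicitly: ipaddress.is_private would also match the
# TEST-NET documentation addresses used as "internet" hosts in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def dead_drop_candidates(log_text):
    """Return (host, process, dst) for GitHub fetches by non-allow-listed processes."""
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        if (row["dst_host"].lower() in GITHUB_HOSTS
                and row["process"].lower() not in GITHUB_ALLOWED_PROCESSES):
            hits.append((row["host"], row["process"], row["dst_host"]))
    return hits

def proxy_candidates(flow_text):
    """Return hosts that collect >= MIN_FANIN internal peers on unexpected ports
    and also originate connections to non-internal addresses."""
    fan_in = defaultdict(set)        # dst -> internal sources on unexpected ports
    external_out = defaultdict(set)  # src -> external destinations
    for row in csv.DictReader(StringIO(flow_text)):
        src, dst, port = row["src_ip"], row["dst_ip"], int(row["dst_port"])
        if is_internal(src) and is_internal(dst):
            if port not in EXPECTED_SERVER_PORTS:
                fan_in[dst].add(src)
        elif is_internal(src):
            external_out[src].add(dst)
    hits = []
    for host, peers in sorted(fan_in.items()):
        if host in KNOWN_PROXIES or len(peers) < MIN_FANIN or host not in external_out:
            continue
        hits.append({"relay": host,
                     "internal_peers": sorted(peers),
                     "external_dsts": sorted(external_out[host])})
    return hits

if __name__ == "__main__":
    for hit in dead_drop_candidates(EGRESS_LOG):
        print("dead-drop candidate:", hit)
    for hit in proxy_candidates(FLOW_LOG):
        print("relay candidate:", hit)
```

On the sample data the first hunt flags SQL01 (sqlservr.exe) and WEB02 (w3wp.exe) but not the build server's git.exe or the workstation browser; the second flags 10.1.0.5, which is contacted by three internal peers on 8443 and then talks to 203.0.113.10, while the file server on port 445 and the sanctioned proxy are ignored. The allow-lists are what keep the false-positive rate tolerable, so review them as carefully as the detections themselves.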

Conclusion

The discovery of PassiveNeuron highlights a class of APT campaigns that emphasise server attack paths, internal proxy infrastructure and adaptive C2 retrieval. Organisations must extend their defences beyond endpoint protection to server hardening, network egress control, telemetry for unusual proxy chains and threat hunting across internal machines. Vigilance and proactive modelling of attacker tactics remain essential in 2025.

References

  1. Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware – The Hacker News, Oct 22 2025.
  2. A Comprehensive Survey of Advanced Persistent Threat Attribution: Taxonomy, Methods, Challenges and Open Research Problems – arXiv, Sep 2024.
