Kaspersky Uncovers PassiveNeuron Cyberespionage Campaign Targeting Windows Server Systems Across Three Continents
Kaspersky’s Global Research and Analysis Team (GReAT) has identified a sophisticated cyberespionage campaign, dubbed PassiveNeuron, targeting Windows Server machines within government, financial, and industrial organizations across Asia, Africa, and Latin America.
According to Kaspersky researchers, the campaign has been active since December 2024, continuing through August 2025, and recently resurfaced after a six-month hiatus. The threat actors behind PassiveNeuron are leveraging a toolkit comprising three main components — two of which were previously unknown — to infiltrate and persist within targeted networks. These include Neursite, a modular backdoor; NeuralExecutor, a .NET-based implant; and Cobalt Strike, a widely known penetration testing framework frequently misused by threat actors.
> “PassiveNeuron stands out for its focus on compromising servers, which are often the backbone of organizational networks,” said Georgy Kucherin, Security Researcher at GReAT, Kaspersky. “Servers exposed to the Internet are particularly attractive targets for advanced persistent threat (APT) groups, as a single compromised host can provide access to critical systems. It is therefore essential to minimize their attack surface and continuously monitor server applications to detect and stop potential infections.”
Advanced Toolset and False Flag Artifacts
Kaspersky’s analysis revealed that Neursite is capable of collecting system information, managing processes, and routing network traffic through compromised hosts — allowing lateral movement within an organization’s infrastructure. The malware communicates with both external command-and-control (C2) servers and compromised internal systems to maintain persistence.
Meanwhile, NeuralExecutor serves as a loader for additional payloads. It supports multiple communication methods and can execute .NET assemblies received from its C2 server, providing attackers with flexible control over infected environments.
Interestingly, researchers noted that function names contained Cyrillic strings, likely inserted intentionally by the attackers to mislead attribution efforts. Based on observed tactics, techniques, and procedures (TTPs), Kaspersky assesses with low confidence that the operation may be linked to a Chinese-speaking threat actor.
Kaspersky had previously tracked PassiveNeuron activity in early 2024, identifying it as a highly sophisticated APT campaign targeting high-value infrastructure.
Recommendations for Organizations
To reduce the risk of compromise from known or emerging APT threats, Kaspersky recommends organizations take the following proactive measures:
Enhance threat intelligence capabilities: Equip SOC teams with up-to-date intelligence via the Kaspersky Threat Intelligence Portal, which provides over two decades of data and insights on global cyberattacks.
Invest in team training: Strengthen cybersecurity expertise with Kaspersky online training, developed by GReAT experts.
Implement endpoint detection and response (EDR): Use advanced tools such as Kaspersky Endpoint Detection and Response to detect, investigate, and remediate incidents in real time.
Adopt network-level defense solutions: Deploy the Kaspersky Anti Targeted Attack Platform for early detection of sophisticated network intrusions.
Build a security-aware culture: Educate employees about phishing and social engineering risks through the Kaspersky Automated Security Awareness Platform.
Further details about the PassiveNeuron campaign are available on Securelist.com.