PassiveNeuron Targets High-Profile Servers to Deploy Malware

A sophisticated cyberespionage campaign dubbed PassiveNeuron has emerged from the shadows after months of dormancy, with security researchers uncovering fresh details about its operations and attack methods.

The campaign, first detected in June 2024, has resurfaced with renewed vigor, targeting government, financial and industrial organizations across Asia, Africa and Latin America with previously unknown malware implants.

Security researchers have identified that PassiveNeuron attackers are primarily exploiting Microsoft SQL servers to gain initial access to target networks.

The campaign demonstrates a clear preference for compromising Windows Server machines, leveraging vulnerabilities in SQL software or brute-forcing database administration credentials to execute malicious commands.

Once inside, the attackers deploy ASPX web shells to maintain their foothold, though security solutions have frequently disrupted these early-stage deployment attempts.

The adversary's tenacity is apparent in how it responded to detection: each time a web shell was blocked, the attackers modified the deployment technique and tried again.

They switched between Base64 and hexadecimal encoding of the payload, moved from PowerShell to VBS scripts, and wrote the web shell to disk line by line to evade security products.

Custom Malware Arsenal

The PassiveNeuron campaign employs three distinct malicious implants: Neursite, NeuralExecutor, and the commercial Cobalt Strike framework.

Neursite, a custom C++ modular backdoor, stands out as the most sophisticated weapon in the arsenal. The implant features an extensive configuration system that includes multiple C2 servers, HTTP proxy support, and even scheduled operational windows based on specific hours and days of the week.

Its plugin architecture enables attackers to dynamically load additional capabilities for shell command execution, file system management and TCP socket operations.

NeuralExecutor, the second custom implant, is a .NET-based loader protected by the ConfuserEx obfuscator. This tool specializes in receiving and executing additional .NET payloads from command-and-control servers, using multiple communication protocols including TCP, HTTP/HTTPS, named pipes, and WebSockets.

The latest versions discovered in 2025 incorporate the Dead Drop Resolver technique, retrieving C2 addresses from GitHub repositories to complicate detection efforts.

Both implants are deployed through an elaborate chain of DLL loaders, with the first-stage DLLs artificially inflated to over 100 MB in size to hinder analysis.

The loaders achieve persistence through Phantom DLL Hijacking: a DLL is placed in the System32 directory under the name of a library that a legitimate system component tries to load at startup but that is not normally present, so the malicious DLL is loaded in its place each time the system boots.

Critically, these loaders check the host's MAC address before proceeding, so the payload runs only on the intended victim machine and stays inert in a sandbox or on an analyst's workstation.
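A simple static triage check for the inflated first-stage DLLs described above: a linker-produced PE image ends where its last section's raw data ends, so tens of megabytes of trailing bytes that no section header accounts for is the footprint of deliberate padding. The following Python is an added example written for this article, not code from the researchers or from the malware; the thresholds are assumptions following the "over 100 MB" figure, and build_fake_pe constructs a synthetic test file rather than using a real sample.

```python
import struct

SECTION_HEADER_SIZE = 40


def pe_overlay_info(data: bytes) -> dict:
    """Measure how much of a PE file lies beyond the last byte any section header claims.

    A genuine image ends at the end of its last section's raw data, give or take a
    small overlay (an Authenticode signature, installer data). A huge unclaimed tail
    is how a loader gets to 100 MB without having 100 MB of code.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + size_of_optional

    declared_end = section_table + num_sections * SECTION_HEADER_SIZE  # at least the headers
    for i in range(num_sections):
        off = section_table + i * SECTION_HEADER_SIZE
        # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, off + 16)
        declared_end = max(declared_end, ptr_to_raw + size_of_raw)

    overlay = max(0, len(data) - declared_end)
    return {
        "file_size": len(data),
        "declared_size": declared_end,
        "overlay_bytes": overlay,
        "overlay_ratio": overlay / len(data) if data else 0.0,
    }


def is_inflated(data: bytes, min_overlay: int = 100 << 20, min_ratio: float = 0.5) -> bool:
    """Flag files whose unclaimed tail is both large in absolute terms and most of the file.

    Defaults are assumptions following the report's ">100 MB" observation. The absolute
    floor keeps signed binaries (overlays of a few KB) out; the ratio keeps large genuine
    installers (big sections, modest tail) out.
    """
    info = pe_overlay_info(data)
    return info["overlay_bytes"] >= min_overlay and info["overlay_ratio"] >= min_ratio


def build_fake_pe(payload: bytes, padding: int) -> bytes:
    """Construct a minimal, structurally valid (not loadable) PE32+ DLL for testing.

    One .text section holds `payload`; `padding` zero bytes follow it, which is exactly
    the shape of an inflated loader. Constructed test input, not a real sample.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    optional = struct.pack("<H", 0x20B) + b"\0" * 238             # PE32+ magic, rest zeroed
    headers_len = 0x200                                           # file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), headers_len, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + optional + section
    headers += b"\0" * (headers_len - len(headers))
    return headers + payload + b"\0" * padding


if __name__ == "__main__":
    sample = build_fake_pe(b"\x90" * 4096, 8 << 20)
    print(pe_overlay_info(sample), is_inflated(sample, min_overlay=1 << 20))
```

Run pe_overlay_info over the DLLs in System32 (the directory the report names for the phantom-hijacked loaders) and sort by overlay_bytes: a file whose section map covers a few hundred KB while the file is over 100 MB deserves a closer look. Treat it as a triage signal rather than a verdict, since self-extracting installers also carry large overlays.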

While attribution remains challenging due to potential false flags, researchers have identified several indicators pointing toward Chinese-speaking threat actors.

The 2025 NeuralExecutor samples employ a configuration retrieval method from GitHub that closely resembles techniques used in the EastWind campaign, previously linked to APT31 and APT27 groups. Additionally, investigators discovered a malicious DLL with a PDB path referenced in previous reports about APT41 activities.

Interestingly, early 2024 samples contained Russian-language strings reading “Супер обфускатор” (“Super obfuscator”), which researchers treat cautiously as a potential false flag. These strings are absent from the 2025 versions, suggesting the attackers refined their operational security.

Six-Month Silence Broken

After its initial discovery in June 2024, PassiveNeuron went silent for approximately six months before re-emerging in December 2024.

This new wave of infections has continued through August 2025, demonstrating the threat actor’s persistence and commitment to their espionage objectives.

The campaign’s targeted nature is evident in its use of MAC address filtering and server-specific deployment strategies, indicating intelligence gathering against specific high-value organizations rather than opportunistic attacks.

Security experts emphasize that organizations must prioritize server protection, particularly for internet-facing machines that serve as potential entry points.

Hardening Microsoft SQL Server against the initial-access methods described above (patching known vulnerabilities and enforcing strong credentials for database administration accounts), maintaining vigilant monitoring of server applications, and deploying comprehensive web shell detection capabilities are essential steps for defending against PassiveNeuron and similar advanced persistent threats.
