Kaspersky identifies PassiveNeuron сyberespionage сampaign targeting Windows Server machines

After six months of inactivity, PassiveNeuron has resumed operations, using three main tools - two of which were previously unknown - to gain and maintain access to targeted networks.

These tools are:

• Neursite, a modular backdoor; 
• NeuralExecutor, a .NET-based implant; 
• Cobalt Strike, a penetration testing framework often used by threat actors.

The Neursite backdoor can collect system information, manage running processes and route network traffic through compromised hosts, enabling lateral movement within a network. Samples were found communicating with both external command-and-control servers and compromised internal systems.

NeuralExecutor is designed to deliver additional payloads. The implant supports multiple communication methods and can load and execute .NET assemblies received from its command-and-control server.

“PassiveNeuron stands out for its focus on compromising servers, which are often the backbone of organizational networks,” said Georgy Kucherin, GReAT Security Researcher. “Servers exposed to the Internet are particularly attractive targets for advanced persistent threat (APT) groups, as a single compromised host can provide access to critical systems. It is therefore essential to minimize the attack surface related to them and continuously monitor server applications to detect and stop potential infections.”

In samples observed by GReAT, the function names were replaced with strings containing cyrillic characters, apparently introduced intentionally by the attackers. Such artifacts require careful evaluation during attribution, as they may function as false flags designed to misdirect analysts. Based on the tactics, techniques and procedures observed, Kaspersky assesses with low confidence that the campaign is likely associated with a Chinese-speaking threat actor. Earlier in 2024, Kaspersky researchers had already detected activity from PassiveNeuron and described the campaign as exhibiting a high level of sophistication.

More information is available in a report on Securelist.com

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

• Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
• Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
• For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
• As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform

About the Global Research & Analysis Team

Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.