A sophisticated cyberespionage campaign dubbed PassiveNeuron has resurfaced with infections targeting government, financial, and industrial organizations across Asia, Africa, and Latin America.
First detected in 2024, the campaign remained dormant for six months before re-emerging in December 2024, with the latest infections observed as recently as August 2025.
The threat involves deploying previously unknown advanced persistent threat implants named Neursite and NeuralExecutor, alongside the Cobalt Strike framework, to compromise Windows Server machines.
The attackers primarily exploit Microsoft SQL servers to gain initial remote command execution on target systems. Once access is obtained through SQL vulnerabilities, injection flaws, or compromised database credentials, the threat actors attempt to deploy ASPX web shells for sustained access.
However, the deployment has proven challenging, with security solutions frequently blocking their attempts. Attackers have adapted by using Base64 and hexadecimal encoding, switching between PowerShell and VBS scripts, and writing payloads line-by-line to evade detection.
Securelist researchers identified that the campaign employs a sophisticated multi-stage infection chain, with malicious implants loaded through DLL loaders.
The first-stage loaders are strategically placed in the System32 directory with names like wlbsctrl.dll, TSMSISrv.dll, and oci.dll, exploiting the Phantom DLL Hijacking technique to achieve automatic persistence upon startup.
These DLLs are artificially inflated to exceed 100 MB by adding junk overlay bytes, making them difficult for security solutions to detect.
The loaders incorporate advanced anti-analysis mechanisms, including MAC address validation to ensure execution only on intended victim machines.
The first-stage loader iterates through installed network adapters, calculating a 32-bit hash of each MAC address and comparing it against hardcoded configuration values.
If no match is found, the loader exits immediately, preventing execution in sandbox environments and confirming the highly targeted nature of this campaign.
Multi-Stage Payload Delivery
The PassiveNeuron infection chain follows a complex four-stage loading process. After the first-stage loader validates the target machine, it loads a second-stage DLL from disk with file sizes exceeding 60 MB.
This second-stage loader opens a text file containing the third-stage loader as Base64-encoded, AES-encrypted data. The third-stage payload launches a fourth-stage shellcode loader inside a legitimate process such as WmiPrvSE.exe or msiexec.exe, created in suspended mode.
The Neursite backdoor represents the most potent final-stage implant, featuring modular capabilities for system reconnaissance, process management, lateral movement, and file operations.
Attribution analysis points toward Chinese-speaking threat actors, supported by Dead Drop Resolver techniques via GitHub repositories and tactics associated with APT31, APT27, and potentially APT41 groups.