Kaspersky Uncovers PassiveNeuron Cyberespionage Campaign Targeting Key Sectors

The resurfaced PassiveNeuron cyberespionage campaign uses new stealth tools to infiltrate key sectors, raising global concerns over digital security resilience.

Cybersecurity firm Kaspersky has revealed details of an active and evolving cyberespionage campaign, dubbed PassiveNeuron, targeting Windows Server systems in government, financial, and industrial organizations across Asia, Africa, and Latin America. The operation, tracked by Kaspersky’s Global Research and Analysis Team (GReAT), has been ongoing since December 2024 and resurfaced in August 2025 after several months of dormancy.

A Sophisticated Global Campaign

The PassiveNeuron cyberespionage campaign employs a stealthy and modular approach, leveraging three core tools, including two newly discovered ones, to gain persistence and move laterally within compromised networks.
The tools include:

  • Neursite: a modular backdoor that collects system information, manages running processes, and reroutes network traffic through hijacked servers.

  • NeuralExecutor: a .NET-based implant capable of downloading and executing additional payloads from remote command-and-control (C2) servers.

  • Cobalt Strike: a legitimate penetration testing toolkit that’s often repurposed by advanced persistent threat (APT) groups for post-exploitation.

“These tools are specifically designed to compromise servers, the backbone of organizational networks,” said Georgy Kucherin, Security Researcher at GReAT.


Servers exposed to the Internet are particularly attractive to attackers because a single breach can provide access to critical systems. Reducing attack surfaces and continuously monitoring server applications is essential to stop potential infections.

-Georgy Kucherin

Technical Findings and Attribution Challenges

According to Kaspersky’s technical report, Neursite and NeuralExecutor exhibit complex modular structures and are capable of communicating with both external and internal systems, indicating a hybrid command structure designed for resilience.

Interestingly, the researchers noted that function names within NeuralExecutor were replaced with Cyrillic characters, possibly as false flags to obscure the attackers’ true origins. While linguistic artifacts might suggest links to Eastern Europe, Kaspersky’s analysis indicates with low confidence that the campaign may be associated with a Chinese-speaking threat actor.

The activity mirrors previous PassiveNeuron behavior first spotted by Kaspersky in early 2024, which was also marked by high technical sophistication and operational discipline, typical of state-aligned espionage groups.

Targets and Impact

PassiveNeuron primarily targets Windows Server environments, focusing on government institutions, financial systems, and industrial control networks, areas where server-level compromise can yield extensive access to sensitive data and network operations.

Analysts believe that the campaign’s multi-regional footprint, spanning Asia, Africa, and Latin America, may reflect efforts to gather geopolitical intelligence or monitor international financial flows.

This resurgence after six months of inactivity shows that the group behind PassiveNeuron is adapting its tactics while keeping its infrastructure active.

-Kaspersky report

Defensive Recommendations

To protect against such targeted cyberespionage campaigns, Kaspersky recommends a multi-layered cybersecurity strategy:

  1. Equip SOC teams with up-to-date threat intelligence (TI) to stay ahead of emerging tactics and indicators of compromise.

  2. Use Endpoint Detection and Response (EDR) solutions, such as Kaspersky Endpoint Detection and Response, for early detection and containment.

  3. Adopt network-level defense tools, like the Kaspersky Anti Targeted Attack Platform, to identify advanced threats at early stages.

  4. Invest in employee cybersecurity training, especially against phishing and social engineering attacks — common entry points for such campaigns.

  5. Regularly update and patch server systems to minimize exploitable vulnerabilities.

Kaspersky’s report also emphasizes the importance of security awareness programs and continuous upskilling for IT and cybersecurity teams to counter the evolving sophistication of APT groups.

A Persistent Threat Landscape

The discovery of PassiveNeuron highlights the increasing complexity of cyberespionage operations that blend new tools with old infrastructures, making attribution and mitigation more challenging.

As global digital systems expand, critical infrastructure and government networks remain prime targets for long-term intelligence-gathering efforts. The report concludes that while PassiveNeuron may not yet have achieved large-scale disruption, its persistence indicates a broader shift toward stealthier, server-focused espionage operations.

More details on Kaspersky’s findings can be found in the full report on Securelist.com.

Rizwana Omer
