Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware
Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky. The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using
AI Analysis
Technical Summary
PassiveNeuron is an advanced persistent threat (APT) campaign identified by Kaspersky in late 2024, targeting government, financial, and industrial sectors primarily across Asia, Africa, and Latin America. The threat actors deploy two bespoke malware families: Neursite, a modular C++ backdoor capable of system reconnaissance, process management, traffic proxying, and plugin-based extension; and NeuralExecutor, a .NET implant designed to download and execute additional payloads over multiple transports, including TCP, HTTP/HTTPS, named pipes, and WebSockets. The campaign also uses Cobalt Strike, a legitimate penetration testing framework frequently abused by attackers for post-exploitation.

Initial access appears to be gained through compromised Microsoft SQL Server instances, potentially via brute force attacks, SQL injection vulnerabilities, or as yet unknown server software flaws. The attackers first attempt to deploy ASPX web shells and fall back to DLL loaders placed in the System32 directory when that fails. The malware communicates with command-and-control (C2) servers over TCP, SSL, HTTP, and HTTPS, and newer variants use a dead drop resolver technique, retrieving C2 addresses from GitHub repositories, which makes the C2 channel harder to spot. The attackers also use already compromised internal servers as intermediate C2 nodes, building a virtual network that enables lateral movement and data exfiltration even from machines with no direct internet access. Neursite's plugin-based architecture lets the operators adapt the implant to their needs on the fly, increasing operational flexibility.

The campaign has been ongoing since at least June 2024, with renewed infection waves through August 2025. Attribution remains unconfirmed but leans toward Chinese-speaking actors. The focus on server machines, especially those exposed to the internet, underscores the strategic intent to establish persistent footholds within critical infrastructure environments.
Potential Impact
For European organizations, the PassiveNeuron campaign represents a significant espionage threat, particularly to government, financial, and industrial sectors that rely heavily on Microsoft SQL Server and maintain internet-facing server infrastructure. Successful compromise could lead to unauthorized access, lateral movement within networks, data exfiltration, and long-term persistence, undermining confidentiality, integrity, and availability of critical systems. The use of advanced evasion techniques such as leveraging compromised internal servers as C2 proxies and dead drop resolvers complicates detection and response efforts. Given Europe's interconnected infrastructure and reliance on digital services, such intrusions could disrupt operations, damage reputations, and expose sensitive information. Although no direct attacks have been reported in Europe yet, the campaign's targeting profile and malware capabilities suggest European entities with similar technological footprints are at risk. The potential for attackers to create virtual networks to access isolated systems further exacerbates the threat, potentially bypassing traditional network segmentation controls.
Mitigation Recommendations
European organizations should implement targeted hardening of Microsoft SQL Server instances, including enforcing strong, complex passwords and multi-factor authentication to prevent brute force attacks. Regularly patch and update SQL Server software and associated applications to remediate known vulnerabilities and reduce attack surface. Deploy advanced network monitoring and anomaly detection tools capable of identifying unusual lateral movement, proxying behavior, and communications with suspicious external servers, including monitoring for dead drop resolver techniques such as unexpected GitHub repository access. Restrict and segment internal server communications to limit the ability of attackers to create virtual networks and move laterally. Employ application whitelisting and integrity monitoring on critical system directories like System32 to detect unauthorized DLL loader deployments. Conduct regular threat hunting exercises focused on detecting Cobalt Strike usage and bespoke malware indicators. Enhance logging and alerting on web shell deployment attempts, particularly ASPX shells on Windows servers. Finally, establish incident response plans tailored to APT scenarios, including rapid containment and forensic analysis capabilities.
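One way to act on the dead drop resolver monitoring advice above is to hunt proxy logs for GitHub traffic that originates from server hosts with no business reaching it. This is an added example, not code from the article or from Kaspersky; the server inventory, the log format and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory: internet-facing SQL/web servers that should never contact GitHub.
SERVER_HOSTS = {"10.0.5.21": "sql-prod-01", "10.0.5.22": "sql-prod-02", "10.0.9.7": "web-dmz-01"}

# Domains the page names as dead drop resolver hosting (GitHub); subdomains are matched too.
DEAD_DROP_DOMAINS = ("github.com", "githubusercontent.com")

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Extract the destination host (drop scheme and path; CONNECT lines carry host:port).
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0].lower()
    return rec

def is_dead_drop_domain(host):
    """True if host is one of the dead drop domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_DOMAINS)

def hunt_dead_drop_access(lines):
    """Return {server-name: [(timestamp, url), ...]} for server hosts reaching dead drop domains."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in SERVER_HOSTS:
            continue  # unparseable, or a workstation where GitHub access may be legitimate
        if is_dead_drop_domain(rec["host"]):
            findings[SERVER_HOSTS[rec["src"]]].append((rec["ts"], rec["url"]))
    return dict(findings)

# Constructed sample log: two SQL servers fetch from GitHub, a workstation does too (benign here).
SAMPLE_LOG = """\
2025-08-14T03:12:07Z 10.0.5.21 GET https://raw.githubusercontent.com/exampleuser/notes/main/readme.txt 200
2025-08-14T03:12:09Z 10.0.5.21 CONNECT 203.0.113.45:443 200
2025-08-14T03:15:41Z 10.0.2.100 GET https://github.com/org/repo/pulls 200
2025-08-14T03:20:00Z 10.0.9.7 GET https://windowsupdate.microsoft.com/x 200
2025-08-14T03:22:13Z 10.0.5.22 GET https://api.github.com/repos/exampleuser/notes/contents 200
"""

if __name__ == "__main__":
    for server, hits in hunt_dead_drop_access(SAMPLE_LOG.splitlines()).items():
        print(server, hits)
```

A hit on a server host is a lead to triage, not proof of compromise; correlate it with new DLLs in System32, ASPX files under web roots, and unexpected outbound TCP/SSL connections from the same host.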
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Switzerland
Technical Details
- Article source: https://thehackernews.com/2025/10/researchers-identify-passiveneuron-apt.html (fetched 2025-10-22, 1115 words)
Threat ID: 68f89fcadd2148b88894b0b2
Added to database: 10/22/2025, 9:11:38 AM
Last enriched: 10/22/2025, 9:11:57 AM
Last updated: 10/23/2025, 9:34:34 PM