Date: 2025-10-22

High-profile industrial, finance, and government entities in Latin America, Asia, and Africa have had their Windows Servers targeted with several illicit implants as part of the China-linked PassiveNeuron cyberespionage campaign, which has been on and off from June 2024 to August 2025, according to SecurityWeek.

Intrusions involved the exploitation of Windows server vulnerabilities, with threat actors targeting Microsoft SQL software to obtain initial remote code execution capabilities in one instance, a report from Kaspersky showed.

Attackers then mostly leveraged a chain of DLL loaders within the System32 directory to facilitate the delivery of the novel custom Neursite and NeuralExecutor payloads, as well as the Cobalt Strike framework.