High-profile industrial, finance, and government entities in Latin America, Asia, and Africa have had their Windows Servers targeted with several illicit implants as part of the China-linked PassiveNeuron cyberespionage campaign, which has been on and off from June 2024 to August 2025, according to SecurityWeek.Intrusions involved the exploitation of Windows server vulnerabilities, with threat actors targeting Microsoft SQL software to obtain initial remote code execution capabilities in one instance, a report from Kaspersky showed.Attackers then mostly leveraged a chain of DLL loaders within the System32 directory to facilitate the delivery of the novel custom Neursite and NeuralExecutor payloads, as well as the Cobalt Strike framework.Further analysis of the Neursite backdoor and NeuralExecutor loader revealed their acquisition of GitHub command-and-control server addresses, which was previously observed with Chinese state-backed threat operations APT27 and APT31, as well as a PDB string linked to APT41, another China-nexus hacking group.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




