Kaspersky has identified a sustained cyber espionage campaign called PassiveNeuron targeting government, financial and industrial organisations in Asia, Africa and Latin America, the company said.
The activity was first flagged in November 2024 when Kaspersky described attacks in June that used previously unseen malware families tracked as Neursite and NeuralExecutor.
Kaspersky said it has observed a fresh wave of infections from December 2024 through August 2025. The company said the actors have used already compromised internal servers as intermediate command and control infrastructure, a plugin-based architecture and the ability to create virtual networks to move laterally and exfiltrate data.
In at least one incident attackers obtained remote command execution on a Windows Server via Microsoft SQL and attempted to deploy an ASPX web shell. When that failed, they delivered advanced implants using DLL loaders placed in the System32 directory, including Neursite, NeuralExecutor and the legitimate tool Cobalt Strike.
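The intrusion chain described above, expressed as detection logic over Sysmon-style events; this is an added example, not code from Kaspersky's report. The events, file names, rule labels and the allow-list of trusted System32 writers are constructed assumptions.

```python
import ntpath

# Constructed Sysmon-style events (ID 1 = process creation, ID 11 = file creation).
# All paths and file names are invented sample values, not indicators from the report.
EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"id": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\example.aspx"},
    {"id": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\example_loader.dll"},
    {"id": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\patched.dll"},
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed allow-list of processes expected to write DLLs into System32.
TRUSTED_WRITERS = {"trustedinstaller.exe", "msiexec.exe", "tiworker.exe"}

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return a finding label for one event, or None if it matches no rule."""
    if event["id"] == 1:
        # SQL Server launching a command interpreter: command execution via the database.
        if base(event["ParentImage"]) == "sqlservr.exe" and base(event["Image"]) in SHELLS:
            return "sql-server-spawned-shell"
        return None
    if event["id"] == 11:
        target = event["TargetFilename"].lower()
        writer = base(event["Image"])
        # An ASPX page written by a shell rather than a deployment tool.
        if target.endswith(".aspx") and writer in SHELLS:
            return "aspx-written-by-shell"
        # A DLL placed directly in System32 by something other than the servicing stack.
        if (ntpath.dirname(target) == r"c:\windows\system32"
                and target.endswith(".dll") and writer not in TRUSTED_WRITERS):
            return "dll-dropped-in-system32"
    return None

def findings(events):
    """List (event index, label) for every event that matches a rule."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]

if __name__ == "__main__":
    for index, label in findings(EVENTS):
        print(index, label)
```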
Neursite is a modular C++ backdoor that uses an embedded configuration to reach command and control servers over TCP, SSL, HTTP and HTTPS and includes capabilities for system information gathering, process management, proxying and fetching auxiliary plugins for shell commands and file system operations. Kaspersky researchers also observed that NeuralExecutor variants from 2024 read C2 addresses from their configuration, while samples seen in 2025 use a GitHub repository as a dead drop resolver.
The campaign remains unattributed, though the report notes some signs point to Chinese-speaking actors. Researchers Georgy Kucherin and Saurabh Sharma highlighted that the operation has primarily targeted server machines, which can serve as entry points into organisations.