Kaspersky researchers have uncovered new details about PassiveNeuron, a long-running cyberespionage campaign targeting government, financial, and industrial organizations across Asia, Africa, and Latin America. The campaign—linked with custom implants dubbed “Neursite” and “NeuralExecutor”—has re-emerged after a six-month dormancy, deploying a complex multi-stage infection chain that abuses Microsoft SQL servers as initial entry points.
“Since December 2024, we have observed a new wave of infections related to PassiveNeuron, with the latest ones dating back to August 2025,” Kaspersky stated, noting that this resurgence “shed light on many previously unknown aspects of this campaign.”
Kaspersky’s analysis reveals that attackers initially gained remote command execution on compromised Windows Server machines via Microsoft SQL software. The exact intrusion vector remains unclear, but researchers outline three likely methods: exploitation of SQL server vulnerabilities, SQL injection in web applications, or credential brute-forcing of database administrator accounts.
Once access was achieved, the attackers attempted to deploy an ASPX web shell—but were thwarted by Kaspersky’s detection systems.
“In attempts to evade detection of the web shell, attackers performed its installation in the following manner: dropping Base64-encoded payloads, decoding them via PowerShell or VBS scripts, and repeatedly re-encoding the data.”
When these efforts failed, the adversaries shifted to custom DLL-based loaders—a hallmark of the group’s persistence and technical sophistication.
Over the course of the investigation, Kaspersky identified three implants in PassiveNeuron operations:
- Neursite, a custom C++ modular backdoor for espionage.
- NeuralExecutor, a .NET-based loader for executing secondary payloads.
- Cobalt Strike, used for post-exploitation and lateral movement.
The campaign’s infection chain involves multiple DLL loaders stored in the Windows System32 directory under deceptive names such as wlbsctrl.dll, TSMSISrv.dll, and oci.dll. These files rely on phantom DLL hijacking: Windows components attempt to load libraries by these names at startup even though the files are normally absent, so a DLL planted under one of them is loaded automatically and persists across reboots.
“Storing DLLs under these paths has been beneficial to attackers, as placing libraries with these names inside the System32 folder makes it possible to automatically ensure persistence,” the report explains. “If present on the file system, these DLLs get automatically loaded on startup.”

Kaspersky noted that these DLLs were artificially inflated to over 100 MB with junk data to hinder detection, and that the loaders check the host’s MAC address so the payload runs only on intended victims, an indication of targeted espionage rather than mass exploitation.
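For a defender checking a Windows Server against this persistence mechanism, the following PowerShell hunt is an added example written for this article, not tooling from Kaspersky or code from the report. It assumes local administrator rights on the host, and it uses the report’s “over 100 MB” observation only as a heuristic threshold alongside an Authenticode check; the DLL names are the ones the report lists.

```powershell
# Added example (not from the Kaspersky report): hunt for the phantom-DLL
# persistence names described above on a Windows Server.
# Assumptions: run as local administrator; the 100 MB threshold follows the
# report's "over 100 MB" observation and is a heuristic, not a signature.

$System32      = Join-Path $env:SystemRoot 'System32'
$PhantomDlls   = @('wlbsctrl.dll', 'TSMSISrv.dll', 'oci.dll')   # names from the report
$SizeThreshold = 100MB

function Test-PhantomDll {
    param([string]$Name)
    $path = Join-Path $System32 $Name
    if (-not (Test-Path -LiteralPath $path)) {
        # Nothing planted under this name; nothing to review.
        return [pscustomobject]@{ Name = $Name; Present = $false; Verdict = 'absent' }
    }
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($item.Length -gt $SizeThreshold) {
        $reasons += "inflated size $([math]::Round($item.Length / 1MB)) MB"
    }
    $verdict = if ($reasons.Count -gt 0) {
        'SUSPICIOUS: ' + ($reasons -join '; ')
    } else {
        'present and signed; confirm it belongs to an installed feature'
    }

    [pscustomobject]@{
        Name    = $Name
        Present = $true
        SizeMB  = [math]::Round($item.Length / 1MB, 1)
        Signer  = $sig.SignerCertificate.Subject
        SHA256  = $hash          # keep for IoC matching / escalation
        Verdict = $verdict
    }
}

$PhantomDlls | ForEach-Object { Test-PhantomDll $_ } | Format-Table -AutoSize
```

A hit on either heuristic (unsigned, or far larger than a system library should be) is a reason to pull the file and the host’s startup event logs for analysis; a signed, normally sized file under one of these names can still be legitimate if the matching Windows or vendor feature is installed, so the script reports it rather than silently passing it.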
The Neursite backdoor stands out as the campaign’s core espionage tool. According to Kaspersky, “Neursite can use the TCP, SSL, HTTP, and HTTPS protocols for C2 communications” and is configured with “a list of C2 servers, HTTP headers, wait times, and even a byte array of operational hours.”
Its command set enables attackers to:
- Retrieve system and network information
- Manage running processes
- Proxy traffic through infected hosts to facilitate lateral movement
- Load supplementary plugins for shell execution, file management, and TCP socket operations
“Such detailed narrowing down of victims implies the adversary’s interest towards specific organizations and once again underscores the targeted nature of this threat,” Kaspersky commented.
The second major component, NeuralExecutor, is a .NET-based implant protected by ConfuserEx obfuscation. It establishes communication via multiple protocols—including HTTP(S), TCP, WebSockets, and named pipes—and downloads new .NET payloads dynamically.
In 2025 variants, Kaspersky discovered that NeuralExecutor retrieves its command-and-control (C2) address from GitHub, employing a Dead Drop Resolver mechanism.
“The new NeuralExecutor samples were designed to retrieve the contents of a file stored in a GitHub repository, and extract a string from it between the delimiters ‘wtyyvZQY’ and ‘stU7BU0R’.”
The extracted data is then Base64-decoded and AES-decrypted to reveal the live C2 server address — a stealthy tactic also observed in Chinese APT campaigns such as EastWind (APT31) and APT27 (Emissary Panda).
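As an added illustration, not code from the report or from the malware, the following PowerShell analyst helper reproduces the decoding layers described above on a constructed fixture: it builds a sample dead-drop file containing a placeholder address, then extracts the text between the two delimiters the report names, Base64-decodes it, and AES-decrypts it. The key, IV, cipher mode (CBC with PKCS7 padding) and the placeholder address `c2.example.invalid:443` are assumptions; the report does not disclose the samples’ key material, so in a real case the values would come from the recovered configuration.

```powershell
# Added example (not from the Kaspersky report): analyst helper that undoes
# the dead-drop encoding layers described above. The delimiters come from
# the report; key, IV, cipher mode and the address are ASSUMPTIONS/placeholders.
$StartMarker = 'wtyyvZQY'
$EndMarker   = 'stU7BU0R'
# Assumed key material (32-byte key, 16-byte IV). A real investigation uses
# the values recovered from the sample's configuration instead.
$AssumedKey = [byte[]](1..32)
$AssumedIV  = [byte[]](1..16)

function New-AesCipher {
    param([byte[]]$Key, [byte[]]$IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC      # assumption
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7   # assumption
    $aes.Key = $Key
    $aes.IV  = $IV
    return $aes
}

function Resolve-DeadDropAddress {
    param([string]$FileContent, [byte[]]$Key, [byte[]]$IV)
    # 1. Pull the text between the two delimiters (Singleline so newlines are tolerated).
    $pattern = [regex]::Escape($StartMarker) + '(.*?)' + [regex]::Escape($EndMarker)
    $m = [regex]::Match($FileContent, $pattern, 'Singleline')
    if (-not $m.Success) { throw 'Delimiters not found in file content' }
    # 2. Base64-decode the delimited string.
    $cipherBytes = [Convert]::FromBase64String($m.Groups[1].Value.Trim())
    # 3. AES-decrypt to recover the plaintext C2 address.
    $aes = New-AesCipher -Key $Key -IV $IV
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
    } finally {
        $aes.Dispose()
    }
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# --- Constructed fixture so the example runs offline ---------------------------
# A fake repository file holding an encrypted placeholder address.
$aesFx    = New-AesCipher -Key $AssumedKey -IV $AssumedIV
$fxBytes  = [System.Text.Encoding]::UTF8.GetBytes('c2.example.invalid:443')   # placeholder
$fxCipher = $aesFx.CreateEncryptor().TransformFinalBlock($fxBytes, 0, $fxBytes.Length)
$aesFx.Dispose()
$SampleFile = @"
# project notes (constructed sample, not a real repository)
$StartMarker$([Convert]::ToBase64String($fxCipher))$EndMarker
"@

# Running the resolver over the fixture yields the placeholder address.
Resolve-DeadDropAddress -FileContent $SampleFile -Key $AssumedKey -IV $AssumedIV
```

The useful detection takeaway is the shape of the artifact rather than the key: a public repository file with an opaque Base64 blob wrapped in fixed marker strings, fetched by a process on a database server that has no business reading GitHub, is the observable that network and endpoint telemetry can flag.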
Attribution remains complex. Early 2024 samples contained the string “Супер обфускатор” (Russian for “Super obfuscator”), but Kaspersky believes it was a false flag inserted deliberately via the ConfuserEx tool.
More recent indicators, including the GitHub-based C2 technique and a PDB path (“G:\Bee\Tree(pmrc)\…”) referencing a component previously associated with APT41, point toward a Chinese-speaking actor.