PassiveNeuron zeros in on Windows Server: new APT wave leverages SQL abuse, Cobalt Strike, and custom implants

CyberSecureFox 🦊

A newly observed campaign by the PassiveNeuron threat actor underscores a strategic pivot toward server-side targets. According to Kaspersky’s Global Research & Analysis Team, the activity ran from December 2024 through August 2025, striking government, financial, and industrial organizations across Asia, Africa, and Latin America. The distinguishing feature: a sustained focus on Windows Server and other server operating systems, raising the stakes for enterprise backbone infrastructure.

Timeline and scope of the PassiveNeuron campaign

Researchers first noted indications of this activity in June 2024. After a brief lull, operations resumed in December 2024 with an expanded toolset and improved persistence. The breadth of victimology—from public sector agencies to financial services and manufacturing—suggests an emphasis on long-term access, operational agility, and data staging within core enterprise networks.

Initial access via Microsoft SQL and abuse of server components

In several incidents, attackers executed commands on compromised hosts through Microsoft SQL Server, a pattern consistent with abuse of built-in database features such as xp_cmdshell or custom CLR assemblies. Details differ per incident, but the objective is the same: OS-level command execution under the privileges of the database service account, which then enables persistence and lateral movement. These techniques align with MITRE ATT&CK behaviors for command execution and misuse of server software components, and are often followed by tunneling and privilege escalation to deepen the foothold.

Toolset: Cobalt Strike, Neursite backdoor, and NeuralExecutor .NET implant

The toolchain blends off-the-shelf and bespoke capabilities. PassiveNeuron employed Cobalt Strike for beacons and operator control while deploying two previously unreported tools—Neursite and NeuralExecutor—to reduce detection and tailor post-exploitation.

Neursite: modular backdoor with internal routing and tunneling

Neursite is a modular backdoor designed for system reconnaissance, process manipulation, and traffic tunneling across compromised nodes. Samples communicated with both external C2 servers and already-compromised internal systems, effectively building resilient proxy chains to support stealthy lateral movement and segmented command-and-control inside the perimeter.

NeuralExecutor: flexible .NET implant and on-demand modules

NeuralExecutor is a customized .NET implant supporting multiple communication methods. It can load and run .NET assemblies fetched from C2 on demand, minimizing on-disk artifacts and complicating static detection. This modular delivery approach aligns with modern post-exploitation tradecraft, where behavior-based analytics and memory forensics are essential to detection.

Attribution signals and possible false flags

During analysis, researchers identified function names substituted with Cyrillic strings. Such artifacts can serve as false flags, complicating attribution. Based on the combined TTPs and infrastructure patterns, the activity is cautiously associated with a Chinese-speaking cluster, but confidence remains low. This mirrors a broader industry trend where sophisticated actors obfuscate linguistic and regional traits to hinder reliable sourcing.

Defensive guidance for Windows Server and SQL Server environments

Reduce exposed surface: Apply least-privilege access to Microsoft SQL and other server services; segment networks to isolate critical roles; avoid direct internet exposure for administrative interfaces. For SQL Server, disable xp_cmdshell, restrict external connectivity, enforce IP allowlists, and use strict role-based access control. Microsoft’s guidance recommends disabling potentially dangerous features by default and auditing their use when enabled for business needs.

Enhance detection and response: Deploy EDR/XDR with behavior-based detections for Cobalt Strike-like beacons, anomalous .NET assembly loads, and unauthorized tunneling. Enable SQL auditing—including execution of extended stored procedures—and monitor creation or modification of Windows services and scheduled tasks. Reference MITRE ATT&CK coverage to map detections across command execution, lateral movement, and C2 tactics.
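As an added example (not code from the article, from Kaspersky, or from Microsoft), the following T-SQL applies the SQL Server items from the two guidance paragraphs above on a single instance: inventory the risky server options, disable xp_cmdshell, list user-loaded CLR assemblies across databases, and create a SQL Server Audit that records configuration and permission changes plus every execution of the extended stored procedures in master. It assumes a sysadmin session in SSMS or sqlcmd; the audit name, specification names and the file path are placeholders chosen here.

```sql
-- Added example: SQL Server hardening and audit baseline (run as sysadmin).
-- Audit_ServerHardening, AuditSpec_* and D:\SQLAudit\ are placeholder names.
USE master;
GO

-- 1. Inventory the server options that OS-level command execution relies on.
--    value_in_use = 1 means the feature is currently enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'clr strict security',
               'Ole Automation Procedures', 'show advanced options');
GO

-- 2. Disable xp_cmdshell (shell execution under the service account).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 3. Deny EXECUTE explicitly so that a later re-enable still fails for
--    non-sysadmin principals (members of sysadmin bypass DENY, so keep that
--    role membership small and audited).
DENY EXECUTE ON OBJECT::sys.xp_cmdshell TO public;
GO

-- 4. List user-defined CLR assemblies in every online database. Anything with
--    an UNSAFE or EXTERNAL_ACCESS permission set that is not in your baseline
--    deserves review, since such assemblies can run arbitrary managed code.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'SELECT N''' + name + N''' AS db_name, name, permission_set_desc, create_date '
             + N'FROM ' + QUOTENAME(name) + N'.sys.assemblies WHERE is_user_defined = 1;'
FROM sys.databases
WHERE state_desc = 'ONLINE';
EXEC sp_executesql @sql;
GO

-- 5. Server audit writing to files, plus a server-level specification for
--    configuration changes (sp_configure), permission and role changes, and
--    logins. ON_FAILURE = CONTINUE keeps the instance up if the target fails;
--    use SHUTDOWN where policy requires auditing to be unconditional.
CREATE SERVER AUDIT Audit_ServerHardening
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION AuditSpec_ServerChanges
    FOR SERVER AUDIT Audit_ServerHardening
    ADD (SERVER_OPERATION_GROUP),            -- covers sp_configure / ALTER SETTINGS
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO

-- 6. Database-level specification in master: record every EXECUTE against
--    the extended stored procedures that give OS or COM access, by any
--    principal, whether or not the call succeeds.
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_ExtendedProcs
    FOR SERVER AUDIT Audit_ServerHardening
    ADD (EXECUTE ON OBJECT::sys.xp_cmdshell BY public),
    ADD (EXECUTE ON OBJECT::sys.sp_OACreate BY public)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_ServerHardening WITH (STATE = ON);
GO

-- 7. Review what was captured. Rows whose server_principal_name is an
--    application or service login rather than an administrator are the ones
--    to escalate to the SOC.
SELECT event_time, succeeded, server_principal_name, database_name,
       object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

Step 4 is the check for the "custom CLR assemblies" path mentioned earlier in the article; step 6 is the concrete form of "auditing execution of extended stored procedures". Forward the .sqlaudit files (or the Application log, if you choose that target instead) to the same SIEM that receives process-creation and service-creation telemetry, so a recorded xp_cmdshell call can be correlated with the child process it spawned.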

Improve security hygiene and resilience: Maintain rapid patching for OS and database components, enforce MFA for privileged accounts, implement application control, and protect service account credentials (e.g., managed service accounts, credential vaulting). Conduct periodic penetration tests and proactive threat hunting to validate controls against Cobalt Strike beacons, modular backdoors, and .NET implants. Authoritative resources include Microsoft Learn for SQL Server security baselines and MITRE ATT&CK for adversary technique mapping.

Server workloads—especially internet-facing Windows Server roles—remain prime targets because they host sensitive data, run high-privilege services, and often provide a jump point to core business applications. Organizations should pair strict network segmentation and the removal of unsafe database functions with behavior-driven monitoring and regular validation of TTPs associated with PassiveNeuron’s toolkit. Strengthening these fundamentals today reduces the likelihood that tomorrow’s investigation starts on your most critical servers.
