PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations

PassiveNeuron is a multi-stage cyberespionage campaign that targeted Windows servers across Asia, Africa, and Latin America from 2024–2025 using novel implants Neursite and NeuralExecutor, Cobalt Strike, DLL loader chains, and SQL-server-based initial access attempts. Analysis ties some TTPs (Dead Drop Resolver via GitHub delimiters, Phantom DLL Hijacking, MAC-based sandbox checks) to Chinese-speaking threat actors, with low confidence; PDB and behavior overlaps also link one dropped DLL to activity noted by Cisco Talos. #Neursite #NeuralExecutor

Keypoints

  • PassiveNeuron targeted mostly Windows Server machines at government, financial, and industrial organizations across Asia, Africa, and Latin America between 2024 and 2025.
  • Initial access in at least one case was achieved via Microsoft SQL server abuse, followed by attempts to deploy ASPX web shells (Base64/hex encoding, PowerShell/VBS decoding).
  • Attackers used multi-stage DLL loader chains (first-stage DLLs placed in System32 to exploit Phantom DLL Hijacking) with artificially inflated file sizes and MAC-based checks to avoid sandboxes.
  • Three final implants observed: Neursite (C++ modular backdoor), NeuralExecutor (.NET loader for additional assemblies), and Cobalt Strike; Neursite supports TCP/SSL/HTTP/HTTPS C2 and plugin loading.
  • NeuralExecutor used ConfuserEx obfuscation and in 2025 employed a Dead Drop Resolver technique pulling encoded config from GitHub delimited strings.
  • Attribution is uncertain but TTPs resemble Chinese-speaking threat actors (e.g., Dead Drop Resolver pattern used by EastWind/APT31/APT27); a dropped imjp14k.dll contained a PDB linked in Cisco Talos reporting on APT41-like activity.
  • Defensive recommendations emphasize hardening exposed servers, mitigating SQL injection risks, monitoring for web shells, and detecting unusual DLLs in system directories.

MITRE Techniques

  • [T1210] Exploitation of Remote Services – Attackers gained remote command execution on the server through the exposed Microsoft SQL software (“attackers gain initial remote command execution capabilities on the compromised server through the Microsoft SQL software”). The page does not say whether this was a SQL injection flaw in a front-end application or direct abuse of the database service, so T1190 (Exploit Public-Facing Application) may be the better fit in the former case.
  • [T1505.003] Server Software Component: Web Shell – Attackers attempted to deploy an ASPX web shell using Base64/hex-encoded payloads decoded by PowerShell or VBS (“They dropped a file containing the Base64-encoded web shell… they dropped a PowerShell script responsible for Base64-decoding the web shell file”).
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking (Phantom DLL Hijacking) – First-stage DLLs were placed in System32 under names that svchost.exe or msdtc.exe look up at service start but that are normally absent from disk. Because the hosting service loads them every time it starts, the same placement provides persistence without any Run key, scheduled task or service entry (“placing libraries with these names inside the System32 folder makes it possible to automatically ensure persistence… If present on the file system, these DLLs get automatically loaded on startup… into the svchost.exe process…”).
  • [T1059.001 / T1059.005] Command and Scripting Interpreter: PowerShell / Visual Basic – The attackers ran their own PowerShell and VBS scripts to decode and write the web shell to disk; no victim interaction was involved, so this is attacker execution rather than User Execution (“They dropped a PowerShell script responsible for Base64-decoding the web shell file… using a VBS script instead”).
  • [T1140] Deobfuscate/Decode Files or Information – Payloads were staged Base64- or hex-encoded and decoded on the host by those scripts before being written as the web shell.
  • [T1055] Process Injection – The third-stage DLL creates a legitimate process such as WmiPrvSE.exe or msiexec.exe in suspended mode and runs the fourth-stage shellcode loader inside it (“this payload is a DLL as well, responsible for launching a fourth-stage shellcode loader inside another process (e.g. WmiPrvSE.exe or msiexec.exe) which is created in suspended mode”). Starting a signed binary suspended and then writing code into it is the process-hollowing pattern (T1055.012), although the page does not state whether the original image is unmapped.
  • [T1027.001] Obfuscated Files or Information: Binary Padding – DLL file sizes were inflated with junk overlay bytes (some second-stage loaders exceed 60 MB), which pushes the files past the size limits of many sandboxes and scanners; [T1027.002] Software Packing covers the samples protected with VMProtect (“these DLL files are… artificially inflated by attackers by adding junk overlay bytes… or with DLL obfuscation on disk with VMProtect”).
  • [T1480.001] Execution Guardrails: Environmental Keying – The loader computes a 32-bit hash of each installed network adapter’s MAC address and only continues if one matches an embedded value, keying execution to the intended victim; the same check also defeats sandboxes, whose adapters never match [T1497.001] (“loader iterates through a list of installed network adapters, calculating a 32-bit hash of each adapter’s MAC address… designed to ensure that the DLLs get solely launched on the intended victim machine”).
  • [T1105] Ingress Tool Transfer – NeuralExecutor can receive and load .NET assemblies from C2, acting as a loader for additional payloads (“the backdoor can receive commands allowing it to load .NET assemblies… receive additional .NET payloads from the network and execute them”).
  • [T1071.001 / T1095] Application Layer Protocol: Web Protocols / Non-Application Layer Protocol – Neursite supports HTTP and HTTPS as well as raw TCP and SSL transports for C2, so detections should not rely on web-proxy logs alone.
  • [T1102.001] Web Service: Dead Drop Resolver – NeuralExecutor 2025 samples retrieved C2 information from a GitHub-hosted file using delimiters and Base64/AES decoding (“retrieve the contents of a file stored in a GitHub repository… search for two delimiters, wtyyvZQY and stU7BU0R… Base64-decoded and decrypted with AES to obtain the C2 server address”).
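The Dead Drop Resolver step above is easy to reproduce offline and is useful when you have the fetched GitHub content but not yet the malware's key. The following is an added example, not code from the Securelist report or from NeuralExecutor: it locates the two delimiters the page names, tolerates decoys and line wrapping, and Base64-decodes the block. The AES key, IV and mode are not on the page, so decryption is a caller-supplied callable; `SAMPLE_PAGE` is a constructed stand-in for the GitHub file.

```python
"""Dead Drop Resolver extraction as the page describes it for the 2025
NeuralExecutor samples: fetch a file from a GitHub repository, locate the
delimiters wtyyvZQY and stU7BU0R, Base64-decode the text between them, then
AES-decrypt it to obtain the C2 address.

Added example, not code from the report or the malware. SAMPLE_PAGE is a
constructed stand-in for the fetched GitHub content. The AES key, IV and mode
are not on the page, so decryption is a caller-supplied callable; with none,
the function returns the Base64-decoded ciphertext for offline analysis.
"""
import base64
import binascii
import re
from typing import Callable, Optional

START_DELIM = "wtyyvZQY"
END_DELIM = "stU7BU0R"


def extract_dead_drop(page_text: str,
                      start: str = START_DELIM,
                      end: str = END_DELIM,
                      decrypt: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Return the payload carried between the two delimiters.

    Handles what an analyst meets in practice: no delimiter pair at all
    (ValueError), several candidate blocks (the first one that is valid,
    non-empty Base64 wins and decoys are skipped) and whitespace or line
    wrapping inserted by the hosting page.
    """
    pattern = re.compile(re.escape(start) + r"(.*?)" + re.escape(end), re.DOTALL)
    for match in pattern.finditer(page_text):
        blob = re.sub(r"\s+", "", match.group(1))
        if not blob:
            continue  # empty pair: nothing to decode
        try:
            ciphertext = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # not Base64: decoy text or a damaged block, keep scanning
        # Plug the real AES step in here once the key is recovered from the
        # sample, e.g. cryptography's Cipher(algorithms.AES(key), modes.CBC(iv)).
        return decrypt(ciphertext) if decrypt else ciphertext
    raise ValueError("no delimited Base64 block found")


# Constructed GitHub page: a decoy pair with non-Base64 content first, then the
# real block, line-wrapped the way a README might be.
_SECRET = b"\x13\x37" * 8  # stands in for the AES-encrypted C2 address
_ENCODED = base64.b64encode(_SECRET).decode()
SAMPLE_PAGE = (
    "# build notes\n"
    + START_DELIM + "!!not-base64!!" + END_DELIM + "\n"
    + START_DELIM + "\n" + _ENCODED[:10] + "\n" + _ENCODED[10:] + "\n" + END_DELIM + "\n"
)


def resolve_sample() -> bytes:
    """Run the extractor over the constructed page (no network access)."""
    return extract_dead_drop(SAMPLE_PAGE)


if __name__ == "__main__":
    print(resolve_sample().hex())
```

On the detection side the same pattern gives a cheap hunt: a database or application server whose svchost.exe, msiexec.exe or WmiPrvSE.exe makes outbound requests to github.com or raw.githubusercontent.com has no business doing so, and the returned content can be run through the extractor above to confirm a delimited blob is present.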

Indicators of Compromise

  • [File Hash] PassiveNeuron loader file – SHA256: 12ec42446db8039e2a2d8c22d7fd2946406db41215f7d333db2f2c9d60c3958b.
  • [File Hash] Malicious dropped DLL (imjp14k.dll) – MD5: 751f47a688ae075bba11cf0235f4f6ee (32 hex digits, i.e. an MD5 digest; match on that hash type when hunting).
  • [File Name / Path] First-stage loader placements – C:\Windows\System32\wlbsctrl.dll, C:\Windows\System32\TSMSISrv.dll, C:\Windows\System32\oci.dll. These are well-known phantom DLL names: they are normally absent from a default Windows install but are looked up by the IKEEXT and SessionEnv services (hosted in svchost.exe) and by MSDTC (msdtc.exe), so their mere presence in System32 is a strong indicator.
  • [File Name] Second-stage DLL examples – elscorewmyc.dll, wellgwlserejzuai.dll (second-stage loaders stored on disk, often >60 MB because of junk overlay bytes).
  • [PDB Path / Build String] G:\BeeTree(pmrc)\Src\Dll_3F_imjp14k\Release\Dll.pdb (embedded in imjp14k.dll; the same path appears in Cisco Talos reporting on APT41-like activity).
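The phantom DLL names and the junk-overlay inflation above are both checkable from a file listing without executing anything. The following is an added example, not code from the Securelist report or the malware: it parses the PE section table to measure the overlay, flags the three System32 names the page lists, and flags the >60 MB size the page reports. The overlay-ratio threshold and the toy PE builder used for the offline run are assumptions for the demonstration.

```python
"""Offline triage for the loader artefacts described above.

Added example; this is not code from the Securelist report or from the
malware. It assumes only what the page states: first-stage loaders dropped
into C:\\Windows\\System32 as wlbsctrl.dll, TSMSISrv.dll or oci.dll, and
second-stage DLLs padded with junk overlay bytes (some over 60 MB). The
overlay-ratio threshold and the toy PE builder are assumptions for the demo.
"""
import ntpath
import struct

# Phantom DLL names the report lists for first-stage placement (case-folded).
PHANTOM_DLL_NAMES = {"wlbsctrl.dll", "tsmsisrv.dll", "oci.dll"}

# Second-stage loaders were often larger than 60 MB according to the page.
INFLATED_SIZE_BYTES = 60 * 1024 * 1024

# Assumed hunting threshold: an overlay of at least 1 MiB that makes up more
# than half the file is treated as padding rather than a legitimate resource.
MIN_JUNK_OVERLAY = 1024 * 1024


def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes appended after the last section's raw data.

    Compiler-built DLLs have little or no overlay; a multi-megabyte overlay is
    the inflation pattern the report describes. Raises ValueError for input
    that is not a PE so callers can tell 'not a PE' from 'no overlay'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2
    # and SizeOfOptionalHeader at +16 within that 20-byte header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt_hdr = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + size_opt_hdr
    end_of_image = section_table + num_sections * 40
    for i in range(num_sections):
        # 40-byte IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20.
        size_raw, ptr_raw = struct.unpack_from("<II", data, section_table + i * 40 + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(0, len(data) - end_of_image)


def triage_dll(path: str, data: bytes) -> list:
    """Return hunting findings for one DLL; an empty list means nothing notable."""
    findings = []
    name = ntpath.basename(path).lower()
    if name in PHANTOM_DLL_NAMES and ntpath.dirname(path).lower().endswith("system32"):
        findings.append("phantom-dll-name:" + name)
    if len(data) > INFLATED_SIZE_BYTES:
        findings.append("inflated-size")
    try:
        overlay = pe_overlay_size(data)
    except ValueError:
        findings.append("not-a-pe")
        return findings
    if overlay >= MIN_JUNK_OVERLAY and overlay > len(data) // 2:
        findings.append("junk-overlay:%d" % overlay)
    return findings


def build_minimal_pe(overlay: int) -> bytes:
    """Construct a toy PE32 with one 512-byte section followed by `overlay`
    junk bytes. It exists only so the block runs offline; it is not a sample."""
    e_lfanew, size_opt_hdr = 0x40, 0xE0
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt_hdr, 0x2102)
    optional_header = b"\0" * size_opt_hdr
    section_table = e_lfanew + 4 + 20 + size_opt_hdr
    ptr_raw = (section_table + 40 + 0x1FF) & ~0x1FF  # first 512-byte boundary
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, ptr_raw, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + file_header + optional_header + section
    headers += b"\0" * (ptr_raw - len(headers))
    return headers + b"\xCC" * 0x200 + b"J" * overlay


if __name__ == "__main__":
    sample = build_minimal_pe(3 * 1024 * 1024)
    print(triage_dll(r"C:\Windows\System32\wlbsctrl.dll", sample))
```

Run it over a copy of System32 (read the files with `open(path, "rb")` and pass the bytes to `triage_dll`) and anything returning a `phantom-dll-name` or `junk-overlay` finding deserves a second look; a legitimate Microsoft DLL in that directory carries an Authenticode signature and no multi-megabyte overlay.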


Read more: https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/