
"The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using never-before-seen malware families tracked as Neursite and NeuralExecutor. It also described the operation as exhibiting a high level of sophistication, with the threat actors leveraging already compromised internal servers as an intermediate command-and-control (C2) infrastructure to fly under the radar."
"In at least one incident, the adversary is said to have gained initial remote command execution capabilities on a compromised machine running Windows Server through Microsoft SQL. While the exact method by which this is achieved is not known, it's possible that the attackers are either brute-forcing the administration account password, or leveraging an SQL injection flaw in an application running on the server, or an as-yet-undetermined vulnerability in the server software itself."
Kaspersky flagged PassiveNeuron in November 2024 after identifying June attacks that used the previously unseen Neursite and NeuralExecutor malware families. The campaign targets government, financial, and industrial organizations across Asia, Africa, and Latin America. The threat actors use already-compromised internal servers as intermediate command-and-control infrastructure to evade detection, move laterally, exfiltrate data, and optionally create virtual networks to reach machines isolated from the internet. The malware's plugin-based modular design lets the operators adapt it dynamically to their needs. Kaspersky observed a fresh wave of infections from December 2024 through August 2025. Some indicators point to Chinese-speaking operators. In at least one case the attackers gained remote command execution on Windows Server via Microsoft SQL and attempted to deploy an ASPX web shell.
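The Microsoft SQL foothold described in both the quoted excerpt and the summary above (possible password guessing against the administration account, followed by command execution on the host) leaves traces in the server's own log. The following is an added example, not code from the article or from Kaspersky's report: it scans constructed ERRORLOG-style lines for a burst of failed logins from one client against one account, a successful login from that client after the burst, and the message SQL Server writes when xp_cmdshell is enabled; the threshold, the sample addresses and the exact line layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the SQL Server ERRORLOG (not real data from
# the incident described above). Five failed 'sa' logins from one client are followed by
# a success and by the message SQL Server writes when sp_configure enables xp_cmdshell.
SAMPLE_LOG = """\
2025-03-01 02:10:01.11 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]
2025-03-01 02:10:01.52 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]
2025-03-01 02:10:02.03 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]
2025-03-01 02:10:02.41 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]
2025-03-01 02:10:02.97 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]
2025-03-01 02:10:09.80 Logon Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.20.30.40]
2025-03-01 02:10:15.02 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-03-01 02:11:00.00 Logon Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.5.7]
"""

FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def analyze(log_text, threshold=5):
    """Return alert strings for: a client reaching `threshold` failed logins against one
    account (password guessing), a success from that client after such a burst, and
    xp_cmdshell being switched on (T-SQL to OS command execution)."""
    failures = defaultdict(int)   # (client ip, login name) -> failed attempts so far
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            key = (m["ip"], m["user"])
            failures[key] += 1
            if failures[key] == threshold:   # alert once, when the burst crosses the line
                alerts.append(f"brute-force: {threshold} failed logins for '{m['user']}' from {m['ip']}")
            continue
        m = SUCCESS_RE.search(line)
        if m and failures[(m["ip"], m["user"])] >= threshold:
            alerts.append(f"success-after-burst: '{m['user']}' logged in from {m['ip']}")
            continue
        if XPCMD_RE.search(line):
            alerts.append("xp_cmdshell enabled: OS commands can now run from T-SQL")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On a real server the same logic applies to Event ID 18456 in the Windows Application log, and the xp_cmdshell message is worth alerting on regardless of any preceding login activity.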
Read at The Hacker News