
PassiveNeuron

PassiveNeuron is a server-focused cyber espionage campaign, active since 2024, that targets Internet-exposed Windows Server installations. Observed initial access centers on Microsoft SQL Server-related activity; reported or suspected methods include credential brute-force, credential stuffing, and SQL injection. The campaign is described as opportunistic and multi-vector rather than tied to a single confirmed public CVE.

The intrusion chain uses custom malware: the Neursite backdoor (custom C/C++) and the NeuralExecutor loader (custom .NET), with Cobalt Strike also used for command-and-control management. Confirmed persistence includes Phantom DLL Hijacking, in which unusually large or renamed DLLs are placed in System32 or in service DLL paths so that they load at service startup. Web shells were observed in some cases only as attempted installation vectors and were often blocked or removed before full deployment, so they should not be treated as universally successful persistence. Variants observed in 2025 used GitHub as a dead-drop resolver, with loaders retrieving C2 configuration or next-stage URLs from public GitHub content.

Reported targets include government, industrial, and financial organizations across Asia, Africa, and Latin America. High-confidence indicators and defensive priorities reported for this campaign include anomalous DLL artifacts in System32 or service DLL paths, Cobalt Strike beacon activity, and unusual outbound HTTP(S) traffic to GitHub or other public code-hosting platforms from affected servers.
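The two host-and-network indicators named above (DLLs that do not belong in System32, and server egress to public code hosting) can be turned into a simple hunt. The script below is an added example written for this page; it is not Mallory's code and not taken from any report on the campaign. The proxy log format, the System32 baseline set, the host names, the file sizes and the "unusually large" threshold are all constructed assumptions, marked as such in the comments; in a real hunt the baseline comes from a golden-image inventory and the logs from your proxy or firewall.

```python
"""Hunt helpers for the PassiveNeuron indicators described on this page.

Added example, not Mallory's code. The log format, baseline, hosts, sizes and
threshold below are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Public code-hosting domains the text names as dead-drop resolvers (GitHub),
# plus the raw/gist hostnames a loader would realistically fetch content from.
CODE_HOSTING_DOMAINS = {
    "github.com",
    "gist.github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
}

# Assumption: constructed proxy log format
# "<timestamp> <src_host> <dst_host> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    host: str
    reason: str
    detail: str


def find_code_hosting_egress(log_lines, server_hosts):
    """Flag requests from server-class hosts to public code-hosting domains.

    Workstations talking to GitHub are normal; a SQL or web server doing so
    is the 'unusual outbound HTTP(S) traffic' indicator from the summary.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip lines that do not fit the assumed format
            continue
        src, dst = m["src"], m["dst"].lower()
        if src in server_hosts and (
            dst in CODE_HOSTING_DOMAINS or dst.endswith(".githubusercontent.com")
        ):
            hits.append(Hit(src, "server egress to public code hosting",
                            f"{m['method']} {m['url']}"))
    return hits


# Assumption: expected System32 DLL names, normally taken from a golden image.
SYSTEM32_BASELINE = {"kernel32.dll", "ntdll.dll", "advapi32.dll"}
# Assumption: threshold for what counts as an 'unusually large' DLL.
LARGE_DLL_BYTES = 20 * 1024 * 1024


def find_anomalous_dlls(inventory, baseline=SYSTEM32_BASELINE,
                        large_bytes=LARGE_DLL_BYTES):
    """Flag System32 DLLs that are not in the baseline, unusually large, or
    unsigned. A name that is absent from the baseline is the phantom-DLL
    signal; size and signature are supporting evidence."""
    hits = []
    for entry in inventory:
        path = entry["path"].lower().replace("/", "\\")
        if not path.endswith(".dll") or "\\system32\\" not in path:
            continue  # only System32 is in scope for this check
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if name not in baseline:
            reasons.append("not in System32 baseline")
        if entry["size"] >= large_bytes:
            reasons.append(f"unusually large ({entry['size']} bytes)")
        if not entry.get("signed", False):
            reasons.append("unsigned")
        if reasons:
            hits.append(Hit(entry["host"], "; ".join(reasons), entry["path"]))
    return hits


# Constructed sample data (not real telemetry).
SERVER_HOSTS = {"sql-srv-01", "web-srv-02"}
SAMPLE_LOGS = [
    "2025-03-04T10:15:01Z sql-srv-01 raw.githubusercontent.com GET "
    "https://raw.githubusercontent.com/example/cfg/main/c.txt 200",
    "2025-03-04T10:15:02Z ws-dev-07 github.com GET https://github.com/example/repo 200",
    "2025-03-04T10:15:03Z sql-srv-01 updates.example.local GET "
    "http://updates.example.local/patch 200",
    "malformed line that should be ignored",
]
SAMPLE_INVENTORY = [
    {"host": "sql-srv-01", "path": "C:\\Windows\\System32\\kernel32.dll",
     "size": 700_000, "signed": True},
    {"host": "sql-srv-01", "path": "C:\\Windows\\System32\\svchelper.dll",
     "size": 45_000_000, "signed": False},
    {"host": "sql-srv-01", "path": "C:\\Windows\\SysWOW64\\ntdll.dll",
     "size": 1_500_000, "signed": True},
    {"host": "web-srv-02", "path": "C:\\Program Files\\App\\plugin.dll",
     "size": 1_000, "signed": False},
]

if __name__ == "__main__":
    for hit in find_code_hosting_egress(SAMPLE_LOGS, SERVER_HOSTS):
        print("NETWORK", hit)
    for hit in find_anomalous_dlls(SAMPLE_INVENTORY):
        print("HOST", hit)
```

Both checks are deliberately narrow: the egress check only scores hosts you have tagged as servers, and the DLL check only scores System32, so the output is a short list worth looking at rather than a dump of every GitHub fetch in the estate. Extend the baseline and the server list from your own inventory before running it for real.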

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.