Kaspersky flags new global cyberespionage wave

Kaspersky's Global Research and Analysis Team (GReAT) has identified an ongoing cyberespionage campaign, dubbed PassiveNeuron that targets Windows Server systems in government, financial and industrial organisations across Asia, Africa and Latin America.

According to a statement, the activity, first detected in December 2024, persisted through August 2025. And after a six-month lull, the campaign has resumed operations, deploying three main tools — two previously unknown — to infiltrate and maintain access to targeted networks.

according to the statement, these include Neursite, a modular backdoor; NeuralExecutor, a .NET-based implant; and Cobalt Strike, a widely used penetration testing framework that is often exploited by threat actors.

"PassiveNeuron stands out for its focus on compromising servers, which are often the backbone of organisational networks," Georgy Kucherin, a security researcher at Kaspersky said. "It is essential to minimise the attack surface and continuously monitor server applications to detect and stop infections."

The Neursite backdoor enables attackers to collect system information, control processes and move laterally across networks by routing traffic through compromised hosts. NeuralExecutor can deliver additional payloads and execute .NET assemblies from command-and-control servers.