{"id":23467,"date":"2025-12-25T08:00:05","date_gmt":"2025-12-25T01:00:05","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23467"},"modified":"2026-01-20T10:35:48","modified_gmt":"2026-01-20T03:35:48","slug":"https-fpt-is-com-en-wp-admin-post-new-php","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/https-fpt-is-com-en-wp-admin-post-new-php\/","title":{"rendered":"PassiveNeuron \u2013 a mysterious APT campaign targeting global industrial infrastructure"},"content":{"rendered":"<h1 id=\"heading-overview\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Overview<\/strong><\/span><\/h1>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">A recent campaign has been discovered targeting Windows Servers in government, financial, and industrial organizations in Asia, Africa, and Latin America. This campaign was detected by\u00a0<strong>Kaspersky<\/strong>\u00a0and named\u00a0<strong>PassiveNeuron.<\/strong>\u00a0The campaign was first discovered in 2024, then paused for about 6 months, and resumed from December 2024 to at least August 2025.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">The main targets of these attackers are Windows Servers that frequently run services like MS SQL. Here, they insert backdoors and upload payloads, gather information, and lay the groundwork for further attacks. 
In the campaign, new\u00a0<strong>implants (specialized malware)<\/strong>\u00a0were discovered, which had not been recorded before.<\/span><\/p>\n<h1 id=\"heading-main-impact\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Main Impact<\/strong><\/span><\/h1>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>System Intrusion and Control<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Gain control of servers<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Establish C2 (Command &amp; Control) channels<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Information Leakage, Theft, and Manipulation<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Steal sensitive data<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Manipulate and destroy data<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Move laterally within the internal network<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Espionage and Long-term Threats<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Gather intelligence<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Build a &#8220;foothold&#8221; for future attacks<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Affect reputation and legal standing<\/span><\/li>\n<\/ul>\n<h1 id=\"heading-campaign-details\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Campaign 
Details<\/strong><\/span><\/h1>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">First, we need to go over the initial context of this campaign. During the investigation and handling of incidents related to machines infected with\u00a0<strong>PassiveNeuron<\/strong>\u00a0in both 2024 and 2025, analysts found that most of the target machines were running Windows Server. Specifically, in this campaign, the attackers gained initial remote command execution on compromised servers through Microsoft SQL software. The attackers have three methods to exploit these SQL servers:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Exploit vulnerabilities in the server software itself.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Exploit SQL vulnerabilities in applications running on the server.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Access the database administrator account.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">To avoid web shell detection, the attackers installed them using the following methods:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Drop a file containing a Base64-encoded web shell into the system.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Remove the PowerShell script responsible for decoding the Base64 web shell file.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Launch a PowerShell script to attempt to write the decoded web shell payload into the file system.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-1-1766594423.png\"><img decoding=\"async\" 
class=\"aligncenter size-full wp-image-23468\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-1-1766594423.png\" alt=\"A\u0309nh 1 1766594423\" width=\"1280\" height=\"324\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-1-1766594423.png 1280w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-1-1766594423-700x177.png 700w\" sizes=\"(max-width: 1280px) 100vw, 1280px\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Broadly, the attackers carry out the campaign in three stages:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Initial intrusion stage.<\/strong><\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Deploying implants and malicious payloads.<\/strong><\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Implants and tools used.<\/strong><\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">In the first stage &#8211; initial intrusion &#8211; the attackers target SQL servers, possibly by exploiting SQL server vulnerabilities, SQL injection, or obtaining SQL admin credentials to execute arbitrary commands. Once they have execution rights, the attackers deploy a\u00a0<em>web shell<\/em>\u00a0(such as an ASPX file) for remote access.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">After the initial intrusion into the system, the attackers deploy\u00a0<strong>implants and malicious payloads.<\/strong>\u00a0You might wonder,\u00a0<strong>what is an implant?<\/strong>\u00a0In this campaign, the attackers use many of them. 
An\u00a0<strong>implant<\/strong>\u00a0is a\u00a0<strong>malicious component (malware)<\/strong>\u00a0that is\u00a0<strong>\u201cimplanted\u201d<\/strong>\u00a0into the victim&#8217;s system to\u00a0<strong>maintain access<\/strong>,\u00a0<strong>gather information<\/strong>, or\u00a0<strong>execute remote commands<\/strong>. Simply put, an \u201cimplant\u201d is\u00a0<strong>a special type of backdoor.<\/strong>\u00a0Experts have noted that three implants were used:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Neursite:<\/strong>\u00a0A backdoor written in C++ with modular capabilities, process management, proxy traffic through the infected machine, and plugin loading to support functions like shell commands, file system management, and TCP socket.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>NeuralExecutor:<\/strong>\u00a0A loader written in .NET, supporting multiple communication protocols and loading and executing .NET assemblies sent from the command-and-control (C&amp;C) server.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Cobalt Strike:<\/strong>\u00a0A commercial red-teaming tool, used here by the attackers as part of the payload.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-2-1766594496.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23469\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-2-1766594496.png\" alt=\"A\u0309nh 2 1766594496\" width=\"800\" height=\"698\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-2-1766594496.png 800w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/12\/anh-2-1766594496-700x611.png 700w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, 
helvetica, sans-serif\">Implants are usually loaded through a DLL loader chain. These DLL files are placed in the\u00a0<strong>C:\\Windows\\System32<\/strong>\u00a0directory with fake names like \u201cwlbsctrl.dll\u201d, \u201cTSMSISrv.dll\u201d, \u201coci.dll\u201d to exploit DLL hijacking techniques or ensure they load at system startup.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Immediately after, the attackers will extract local credentials from memory, look for misconfigurations, or exploit internal vulnerabilities to escalate privileges to admin or domain admin. Once they have the credentials, they will move to other hosts or abuse remote services (SMB, WMI, RDP) to deploy loaders and implants on other servers to expand their reach.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Of course, in any campaign, the attackers will still make C2 connections to gather important data (DB dumps, config files), package it, and send it out.<\/span><\/p>\n<h1 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Recommendations<\/strong><\/span><\/h1>\n<ol>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Access Control<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Limit servers accessible from the Internet<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Only allow access to services that are truly necessary (e.g., ports 443, 1433).<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Use a\u00a0<strong>VPN or Zero Trust Gateway<\/strong>\u00a0to hide administrative services from the Internet.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, 
sans-serif\"><strong>Set ACL (Access Control List)<\/strong>\u00a0for SQL Server, IIS, or RDP \u2014 only accept specific trusted IPs or subnets.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Disable or remove<\/strong>\u00a0any unused services (IIS sample pages, SQL Browser, SMBv1, Telnet, old FTP).<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Updates and Patching<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Maintain a regular patching cycle (at least monthly).<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Automatically check for security patches using WSUS or Ansible\/Puppet.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">For SQL Server: always apply the latest\u00a0<strong>Cumulative Updates (CU)<\/strong>\u00a0to prevent RCE exploits (such as CVE-2023-21529, CVE-2024-30097).<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Privilege Management and Enforcement<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Run SQL\/IIS services under a\u00a0<strong>non-Administrator account<\/strong>.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Enable\u00a0<strong>Windows Defender Exploit Guard<\/strong>\u00a0(or equivalent) to block DLL injection and memory tampering.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Apply\u00a0<strong>AppLocker or WDAC (Windows Defender Application Control)<\/strong>\u00a0to only allow signed or whitelisted files to run.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Training and 
Operational Policies<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Train the operations team on:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Detecting signs of server intrusion.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">How to check for web shells and suspicious process chains.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Procedures for isolating and reporting incidents.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Establish\u00a0<strong>internal server security policies<\/strong>, including:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Minimum configuration (security baseline).<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Regular log review procedures (at least once a week).<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Semi-annual security assessment mechanisms.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h1 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Conclusion<\/strong><\/span><\/h1>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">The\u00a0<strong>PassiveNeuron<\/strong>\u00a0campaign is a clear warning that servers\u2014especially Windows servers and SQL Servers\u2014remain the\u00a0<strong>number one target<\/strong>\u00a0for sophisticated APT campaigns, not just &#8220;endpoints.&#8221; Targeting servers allows attackers to penetrate deeply, maintain long-term access, and gather large amounts of information.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">With signs pointing to a 
Chinese-speaking group and the use of new techniques (Neursite, NeuralExecutor, dead-drop via GitHub), this campaign should be considered a real threat by government organizations, financial institutions, and industries in all regions, including Vietnam.<\/span><\/p>\n<h1 id=\"heading-ioc\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>IOC<\/strong><\/span><\/h1>\n<ol>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>File Hash<\/strong><\/span><\/li>\n<\/ol>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">751f47a688ae075bba11cf0235f4f6ee<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">12ec42446db8039e2a2d8c22d7fd2946<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">406db41215f7d333db2f2c9d60c3958b<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">44a64331ec1c937a8385dfeeee6678fd<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">8dcf258f66fa0cec1e4a800fa1f6c2a2<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">d587724ade76218aa58c78523f6fa14e<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">f806083c919e49aca3f301d082815b30<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>References<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.securityweek.com\/government-industrial-servers-targeted-in-china-linked-passiveneuron-campaign\/\" target=\"_blank\" rel=\"noopener nofollow\">Government, Industrial Servers Targeted in China-Linked &#8216;PassiveNeuron&#8217; Campaign &#8211; SecurityWeek<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/securelist.com\/passiveneuron-campaign-with-apt-implants-and-cobalt-strike\/117745\/\" target=\"_blank\" rel=\"noopener nofollow\">Cyberespionage campaign PassiveNeuron targets machines running Windows Server | Securelist<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/opentip.kaspersky.com\/f806083c919e49aca3f301d082815b30\/results?icid=gl_sl_opentip_sm-team_6bf7b46e7b929a05&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky OpenTIP lookup for f806083c919e49aca3f301d082815b30<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/opentip.kaspersky.com\/751f47a688ae075bba11cf0235f4f6ee\/results?icid=gl_sl_opentip_sm-team_d79412667fa405bf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky OpenTIP lookup for 751f47a688ae075bba11cf0235f4f6ee<\/a><\/span><\/li>\n<\/ol>\n","protected":false},"author":21,"featured_media":23616,"parent":0,"template":"","nang_luc":[790],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23467","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23467","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23616"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23467"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23467"},{"taxonomy":"danh_m
uc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23467"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23467"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23467"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23467"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23467"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}