A sophisticated cyberespionage campaign dubbed PassiveNeuron has resurfaced with infections targeting government, financial, and industrial organizations across Asia, Africa, and Latin America.

First detected in 2024, the campaign remained dormant for six months before re-emerging in December 2024, with the latest infections observed as recently as August 2025.

The threat involves deploying previously unknown advanced persistent threat implants named Neursite and NeuralExecutor, alongside the Cobalt Strike framework, to compromise Windows Server machines.

The attackers primarily exploit Microsoft SQL servers to gain initial remote command execution on target systems. Once access is obtained through SQL vulnerabilities, injection flaws, or compromised database credentials, threat actors attempt deploying ASPX web shells for sustained access.

However, the deployment has proven challenging, with security solutions frequently blocking their attempts. Attackers have adapted by using Base64 and hexadecimal encoding, switching between PowerShell and VBS scripts, and writing payloads line-by-line to evade detection.

Securelist researchers identified that the campaign employs a sophisticated multi-stage infection chain, with malicious implants loaded through DLL loaders.

The first-stage loaders are strategically placed in the System32 directory with names like wlbsctrl.dll, TSMSISrv.dll, and oci.dll, exploiting the Phantom DLL Hijacking technique to achieve automatic persistence upon startup.

These DLLs are artificially inflated to exceed 100 MB by adding junk overlay bytes, making them difficult for security solutions to detect.

The loaders incorporate advanced anti-analysis mechanisms, including MAC address validation to ensure execution only on intended victim machines.

The first-stage loader iterates through installed network adapters, calculating a 32-bit hash of each MAC address and comparing it against hardcoded configuration values.

If no match is found, the loader exits immediately, preventing execution in sandbox environments and confirming the highly targeted nature of this campaign.

Multi-Stage Payload Delivery

The PassiveNeuron infection chain follows a complex four-stage loading process. After the first-stage loader validates the target machine, it loads a second-stage DLL from disk with file sizes exceeding 60 MB.

This loader opens a text file containing Base64-encoded and AES-encrypted data with the third-stage loader. The third-stage payload launches a fourth-stage shellcode loader inside legitimate processes like WmiPrvSE.exe or msiexec.exe, created in suspended mode.

The Neursite backdoor represents the most potent final-stage implant, featuring modular capabilities for system reconnaissance, process management, lateral movement, and file operations.

Attribution analysis points toward Chinese-speaking threat actors, supported by Dead Drop Resolver techniques via GitHub repositories and tactics associated with APT31, APT27, and potentially APT41 groups.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PassiveNeuron Attacking Servers of High-Profile Organizations to Implant Malware appeared first on Cyber Security News.

Since its emergence in August 2022, Lumma Infostealer has rapidly become a cornerstone of malware-as-a-service platforms, enabling even unskilled threat actors to harvest high-value credentials.

Delivered primarily via phishing sites masquerading as cracked software installers, the malicious payload is encapsulated within a Nullsoft Scriptable Install System (NSIS) package designed to evade signature-based detection.

Upon execution, fragmented AutoIt modules are reassembled in memory, with obfuscated shellcode loaded through process hollowing.

This technique replaces a legitimate process with the stealer, camouflaging its activity under the guise of a benign executable.

Genians analysts identified Lumma Infostealer following a surge in reports of credential theft in September 2025. Victims across both consumer and enterprise environments reported unauthorized access to web sessions, remote desktop services, and digital asset wallets.

The stolen browser cookies and account tokens facilitate seamless session hijacking, bypassing multi-factor authentication measures in many cases.

Cryptocurrency wallets saved in local databases, as well as VPN and RDP credentials stored in configuration files, are exfiltrated via encrypted channels to command-and-control (C2) domains hosted on compromised cloud infrastructure.

The multifaceted nature of these thefts amplifies the potential for identity fraud, financial loss, and deeper network intrusions.

Although Lumma Infostealer often serves as an initial foothold for ransomware and other follow-on attacks, its standalone impact is far-reaching.

Victims may remain unaware of the breach until secondary actions—such as unauthorized wire transfers or illicit account listings on underground forums—bring the compromise to light.

The modular design of the malware facilitates continuous updates, with developers pushing regular patches to evade new detection signatures.

Strengthening endpoint detection and response (EDR) systems with behavior-based analytics and threat intelligence integration is critical to intercept the attack chain before data reaches the attacker’s C2 infrastructure.

Infection Mechanism and Evasion Tactics

At the heart of Lumma’s infection strategy is a layered installer that bypasses conventional scanners. When a user executes the downloaded NSIS installer, it drops a ZIP archive into the Temp directory.

A command-line script (Contribute.docx) then invokes extrac32.exe to unpack a disguised Cabinet file.

The extracted components—fragments of an AutoIt script and the AutoIt interpreter—are programmatically merged into a single executable stub.

The following snippet illustrates the process hollowing routine used to inject the final payload:-

; Fragment of AutoIt loader
Run("cmd.exe /c Contribute.docx")
_ConsoleWrite("Launching AutoIt mode...")  
_ProcessCreate("Riding.pif", "", @SystemDir, 0, $pi)  
_WinAPI_WriteProcessMemory($pi.hProcess, $remoteAddr, $shellcode, BinaryLen($shellcode))  
_WinAPI_SetThreadContext($pi.hThread, $context)  
_WinAPI_ResumeThread($pi.hThread)

By verifying the absence of security processes (like SophosHealth, ekrn, AvastUI) with tasklist and findstr, the installer adjusts execution timing and payload placement, slipping past heuristic defenses.

Once injected, the malicious process decrypts its C2 domains—rhussois.su, diadtuky.su, and todoexy.su—and establishes encrypted channels for data exfiltration.

Stolen artifacts include web browser cookies, Telegram session data, cryptocurrency wallet files, and configuration files for VPN and RDP services.

These credentials enable lateral movement and persistent access within victim networks, often without raising immediate alarms.

The sophistication of Lumma Infostealer’s infection mechanism underscores the necessity for continuous monitoring of process injection events, routine auditing of installer behaviors, and enforcement of application allowlisting policies.

Implementing network-level blocks for known C2 domains and employing sandbox detonation for suspicious NSIS packages can further mitigate the threat posed by this stealthy and adaptable infostealer.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Lumma Infostealer Malware Attacks Users to Steal Browser Cookies, Cryptocurrency Wallets and VPN/RDP Accounts appeared first on Cyber Security News.