A sophisticated cyberespionage campaign dubbed PassiveNeuron has resurfaced with infections targeting government, financial, and industrial organizations across Asia, Africa, and Latin America.

First detected in 2024, the campaign remained dormant for six months before re-emerging in December 2024, with the latest infections observed as recently as August 2025.

The threat involves deploying previously unknown advanced persistent threat implants named Neursite and NeuralExecutor, alongside the Cobalt Strike framework, to compromise Windows Server machines.

The attackers primarily exploit Microsoft SQL servers to gain initial remote command execution on target systems. Once access is obtained through SQL vulnerabilities, injection flaws, or compromised database credentials, threat actors attempt deploying ASPX web shells for sustained access.

However, the deployment has proven challenging, with security solutions frequently blocking their attempts. Attackers have adapted by using Base64 and hexadecimal encoding, switching between PowerShell and VBS scripts, and writing payloads line-by-line to evade detection.

Securelist researchers identified that the campaign employs a sophisticated multi-stage infection chain, with malicious implants loaded through DLL loaders.

The first-stage loaders are strategically placed in the System32 directory with names like wlbsctrl.dll, TSMSISrv.dll, and oci.dll, exploiting the Phantom DLL Hijacking technique to achieve automatic persistence upon startup.

These DLLs are artificially inflated to exceed 100 MB by adding junk overlay bytes, making them difficult for security solutions to detect.

The loaders incorporate advanced anti-analysis mechanisms, including MAC address validation to ensure execution only on intended victim machines.

The first-stage loader iterates through installed network adapters, calculating a 32-bit hash of each MAC address and comparing it against hardcoded configuration values.

If no match is found, the loader exits immediately, preventing execution in sandbox environments and confirming the highly targeted nature of this campaign.

Multi-Stage Payload Delivery

The PassiveNeuron infection chain follows a complex four-stage loading process. After the first-stage loader validates the target machine, it loads a second-stage DLL from disk with file sizes exceeding 60 MB.

This loader opens a text file containing Base64-encoded and AES-encrypted data with the third-stage loader. The third-stage payload launches a fourth-stage shellcode loader inside legitimate processes like WmiPrvSE.exe or msiexec.exe, created in suspended mode.

The Neursite backdoor represents the most potent final-stage implant, featuring modular capabilities for system reconnaissance, process management, lateral movement, and file operations.

Attribution analysis points toward Chinese-speaking threat actors, supported by Dead Drop Resolver techniques via GitHub repositories and tactics associated with APT31, APT27, and potentially APT41 groups.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PassiveNeuron Attacking Servers of High-Profile Organizations to Implant Malware appeared first on Cyber Security News.

Since its emergence in August 2022, Lumma Infostealer has rapidly become a cornerstone of malware-as-a-service platforms, enabling even unskilled threat actors to harvest high-value credentials.

Delivered primarily via phishing sites masquerading as cracked software installers, the malicious payload is encapsulated within a Nullsoft Scriptable Install System (NSIS) package designed to evade signature-based detection.

Upon execution, fragmented AutoIt modules are reassembled in memory, with obfuscated shellcode loaded through process hollowing.

This technique replaces a legitimate process with the stealer, camouflaging its activity under the guise of a benign executable.

Genians analysts identified Lumma Infostealer following a surge in reports of credential theft in September 2025. Victims across both consumer and enterprise environments reported unauthorized access to web sessions, remote desktop services, and digital asset wallets.

The stolen browser cookies and account tokens facilitate seamless session hijacking, bypassing multi-factor authentication measures in many cases.

Cryptocurrency wallets saved in local databases, as well as VPN and RDP credentials stored in configuration files, are exfiltrated via encrypted channels to command-and-control (C2) domains hosted on compromised cloud infrastructure.

The multifaceted nature of these thefts amplifies the potential for identity fraud, financial loss, and deeper network intrusions.

Although Lumma Infostealer often serves as an initial foothold for ransomware and other follow-on attacks, its standalone impact is far-reaching.

Victims may remain unaware of the breach until secondary actions—such as unauthorized wire transfers or illicit account listings on underground forums—bring the compromise to light.

The modular design of the malware facilitates continuous updates, with developers pushing regular patches to evade new detection signatures.

Strengthening endpoint detection and response (EDR) systems with behavior-based analytics and threat intelligence integration is critical to intercept the attack chain before data reaches the attacker’s C2 infrastructure.

Infection Mechanism and Evasion Tactics

At the heart of Lumma’s infection strategy is a layered installer that bypasses conventional scanners. When a user executes the downloaded NSIS installer, it drops a ZIP archive into the Temp directory.

A command-line script (Contribute.docx) then invokes extrac32.exe to unpack a disguised Cabinet file.

The extracted components—fragments of an AutoIt script and the AutoIt interpreter—are programmatically merged into a single executable stub.

The following snippet illustrates the process hollowing routine used to inject the final payload:-

; Fragment of AutoIt loader
Run("cmd.exe /c Contribute.docx")
_ConsoleWrite("Launching AutoIt mode...")  
_ProcessCreate("Riding.pif", "", @SystemDir, 0, $pi)  
_WinAPI_WriteProcessMemory($pi.hProcess, $remoteAddr, $shellcode, BinaryLen($shellcode))  
_WinAPI_SetThreadContext($pi.hThread, $context)  
_WinAPI_ResumeThread($pi.hThread)

By verifying the absence of security processes (like SophosHealth, ekrn, AvastUI) with tasklist and findstr, the installer adjusts execution timing and payload placement, slipping past heuristic defenses.

Once injected, the malicious process decrypts its C2 domains—rhussois.su, diadtuky.su, and todoexy.su—and establishes encrypted channels for data exfiltration.

Stolen artifacts include web browser cookies, Telegram session data, cryptocurrency wallet files, and configuration files for VPN and RDP services.

These credentials enable lateral movement and persistent access within victim networks, often without raising immediate alarms.

The sophistication of Lumma Infostealer’s infection mechanism underscores the necessity for continuous monitoring of process injection events, routine auditing of installer behaviors, and enforcement of application allowlisting policies.

Implementing network-level blocks for known C2 domains and employing sandbox detonation for suspicious NSIS packages can further mitigate the threat posed by this stealthy and adaptable infostealer.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Lumma Infostealer Malware Attacks Users to Steal Browser Cookies, Cryptocurrency Wallets and VPN/RDP Accounts appeared first on Cyber Security News.

When users authenticate to Microsoft cloud services, their activities generate authentication events recorded across multiple logging systems.

Microsoft Entra sign-in logs and Microsoft 365 audit logs capture identical authentication events but represent this critical security data using different formats.

Security analysts investigating incidents frequently encounter the UserAuthenticationMethod field in Microsoft 365 sign-in events, which displays cryptic numeric values such as 16, 272, or 33554432 without official documentation from Microsoft explaining their meaning.

This undocumented field has posed challenges for security teams attempting to analyze authentication patterns, identify suspicious login activities, or assess phishing-resistant authentication adoption.

The lack of documentation meant incident responders working in environments where only Microsoft 365 audit logs were available struggled to understand what authentication methods users employed during sign-in events.

Through systematic correlation analysis between Microsoft Entra sign-in logs and Microsoft 365 audit logs, Sekoia analysts discovered that the UserAuthenticationMethod field operates as a bitfield where each bit position represents a distinct authentication method.

This breakthrough enables security professionals to decode these numeric values into human-readable authentication method descriptions.

The research team mapped each bit position to specific authentication methods by leveraging shared correlation identifiers between the logging systems.

Microsoft 365 audit logs contain an InterSystemsId field while Entra ID logs include a correlationId field, both referencing identical authentication events.

By matching events across sources, researchers correlated numeric UserAuthenticationMethod values with detailed authentication method descriptions found in Entra ID’s authenticationMethodDetail fields.

Decoding the Bitfield Mapping Technique

The bitfield structure allows multiple authentication methods to appear simultaneously in one numeric value.

For instance, value 272 converts to binary as 100010000, activating bit 4 representing Password Hash Sync (decimal value 16) and bit 8 representing via Staged Rollout (decimal value 256), indicating “Password Hash Sync via Staged Rollout” as the authentication mechanism.

The mapping encompasses 28 documented bit positions, including Password in the cloud at bit 0 (decimal 1), Temporary Access Pass at bit 1, Seamless SSO at bit 2, Windows Hello for Business at bit 18 (decimal 262144), and Passkey at bit 25 (decimal 33554432).

However, several bits remain unmapped including positions 5, 7, 9-17, 22, and 26.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Decoding Microsoft 365 Audit Log Events Using Bitfield Mapping Technique – Investigation Report appeared first on Cyber Security News.