Find notable cyber news and cases, enriched with sources, timelines, and signals.

Neursite and NeuralExecutor implant deployment on Windows Server

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

A 2024-2025 malware deployment wave delivered Neursite and NeuralExecutor to Windows Server targets, expanding backdoor access and payload execution capability. The implants were staged through DLL loaders in System32 after an ASPX web shell attempt failed. NeuralExecutor can fetch and run additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets. Neursite adds C2 communications, process control, traffic proxying, and plugin-based execution on compromised servers.

Related Happenings

Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw

Vulnerability
H score39 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...

DEEP#DOOR Python backdoor framework

Malware Activity
H score28 First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT

Campaign
H score33 First: 04.02.2026 19:24 Last: 04.02.2026 19:24 Sources 1

About this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...

PeckBirdy JScript C2 framework used across multiple environments since 2023

Malware Activity
H score21 First: 27.01.2026 11:01 Last: 27.01.2026 11:01 Sources 1

About this happening: Since **2023**, the **PeckBirdy** **JScript-based C2 framework** has been used by **China-aligned APT actors** to reach **multiple environments**, giving them flexible delivery an...

SHADOW#REACTOR Remcos RAT delivery chain

Malware Activity
H score23 First: 13.01.2026 18:00 Last: 13.01.2026 18:00 Sources 1

About this happening: Researchers analyzed **SHADOW#REACTOR**, a **multi-stage Windows malware campaign** that uses **script-based staging** and in-memory loaders to quietly deliver **Remcos RAT**, inc...

Timeline

  1. 22.10.2025 11:58 2 articles · 8mo ago

    PassiveNeuron campaign and Windows Server implant deployment

    Technical Analysis Update

    A campaign targeting government, financial, and industrial organizations in Asia, Africa, and Latin America used compromised Windows Server hosts, and in at least one incident the operators gained initial remote command execution through Microsoft SQL before an attempted ASPX web shell drop failed and DLL loaders in System32 delivered Neursite, NeuralExecutor, and Cobalt Strike. Neursite is a bespoke C++ modular backdoor that connects to C2 over TCP, SSL, HTTP, and HTTPS, supports system information gathering, process management, traffic proxying, and auxiliary plugins for shell command execution, file system management, and TCP socket operations. NeuralExecutor is a bespoke .NET implant that downloads and executes additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets, with 2025 artifacts using a GitHub dead drop resolver to obtain C2 addresses.

    Show sources