Neursite and NeuralExecutor implant deployment on Windows Server

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary

A 2024-2025 malware deployment wave delivered Neursite and NeuralExecutor to Windows Server targets, expanding backdoor access and payload execution capability. The implants were staged through DLL loaders in System32 after an ASPX web shell attempt failed. NeuralExecutor can fetch and run additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets. Neursite adds C2 communications, process control, traffic proxying, and plugin-based execution on compromised servers.

Timeline

  1. 22.10.2025 11:58 · 2 articles

    PassiveNeuron campaign and Windows Server implant deployment

    Technical Analysis Update

    A campaign targeting government, financial, and industrial organizations in Asia, Africa, and Latin America used compromised Windows Server hosts. In at least one incident, the operators gained initial remote command execution through Microsoft SQL; an attempted ASPX web shell drop then failed, and DLL loaders in System32 delivered Neursite, NeuralExecutor, and Cobalt Strike. Neursite is a bespoke C++ modular backdoor that connects to C2 over TCP, SSL, HTTP, and HTTPS. It supports system information gathering, process management, and traffic proxying, plus auxiliary plugins for shell command execution, file system management, and TCP socket operations. NeuralExecutor is a bespoke .NET implant that downloads and executes additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets; 2025 artifacts use a GitHub dead drop resolver to obtain C2 addresses.
