Phantom Taurus: New Chinese APT Emerges with Fileless NET-STAR Backdoor Targeting Global Governments and Telecoms
A newly identified cyber-espionage group, Phantom Taurus, linked to China, has spent the past two and a half years striking government bodies and telecommunications firms across Africa, the Middle East, and Asia. According to Palo Alto Networks Unit 42, the actors focused their attention on foreign ministries, embassies, military operations, and diplomatic correspondence, with the primary objective of harvesting sensitive intelligence for long-term strategic purposes.
Unit 42 first observed activity attributed to this cluster in 2023 under the provisional label CL-STA-0043. In 2024 the operations were aggregated under the campaign Operation Diplomatic Specter, after which researchers separated Phantom Taurus as a distinct actor. The timing of many intrusions coincided with international crises and regional conflicts, suggesting close alignment with geopolitical priorities.
A hallmark of Phantom Taurus is its proprietary malware platform, NET-STAR, developed in .NET and tailored to compromise IIS servers. The toolkit comprises three web backdoors: IIServerCore, which executes commands entirely in memory and exfiltrates data over encrypted channels; AssemblyExecuter V1, for loading additional .NET modules; and AssemblyExecuter V2, which adds evasions for AMSI and ETW. IIServerCore also includes a timestomping capability to hinder forensic analysis and complicate digital investigations.
For initial access, Phantom Taurus has exploited vulnerabilities in Microsoft Exchange and IIS—most notably ProxyLogon and ProxyShell—and researchers warn the group is likely to pivot to new compromise techniques as defenses evolve, demonstrating operational agility.
In several incidents the intrusions progressed from intercepting correspondence to directly extracting database contents. Operators employed batch scripts to connect to SQL Server, dump query results to CSV files, and terminate connections—activities orchestrated via WMI infrastructure.
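As an added hunting example (not code from Unit 42 or from this article), the routine below scans constructed Sysmon-style process-creation events for the chain just described: a batch script launched under WMI, followed by a SQL client exporting query results to CSV. The field names, the client tools (sqlcmd/osql/bcp), and WmiPrvSE.exe as the WMI parent process are assumptions, not details stated in the report.

```python
import re

# Constructed Sysmon-style (Event ID 1) records; not real telemetry.
EVENTS = [
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c C:\ProgramData\dump.bat"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Tools\sqlcmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'sqlcmd -S db01 -E -Q "SELECT * FROM dbo.Mail" -s "," -o C:\ProgramData\out.csv'},
    {"ProcessId": 400, "ParentProcessId": 50,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir"},
]
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}          # assumed client tools
CSV_EXPORT = re.compile(r'-o\s+\S+\.csv|-s\s*"?,"?', re.I)  # .csv output file or comma separator

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(ev, by_pid, depth=4):
    """Parent image names up to `depth` hops; uses ParentImage when the parent's event is absent."""
    chain, cur = [], ev
    for _ in range(depth):
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:
            chain.append(basename(cur["ParentImage"]))
            break
        chain.append(basename(parent["Image"]))
        cur = parent
    return chain

def hunt(events):
    """Return (ProcessId, reason) pairs for events matching the described tradecraft."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        img, parent = basename(e["Image"]), basename(e["ParentImage"])
        if img in SQL_CLIENTS and CSV_EXPORT.search(e["CommandLine"]):
            reason = "sql_client_csv_export"
            if "wmiprvse.exe" in ancestry(e, by_pid):
                reason += "+wmi_ancestry"   # export launched from a WMI-spawned chain
            hits.append((e["ProcessId"], reason))
        elif img == "cmd.exe" and parent == "wmiprvse.exe" \
                and re.search(r"\.(bat|cmd)\b", e["CommandLine"], re.I):
            hits.append((e["ProcessId"], "wmi_spawned_batch"))
    return hits
```

Exporting to CSV from a SQL client is also routine administrative work, so the WMI-ancestry tag is what should raise a match to an investigation rather than a low-priority alert.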
Intriguingly, portions of Phantom Taurus’s infrastructure partially overlap with resources previously associated with other Chinese-linked clusters such as APT27 (Iron Taurus), APT41 (Starchy Taurus / Winnti), and Mustang Panda (Stately Taurus). At the same time, clear isolation of certain components suggests compartmentalization and delineated responsibilities within the broader Chinese espionage ecosystem.
Analysts note a pronounced interest in documents related to Afghanistan and Pakistan, as well as defense-related material. This selective targeting, and the way the campaigns coincide with major international events, echo patterns seen in other Chinese groups—such as RedNovember, which struck entities in Taiwan and Panama during periods of political and military tension.
The capabilities of NET-STAR and Phantom Taurus’s tactics reflect a high degree of tradecraft and an orientation toward long-term persistence. The combination of bespoke tools and exploitation of well-known vulnerabilities renders the group a serious threat to government agencies and critical infrastructure in strategically sensitive regions.