Phantom Taurus: Chinese Cyberespionage Group Targeting Governments

Cybersecurity researchers have identified a previously undocumented state-sponsored Chinese hacking group called Phantom Taurus.

A new report from Palo Alto Networks’ Unit 42 threat intelligence team outlines a multi-year investigation into Phantom Taurus, revealing a campaign that has targeted government entities and telecommunications providers across the Middle East, Africa, and Asia.

The group’s primary mission is cyberespionage, focusing on exfiltrating sensitive non-public information from high-value targets. Over the past two and a half years, Unit 42 has observed Phantom Taurus concentrating on ministries of foreign affairs, embassies, and military organizations, often timing intrusions to coincide with regional geopolitical events.

The formal designation of Phantom Taurus follows a careful and extended tracking effort that began in 2022. Initially logged as a cluster under the reference CLA-STA-0043, the activity was promoted in May 2024 to a temporary group labeled TGR-STA-0043 and nicknamed Operation Diplomatic Specter. Continued monitoring and the accumulation of evidence led to its formal classification as a distinct threat actor in 2025.

“This rare level of insight reflects the depth and duration of our investigation,” the report states, emphasizing that long-term monitoring provides a clearer view of an adversary’s evolution and strategic intent.

What sets Phantom Taurus apart from other Chinese advanced persistent threat (APT) groups is its particular combination of tactics, techniques, and procedures (TTPs). Although the group leverages shared operational infrastructure also used by actors such as Iron Taurus (APT27) and Stately Taurus (Mustang Panda), it maintains operational compartmentalization by employing unique components not seen in other campaigns. Its toolkit mixes common tools like China Chopper and Impacket with bespoke malware, enabling covert operations and persistent access to compromised networks.

Since early 2025, Unit 42 has observed a shift in the group’s data collection methods. Whereas Phantom Taurus previously focused on stealing selected emails from compromised servers, it has increasingly targeted databases directly. Researchers documented the use of a custom script named mssq.bat to connect to SQL servers and run dynamic queries, allowing attackers to locate specific documents and intelligence related to countries such as Afghanistan and Pakistan.
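The database-harvesting behaviour described above has a simple defensive signal: one login, from a web server host, issuing dynamic SQL against many databases within a few minutes. The following is an added example (not Unit 42's code or the mssq.bat script) that runs that heuristic over SQL Server audit records. The log line format, the login and host names, and the thresholds are constructed assumptions for the example; in practice the records would come from SQL Server Audit or Extended Events.

```python
"""Flag logins that sweep many databases with dynamic SQL in a short window.

Added example, not code from the original report. The line format and the
sample records below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-line format: timestamp, login, client host, database, statement.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) login=(?P<login>\S+) host=(?P<host>\S+) '
    r'db=(?P<db>\S+) stmt="(?P<stmt>.*)"$'
)
# Dynamic SQL markers: sp_executesql or EXEC(...) of a string expression.
DYNAMIC_SQL_RE = re.compile(r"\bsp_executesql\b|\bEXEC(?:UTE)?\s*\(", re.IGNORECASE)


def parse(lines):
    """Parse audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_database_sweeps(events, window=timedelta(minutes=10), min_dbs=3):
    """Return one alert per (login, host) that touched >= min_dbs distinct
    databases with dynamic SQL inside any `window`-long interval."""
    by_actor = defaultdict(list)
    for e in events:
        if DYNAMIC_SQL_RE.search(e["stmt"]):
            by_actor[(e["login"], e["host"])].append(e)

    alerts = []
    for (login, host), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event; stop at the first hit per actor.
        for i, start in enumerate(evs):
            dbs = {e["db"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(dbs) >= min_dbs:
                alerts.append({"login": login, "host": host,
                               "start": start["ts"], "databases": sorted(dbs)})
                break
    return alerts


# Constructed sample: a reporting account doing normal work, and a web-server
# service account probing four databases in under two minutes.
SAMPLE_LOG = """\
2025-02-03T10:14:22Z login=svc_reporting host=APPSRV02 db=HR stmt="SELECT COUNT(*) FROM employees"
2025-02-03T10:15:01Z login=svc_web host=IISWEB01 db=Correspondence stmt="EXEC sp_executesql N'SELECT subject FROM mail WHERE subject LIKE ''%Afghanistan%'''"
2025-02-03T10:15:09Z login=svc_web host=IISWEB01 db=Archive2023 stmt="EXEC sp_executesql N'SELECT title FROM documents WHERE title LIKE ''%Pakistan%'''"
2025-02-03T10:15:40Z login=svc_web host=IISWEB01 db=Consular stmt="EXEC sp_executesql N'SELECT title FROM documents WHERE title LIKE ''%Afghanistan%'''"
2025-02-03T10:16:12Z login=svc_web host=IISWEB01 db=Protocol stmt="EXEC sp_executesql N'SELECT name FROM sys.tables'"
2025-02-03T11:40:00Z login=svc_reporting host=APPSRV02 db=HR stmt="EXEC sp_executesql N'SELECT 1'"
"""

if __name__ == "__main__":
    for alert in find_database_sweeps(parse(SAMPLE_LOG.splitlines())):
        print(f"{alert['login']}@{alert['host']} swept {alert['databases']} from {alert['start']}")
```

The threshold of three databases in ten minutes is a starting point, not a tuned value; a reporting or backup account that legitimately iterates databases should be baselined and excluded rather than raising the threshold for everyone.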

A notable discovery is a previously undocumented custom malware suite named NET-STAR. This .NET-based toolset, designed to compromise Internet Information Services (IIS) web servers, represents a significant advance in the actor’s capabilities. The NET-STAR name was derived from strings found in program database (PDB) paths within the malware.

The NET-STAR suite showcases Phantom Taurus’ sophisticated evasion techniques and deep knowledge of .NET internals, posing a serious risk to internet-facing servers. It comprises three primary web-based backdoors. The principal component, IIServerCore, is a fileless, modular backdoor that runs entirely in the memory of the IIS worker process, making detection especially difficult.

IIServerCore is initially deployed by an ASPX web shell and can receive and execute additional payloads, manage other web shells, access databases, and perform file system operations while communicating over encrypted channels. To further hinder forensic analysis, Phantom Taurus has used timestomping—altering file timestamps to match legitimate system files.
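Because IIServerCore lives in the IIS worker process's memory, disk artefacts are mostly limited to the ASPX web shell that stages it, and timestomping is aimed at making that file blend in. The following added example (not Unit 42's code) shows the triage a responder can run over file timestamps collected from a web root. Three indicators are checked: timestamps with no sub-second component (NTFS records 100 ns resolution, and tools that set timestamps by hand typically write whole seconds), timestamps that exactly match those of legitimate system files, and a modification time earlier than the creation time, which is weak on its own because ordinary file copies produce it too. The records, the reference timestamps and the paths are constructed for the example; a real collection would come from the MFT or a directory walk.

```python
"""Timestomping triage over file records from an IIS web root.

Added example, not code from the original report. FileRecord values and the
system reference timestamps are constructed; datetime carries microseconds
rather than NTFS's 100 ns ticks, which is enough for the zero-subsecond check.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime   # creation time from $STANDARD_INFORMATION
    modified: datetime  # last-write time from $STANDARD_INFORMATION


# Constructed: timestamps carried by legitimate system binaries on the host.
# Collect these from the real system directory rather than hard-coding them.
SYSTEM_REFERENCE_TIMES = {
    datetime(2023, 11, 14, 3, 12, 45, 318227),
    datetime(2023, 11, 14, 3, 12, 45, 0),
}


def timestomp_indicators(rec, reference_times=SYSTEM_REFERENCE_TIMES):
    """Return the list of indicators that fire for one record (empty if none)."""
    flags = []
    # Hand-set timestamps are usually whole seconds; real writes rarely are.
    if rec.created.microsecond == 0 and rec.modified.microsecond == 0:
        flags.append("zero-subsecond")
    # A web-root file carrying exactly a system binary's timestamp is copied, not coincidental.
    if rec.created in reference_times or rec.modified in reference_times:
        flags.append("matches-system-file-time")
    # Weak on its own: copying a file also yields created > modified.
    if rec.modified < rec.created:
        flags.append("modified-before-created")
    return flags


def triage(records, reference_times=SYSTEM_REFERENCE_TIMES):
    """Map each flagged path to its indicators; clean files are omitted."""
    result = {}
    for rec in records:
        flags = timestomp_indicators(rec, reference_times)
        if flags:
            result[rec.path] = flags
    return result


# Constructed sample records (raw strings: "\a" in a normal string is a bell character).
SAMPLE_RECORDS = [
    FileRecord(r"C:\inetpub\wwwroot\default.aspx",
               datetime(2024, 5, 2, 9, 15, 3, 412566), datetime(2024, 5, 2, 9, 15, 3, 412566)),
    FileRecord(r"C:\inetpub\wwwroot\app\about.aspx",
               datetime(2024, 5, 2, 9, 16, 40, 77123), datetime(2024, 6, 1, 14, 2, 11, 908811)),
    FileRecord(r"C:\inetpub\wwwroot\app\legacy.aspx",   # copied in: weak indicator only
               datetime(2024, 7, 9, 8, 0, 5, 551902), datetime(2024, 1, 20, 16, 30, 2, 103377)),
    FileRecord(r"C:\inetpub\wwwroot\app\upd.aspx",      # stomped to a system file's time
               datetime(2023, 11, 14, 3, 12, 45, 0), datetime(2023, 11, 14, 3, 12, 45, 0)),
]

if __name__ == "__main__":
    for path, flags in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(flags)}")
```

Files that fire "matches-system-file-time" or "zero-subsecond" deserve a look at the $FILE_NAME timestamps and USN journal, which the common timestomping tools do not rewrite; "modified-before-created" alone is only worth escalating when the file also sits outside the application's normal deployment pattern.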

The NET-STAR suite also includes two versions of a loader called AssemblyExecuter. The original version executed .NET assemblies in memory, while a newer iteration added advanced evasion features. The upgraded loader is capable of bypassing key Windows security mechanisms—specifically the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW)—enabling it to remain undetected in more secure environments.

The prolonged investigation and subsequent classification of Phantom Taurus underscore how adaptable and persistent modern state-sponsored threats have become. Unit 42 reports it has shared its findings with members of the Cyber Threat Alliance to help organizations strengthen their defenses.
