Ethical Hacking News
Phantom Taurus, a previously undocumented China-aligned nation-state actor, has been leaving a trail of stealth malware and espionage operations across governments and telecommunications organizations in Africa, the Middle East, and Asia. This group's ability to infiltrate networks using custom-developed tools and techniques makes them a significant threat to national security.
Phantom Taurus, a China-aligned nation-state actor, has been conducting cyber espionage efforts in Africa, the Middle East, and Asia since late 2022.
The group's primary objective is espionage, using stealthy hacking tactics to infiltrate networks.
Phantom Taurus uses custom-developed tools, including NET-STAR malware, to target Internet Information Services (IIS) web servers.
The group exploits vulnerabilities in IIS and Microsoft Exchange servers to gain initial access to networks.
NET-STAR consists of three web-based backdoors with specific functions, each maintaining access to the compromised IIS environment.
Phantom Taurus' attacks demonstrate advanced evasion techniques and a deep understanding of .NET architecture, posing a significant threat to internet-facing servers.
Phantom Taurus, a previously undocumented China-aligned nation-state actor, has been wreaking havoc on governments and telecommunications organizations across Africa, the Middle East, and Asia over the past two-and-a-half years. This group, dubbed CL-STA-0043 in June 2023, was later upgraded to TGR-STA-0043 in May of this year, following a series of sustained cyber espionage efforts aimed at governmental entities since late 2022 as part of a campaign codenamed Operation Diplomatic Specter.
According to Unit 42, a cybersecurity company that has been tracking the group's activities, Phantom Taurus' primary objective is espionage. The group's attacks demonstrate stealth, persistence, and an ability to quickly adapt their tactics, techniques, and procedures (TTPs). In other words, they are masters of the art of stealthy hacking.
The group's modus operandi stands out due to the use of custom-developed tools and techniques rarely observed in the threat landscape. This includes a never-before-seen bespoke malware suite dubbed NET-STAR, which is designed to target Internet Information Services (IIS) web servers. Developed in .NET, the suite is capable of evading traditional security measures and exploiting vulnerabilities in IIS.
One of the most significant aspects of Phantom Taurus' attacks is their ability to infiltrate target networks using vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers. These servers have been exploited by the group, abusing flaws like ProxyLogon and ProxyShell, to gain initial access to the network.
Another notable aspect of the group's tactics is their shift from gathering emails to directly targeting databases using a batch script that allows them to connect to an SQL Server database, export the results in the form of a CSV file, and terminate the connection. This method enables the group to systematically search for documents of interest and information related to specific countries such as Afghanistan and Pakistan.
Recent attacks mounted by Phantom Taurus have also leveraged NET-STAR, which consists of three web-based backdoors, each performing a specific function while maintaining access to the compromised IIS environment. These backdoors include:
IIServerCore, a fileless modular backdoor loaded by means of an ASPX web shell that supports in-memory execution of command-line arguments, arbitrary commands, and payloads, and transmits the results over an encrypted command-and-control (C2) communication channel.
AssemblyExecuter V1, which loads and executes additional .NET payloads in memory.
AssemblyExecuter V2, an enhanced version of AssemblyExecuter V1 that also comes fitted with the ability to bypass Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
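Because IIServerCore is loaded through an ASPX web shell, the IIS W3C request log is a natural place for defenders to look. The Python script below is an added example written for this article, not code from Unit 42 or from the NET-STAR analysis; the log lines, host names, IP addresses and the path /images/cache.aspx are constructed for the demonstration. It flags ASPX paths that only ever receive POST requests, from at most two client addresses, never with a Referer, and that no other client browses with a GET, which is the access pattern a web shell driven by an operator's tooling tends to leave behind.

```python
"""Hunt for web-shell-style access patterns in an IIS W3C extended log.

Heuristic: a web shell is usually an ASPX path that almost nobody visits,
receives POSTs (the operator's commands) from one or two source IPs, and is
never reached via a link on the site (no Referer). Legitimate application
pages are browsed by many clients, usually with a Referer, and see GETs.
"""
from collections import defaultdict

# Constructed sample log for the demonstration; not from any real incident.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-09-30 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-30 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://mail.example.test/ 200 0 0 120
2025-09-30 08:00:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 0 0 85
2025-09-30 08:01:10 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 https://mail.example.test/ 200 0 0 110
2025-09-30 08:02:15 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 0 0 90
2025-09-30 08:05:00 10.0.0.5 POST /images/cache.aspx - 443 - 192.0.2.44 python-requests/2.31 - 200 0 0 30
2025-09-30 08:05:03 10.0.0.5 POST /images/cache.aspx - 443 - 192.0.2.44 python-requests/2.31 - 200 0 0 410
2025-09-30 08:05:09 10.0.0.5 POST /images/cache.aspx - 443 - 192.0.2.44 python-requests/2.31 - 200 0 0 2200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a production tool should count and report these
        yield dict(zip(fields, parts))


def find_suspicious_aspx(text, max_sources=2):
    """Return ASPX paths whose only traffic is POSTs from a handful of clients."""
    posting_ips = defaultdict(set)    # stem -> client IPs that POSTed to it
    getting_ips = defaultdict(set)    # stem -> client IPs that GET it
    referer_hits = defaultdict(int)   # stem -> requests that carried a Referer
    requests = defaultdict(int)       # stem -> total requests
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        requests[stem] += 1
        if rec["cs(Referer)"] != "-":
            referer_hits[stem] += 1
        if rec["cs-method"] == "POST":
            posting_ips[stem].add(rec["c-ip"])
        elif rec["cs-method"] == "GET":
            getting_ips[stem].add(rec["c-ip"])
    findings = []
    for stem, ips in posting_ips.items():
        if (len(ips) <= max_sources
                and referer_hits[stem] == 0
                and not getting_ips[stem]):
            findings.append({"path": stem, "sources": sorted(ips),
                             "requests": requests[stem]})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for hit in find_suspicious_aspx(SAMPLE_LOG):
        print(f"{hit['path']}: {hit['requests']} POSTs from {hit['sources']}")
```

Since the page notes that IIServerCore's C2 channel is encrypted, inspecting request bodies is of limited use; the shape of the traffic, combined with a file-system review of any flagged path, is what gives this hunt its value. Legitimate script-driven form handlers can match the same pattern, so treat the output as a triage list, not a verdict.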
According to Unit 42, the NET-STAR malware suite demonstrates Phantom Taurus' advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers. IIServerCore also supports a command called changeLastModified, which suggests that the malware has active timestomping capabilities, designed to confuse security analysts and digital forensics tools.
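Timestomping of the kind the changeLastModified command suggests leaves measurable traces, because a file's modification time can be set freely but the metadata-change or creation time usually cannot. The Python scanner below is an added example for this article, not a tool from Unit 42 or from the NET-STAR report; the file names, the extension list and the one-hour skew threshold are assumptions chosen for the demonstration. It walks a web root and flags files whose modification time is far earlier than their ctime, or whose modification time has an all-zero sub-second component, both long-standing forensic indicators of a manually set timestamp.

```python
"""Flag web-content files whose timestamps look manipulated (timestomped).

Two heuristics, both standard in digital forensics:
  1. Modification time far earlier than the ctime. On Linux/Unix, ctime is the
     inode change time and is bumped whenever mtime is rewritten (e.g. via
     utime), so a freshly dropped file that claims to be old shows mtime << ctime.
     On Windows, Python reports the creation time in st_ctime, so the same test
     reads as "modified before it was created", which is equally anomalous.
  2. Modification time with an all-zero sub-second part. Tools that copy or type
     a timestamp usually set whole seconds; normally written files carry a
     nanosecond-resolution stamp.
"""
import os
import shutil
import tempfile
import time

# Assumed list of extensions worth checking under an IIS web root.
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax", ".config", ".dll")


def timestamp_findings(path, max_skew_seconds=3600):
    """Return the list of heuristics a single file trips (empty if none)."""
    st = os.stat(path)
    reasons = []
    if st.st_ctime_ns - st.st_mtime_ns > max_skew_seconds * 1_000_000_000:
        reasons.append("mtime_predates_ctime")
    if st.st_mtime_ns % 1_000_000_000 == 0:
        reasons.append("whole_second_mtime")
    return reasons


def scan_webroot(root, extensions=WEB_EXTENSIONS):
    """Map relative path -> reasons for every flagged file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            reasons = timestamp_findings(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def demo():
    """Build a constructed web root: one normal page, one backdated page."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        with open(os.path.join(root, "default.aspx"), "w") as fh:
            fh.write('<%@ Page Language="C#" %>\n')  # normal page, normal timestamps
        stomped = os.path.join(root, "cache.aspx")
        with open(stomped, "w") as fh:
            fh.write("<%-- constructed placeholder file --%>\n")
        # Backdate the mtime by a year to a whole second, as a timestomping
        # tool would; the OS updates ctime as a side effect.
        a_year_ago = (time.time_ns() // 1_000_000_000 - 365 * 86400) * 1_000_000_000
        os.utime(stomped, ns=(a_year_ago, a_year_ago))
        return scan_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Deployment tooling that preserves modification times when extracting an archive will trip the first heuristic for every file it wrote, so compare flagged files against the deployment record before escalating; a lone ASPX or DLL that is backdated while its neighbours are not is the case worth pulling for analysis. On NTFS, the $FILE_NAME attribute timestamps offer a further cross-check that this portable script does not perform.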
The exact initial access vector used by Phantom Taurus is not clear, but prior intrusions have relied on shared operational infrastructure that has been previously employed by groups like APT27 (aka Iron Taurus), APT41 (aka Starchy Taurus or Winnti), and Mustang Panda (aka Stately Taurus). At the same time, the infrastructure components used by the threat actor have not been detected in operations carried out by others, indicating some sort of "operational compartmentalization" within the shared ecosystem.
Phantom Taurus' attacks are a significant concern for governments and telecommunications organizations across Africa, the Middle East, and Asia. The group's ability to infiltrate networks using stealthy tactics and evade traditional security measures makes them a formidable threat to national security.
In light of this new information, it is clear that Phantom Taurus is a significant player in the world of cyber espionage. Their use of custom-developed tools and techniques, combined with their ability to adapt and evolve, make them a force to be reckoned with.
Related Information:
https://www.ethicalhackingnews.com/articles/New-China-Linked-Hacker-Group-Leaves-Trail-of-Stealth-Malware-and-Espionage-Operations-ehn.shtml
https://thehackernews.com/2025/09/phantom-taurus-new-china-linked-hacker.html
https://www.telecomstechnews.com/news/chinese-hacking-group-phantom-taurus-targets-governments/
https://attack.mitre.org/groups/G0096/
https://www.fbi.gov/wanted/cyber/apt-41-group
https://www.cyware.com/resources/threat-briefings/research-and-analysis/apt27-an-in-depth-analysis-of-a-decade-old-active-chinese-threat-group-e4cc
https://www.dexpose.io/threat-actor-profile-apt27/
https://attack.mitre.org/groups/G0129/
Published: Tue Sep 30 13:22:58 2025 by llama3.2 3B Q4_K_M