Ethical Hacking News
Phantom Taurus, a Beijing-backed gang of burglars, has been linked to sophisticated web server attacks using custom malware. The group's novel approach utilizes .NET architecture to target Internet Information Services (IIS) web servers, making it challenging for security professionals to detect. With its apparent interest in targeting diplomatic communications and defense-related intelligence, Phantom Taurus represents a significant threat to internet-facing servers.
Palo Alto Networks' Unit 42 has identified a new gang of burglars backed by China, dubbed "Phantom Taurus". The group's initial focus was on targeting email systems, but it soon expanded to databases using stolen credentials. Phantom Taurus uses existing infrastructure linked to other China-backed gangs, including Iron Taurus and Starchy Taurus. The gang has developed a custom malware suite called "NET-STAR" that targets Internet Information Services (IIS) web servers. NET-STAR consists of three primary backdoors with evasion capabilities, making it challenging to detect. Phantom Taurus is targeting diplomatic communications, defense-related intelligence, and governmental ministries.
In a recent development that sheds light on the growing concern of state-sponsored cyber threats, researchers at Palo Alto Networks' Unit 42 have identified a new gang of burglars backed by China. The group, dubbed "Phantom Taurus," has been linked to various malicious activities across Asia, Africa, and the Middle East.
According to Unit 42's report, Phantom Taurus first gained notoriety in 2022 after the researchers observed its unusual tactics, techniques, and procedures (TTPs). The gang's initial focus was on targeting email systems, but it soon expanded its reach to databases by utilizing stolen credentials. Notably, Phantom Taurus leveraged existing infrastructure used by other China-linked gangs, including Iron Taurus (aka APT27), Starchy Taurus (aka Winnti), and Stately Taurus (aka Mustang Panda).
However, what sets Phantom Taurus apart from its predecessors is its novel approach to web server attacks. The gang has developed a custom malware suite called "NET-STAR," which utilizes .NET architecture to target Internet Information Services (IIS) web servers. This advanced attack method demonstrates the group's sophisticated understanding of .NET architecture and its ability to evade traditional security measures.
NET-STAR consists of three primary backdoors: IServerCore, AssemblyExecuter V1, and AssemblyExecuter V2. The first two variants employ a fileless modular approach, allowing for in-memory execution of command-line arguments, arbitrary commands, and payloads. These components are designed to bypass traditional antivirus engines and security software.
Notably, the third variant, AssemblyExecuter V2, incorporates Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) bypass capabilities, making it particularly challenging for researchers to detect: AMSI is the channel through which in-memory .NET and script content is handed to the antivirus engine, and ETW is the source of much endpoint telemetry, so disabling both leaves the in-memory stages largely unobserved. This suggests that Phantom Taurus is deliberately degrading defenders' visibility, with the ultimate goal of staying one step ahead of the security teams hunting it.
Unit 42's investigation into Phantom Taurus has revealed several key indicators of compromise (IoCs), including specific SHA256 hashes for the three backdoors. The report also documents the gang's apparent interest in targeting diplomatic communications, defense-related intelligence, and governmental ministries, and the researchers have noted that its activity often coincides with major global events and regional security affairs.
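A defender-side check that follows from the IoC paragraph above, as an added example that is not part of this article or of Unit 42's report: a Python sweep that hashes the code-carrying files under an IIS deployment and matches them against a supplied list of SHA256 values. The hash values in the script are placeholders (the article does not reproduce the published hashes), the default scan root is the standard IIS location C:\inetpub, and the extension filter is an assumption chosen to keep the sweep fast. File-hash matching only finds components written to disk; the fileless, in-memory stages described above need process or ETW telemetry instead.

```python
"""Added example (not from the article or Unit 42): sweep a directory tree for
files whose SHA256 matches a known-bad list, as a disk-side IoC check for an
IIS host."""
from __future__ import annotations

import hashlib
import os
from pathlib import Path
from typing import Iterable

# Placeholder hashes: replace with the SHA256 values published in the Unit 42 report.
KNOWN_BAD_SHA256 = {
    "0" * 64: "PLACEHOLDER IServerCore",
    "1" * 64: "PLACEHOLDER AssemblyExecuter V1",
    "2" * 64: "PLACEHOLDER AssemblyExecuter V2",
}

# Assumed set of extensions that carry code or configuration in an IIS/.NET
# deployment; other files are skipped so the sweep stays fast on large web roots.
CODE_EXTENSIONS = {".dll", ".exe", ".aspx", ".ashx", ".asmx", ".config"}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_candidate_files(root: Path, extensions=CODE_EXTENSIONS) -> Iterable[Path]:
    """Walk the tree and yield only files whose extension is in the filter set."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in extensions:
                yield p


def sweep(root, known_bad=KNOWN_BAD_SHA256, extensions=CODE_EXTENSIONS) -> list[tuple[str, str, str]]:
    """Return (path, sha256, label) for every candidate file whose hash is in known_bad."""
    hits: list[tuple[str, str, str]] = []
    for p in iter_candidate_files(Path(root), extensions):
        try:
            digest = sha256_of_file(p)
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the whole sweep
        if digest in known_bad:
            hits.append((str(p), digest, known_bad[digest]))
    return hits


if __name__ == "__main__":
    import sys

    # Default to the standard IIS root; pass another directory as the first argument.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else r"C:\inetpub"
    for path, digest, label in sweep(scan_root):
        print(f"MATCH {label}: {path} {digest}")
```

Run it with the real hashes substituted into KNOWN_BAD_SHA256; a match identifies a file to preserve for analysis rather than delete, since the file and its timestamps are evidence for the rest of the investigation.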
While China has consistently denied backing attack gangs, the evidence suggests otherwise. Palo Alto Networks' report serves as a stark reminder of the ongoing threat landscape and the need for increased vigilance among governments, organizations, and individuals alike. As researchers continue to uncover new details about Phantom Taurus and its activities, it is essential that we prioritize collaboration, intelligence sharing, and proactive defense strategies to counter these emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Evidence-Emerges-Beijing-Backed-Burglars-Use-Custom-Malware-to-Target-Government-Web-Servers-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/10/01/phantom_taurus_apt/
Published: Tue Sep 30 22:29:23 2025 by llama3.2 3B Q4_K_M