Ethical Hacking News

Unveiling Phantom Taurus: China's Stealthy APT Threatening Global Cybersecurity



A previously undocumented Chinese APT group, Phantom Taurus, has been using the Net-Star malware suite to conduct espionage campaigns against key sectors, including government organizations and telecommunications companies. With its unique tactics and custom tools, this threat is serious and highlights the increasing sophistication of China's cyber espionage capabilities.

  • Phantom Taurus, a Chinese Advanced Persistent Threat (APT) group, has been identified as a new threat actor.
  • The group is utilizing the Net-Star malware suite to conduct espionage campaigns against key sectors, including government organizations and telecommunications companies.
  • The Net-Star malware suite includes tools like ISServerCore and AssemblyExecuter V2, which allow for fileless backdoors, encrypted sessions, and AMSI evasion.
  • Phantom Taurus has been active for over two years, targeting entities in Africa, the Middle East, and Asia, with a focus on foreign ministries and military operations.



Phantom Taurus, a previously undocumented Chinese Advanced Persistent Threat (APT) group, has been making waves in the cybersecurity community for its sophisticated and stealthy tactics. According to recent research by Palo Alto Networks, Phantom Taurus has been utilizing the Net-Star malware suite to conduct espionage campaigns against key sectors, including government organizations and telecommunications companies.

The Net-Star malware suite is a collection of tools designed to compromise internet-facing servers, specifically targeting IIS web servers. The primary component of this suite is ISServerCore, a fileless, modular backdoor that loads payloads into memory. This allows the attackers to establish encrypted AES C2 sessions, track state via cookies, and dynamically load .NET assemblies from Base64. Additionally, the malware supports file I/O, database queries, arbitrary code execution, web-shell management, and AMSI evasion, making it a formidable tool for cyber espionage.
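A backdoor that runs inside IIS and keeps its payloads in memory leaves little on disk except the module registration that loads it. A first triage step on a suspect web server is therefore to list every module IIS is configured to load and compare it with the locations Microsoft ships its own modules from. The script below is an added example written for this article, not code from the article, from Palo Alto Networks or from the malware; the `applicationHost.config` fragment is constructed, the module names and paths in it are invented for illustration and are not indicators, and the trusted-prefix list is an assumption about a default install.

```python
"""Triage helper: list IIS module registrations in applicationHost.config
that do not come from the locations where Microsoft ships its own modules.
Added example (not from the article or the Unit 42 research); the sample
config below is constructed and nothing in it is an indicator."""
import xml.etree.ElementTree as ET

# Prefixes under which stock IIS and ASP.NET native modules live on a default
# install (assumption). IIS writes these with environment variables, so compare
# after lower-casing and normalizing slashes.
TRUSTED_NATIVE_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
    "%systemroot%\\system32\\inetsrv\\",
    "%systemroot%\\microsoft.net\\",
)
# Managed modules shipped with the framework sit in these namespaces.
TRUSTED_MANAGED_NAMESPACES = ("System.", "Microsoft.")

# Constructed fragment of an applicationHost.config with one native and one
# managed registration that a defender would want to look at.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="CoreHelper" image="C:\inetpub\wwwroot\bin\corehlp.dll" />
    </globalModules>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="StaticFileModule" />
      <add name="CoreHelperManaged" type="Example.Loader.CoreModule, corehlp, Version=1.0.0.0" />
    </modules>
  </system.webServer>
</configuration>
"""


def _norm(path):
    return path.replace("/", "\\").lower()


def find_untrusted_modules(config_xml):
    """Return one finding per module registered outside the trusted set."""
    findings = []
    root = ET.fromstring(config_xml)
    # Native (global) modules: a DLL path that every worker process loads.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            if not _norm(image).startswith(TRUSTED_NATIVE_PREFIXES):
                findings.append({"kind": "native", "name": add.get("name", ""),
                                 "location": image,
                                 "reason": "image outside stock IIS/.NET directories"})
    # Managed modules: a .NET type name. Entries without 'type' only enable a
    # native module that is already listed in globalModules, so skip them.
    for section in root.iter("modules"):
        for add in section.findall("add"):
            type_attr = add.get("type")
            if not type_attr:
                continue
            type_name = type_attr.split(",")[0].strip()
            if not type_name.startswith(TRUSTED_MANAGED_NAMESPACES):
                findings.append({"kind": "managed", "name": add.get("name", ""),
                                 "location": type_attr,
                                 "reason": "type outside System./Microsoft. namespaces"})
    return findings


if __name__ == "__main__":
    for f in find_untrusted_modules(SAMPLE_CONFIG):
        print(f"[{f['kind']}] {f['name']}: {f['location']} ({f['reason']})")
```

Run it against a copy of `%windir%\System32\inetsrv\config\applicationHost.config`; `iter()` also picks up `<modules>` sections inside `<location>` overrides for individual sites. A path under the trusted prefixes is not proof of legitimacy, since a module can be dropped into `inetsrv` as easily as anywhere else, so treat the output as a shortlist to check against a known-good baseline and file hashes rather than as a verdict.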

Another component of the Net-Star suite is AssemblyExecuter V1, a loader that runs additional .NET payloads in memory. The most advanced loader in the suite, AssemblyExecuter V2, is built for heavily monitored environments: it not only executes payloads but also bypasses AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows).

Artifacts in the malware's PDB paths and embedded Base64 data link Net-Star to Phantom Taurus. Its deployment marks a significant escalation in the group's tactics: the actor has shifted from stealing sensitive emails to directly targeting databases. The attackers have used a script, mssq.bat, to connect to SQL Server databases with compromised credentials, execute queries, export the results to CSV, and close the connections.
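The database-collection step described above has a recognisable shape in process-creation telemetry: an IIS worker process spawning a command interpreter, a batch script, and a SQL command-line client run with credentials on its command line and its output written to CSV. The hunting script below is an added example written for this article, not code from the article, from Palo Alto Networks or from the attackers. The log lines are constructed in a simple key=value form resembling Sysmon event 1 fields; the use of `sqlcmd.exe` as the client and the paths and host names are assumptions.

```python
"""Hunt process-creation events for the IIS-to-SQL-Server collection pattern:
w3wp.exe spawning an interpreter, a batch script, and a SQL client run with a
password on the command line or exporting results to CSV. Added example, not
from the article or the Unit 42 research; events below are constructed and the
choice of sqlcmd.exe as the client is an assumption."""
import re

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}
IIS_WORKER = "w3wp.exe"

# Constructed events: one benign worker start, the suspicious chain, and a DBA
# running sqlcmd with integrated authentication as a control.
SAMPLE_EVENTS = [
    r'ts=2025-10-01T02:11:05Z host=WEB01 parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\inetsrv\w3wp.exe cmdline="w3wp.exe -ap DefaultAppPool"',
    r'ts=2025-10-01T02:11:07Z host=WEB01 parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Windows\Temp\mssq.bat"',
    r'ts=2025-10-01T02:11:09Z host=WEB01 parent=C:\Windows\System32\cmd.exe image="C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe" cmdline="sqlcmd.exe -S DB01 -U svc_web -P REDACTED -i C:\Windows\Temp\q.sql -o C:\Windows\Temp\export.csv"',
    r'ts=2025-10-01T09:30:00Z host=ADMIN02 parent=C:\Windows\explorer.exe image="C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe" cmdline="sqlcmd.exe -S DB01 -E -i C:\Users\dba\patch.sql"',
]

# key=value pairs; values containing spaces are double-quoted.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def _base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event is interesting (empty if none)."""
    reasons = []
    parent = _base(ev.get("parent", ""))
    image = _base(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    if parent == IIS_WORKER and image in INTERPRETERS:
        reasons.append("IIS worker process spawned a command interpreter")
    if re.search(r"\.bat\b", cmd, re.I):
        reasons.append("command line invokes a batch script")
    if image in SQL_CLIENTS:
        # For sqlcmd/osql the upper-case -P switch carries the password;
        # -E means integrated authentication and is not flagged.
        if re.search(r"\s-P\s*\S", cmd):
            reasons.append("SQL client run with a password on the command line")
        if re.search(r"(?:\s-o\s*|>\s*)\S+\.csv\b", cmd, re.I):
            reasons.append("query results exported to CSV")
    return reasons


def hunt(lines):
    """Return (ts, host, image name, reasons) for every event that scores."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.get("ts"), ev.get("host"), _base(ev.get("image", "")), reasons))
    return hits


if __name__ == "__main__":
    for ts, host, image, reasons in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host} {image}: " + "; ".join(reasons))
```

The worker-process-to-interpreter rule is the high-signal one, since a healthy application pool rarely needs `cmd.exe`; the other rules add context so the chain reads as one incident rather than three alerts. A password on a SQL client's command line is an exposure worth fixing on its own (integrated authentication or a vault-backed credential), because it ends up in exactly the telemetry this script reads.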

Phantom Taurus has been active for over two years, targeting entities in Africa, the Middle East, and Asia. Their campaigns have focused on foreign ministries, embassies, geopolitical events, and military operations. The group's unique tactics, including the use of custom tools like Specter and Ntospy, set it apart from other Chinese APTs.

The researchers at Palo Alto Networks have confirmed that Phantom Taurus represents a new, separate threat actor aligned with Chinese strategic intelligence priorities. This finding is significant, as it highlights the increasing sophistication and reach of China's cyber espionage capabilities.

In conclusion, Phantom Taurus is a formidable APT group that has been utilizing the Net-Star malware suite to conduct stealthy espionage campaigns against key sectors. Its unique tactics and custom tools make it a serious threat to global cybersecurity. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and take proactive measures to protect themselves against such sophisticated threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-Phantom-Taurus-Chinas-Stealthy-APT-Threatening-Global-Cybersecurity-ehn.shtml

  • https://securityaffairs.com/182852/apt/china-linked-apt-phantom-taurus-uses-net-star-malware-in-espionage-campaigns-against-key-sectors.html

  • https://cybersecsentinel.com/net-star-backdoor-exploits-iis-modules-for-persistent-access/

  • https://www.securityweek.com/chinese-apt-phantom-taurus-targeting-organizations-with-net-star-malware/

  • https://www.theregister.com/2025/10/01/phantom_taurus_apt/?td=rt-3a

  • https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

  • https://www.cloudflare.com/learning/security/threats/meltdown-spectre/

  • https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/

  • https://malpedia.caad.fkie.fraunhofer.de/details/win.ntospy

  • https://thehackernews.com/2025/09/phantom-taurus-new-china-linked-hacker.html

  • https://www.csoonline.com/article/4066651/chinese-apt-group-phantom-taurus-targets-gov-and-telecom-organizations.html


  • Published: Thu Oct 2 03:40:24 2025 by llama3.2 3B Q4_K_M
