Phantom Taurus: How Hackers Created an Invisible Network Inside Government Servers Across Three Continents

The group's tactics suggest a close alignment with specific global geopolitical events.

A newly identified China-linked cyber-espionage group, Phantom Taurus, has been attacking government entities and telecommunications companies in Africa, the Middle East, and Asia for the past two and a half years. According to Palo Alto Networks' Unit 42, the threat actors are primarily interested in ministries of foreign affairs, embassies, military operations, and diplomatic correspondence. The main goal of the attacks is the collection of confidential information for long-term intelligence gathering in China's interests.

Unit 42 first detected the group's activity in 2023 under the temporary designation CL-STA-0043. In 2024 the operations were consolidated under the "Operation Diplomatic Specter" campaign, and researchers subsequently identified Phantom Taurus as a distinct actor. The attacks coincided with international crises and regional conflicts, indicating that collection tasking tracks a geopolitical agenda.

A distinctive feature of Phantom Taurus is its own .NET malware suite, NET-STAR, built to compromise IIS web servers. The toolkit comprises three components:

  • IIServerCore: a backdoor that executes commands and loads payloads directly in memory, without writing them to disk, and exfiltrates data over an encrypted channel.
  • AssemblyExecuter V1: a loader for running additional .NET assemblies.
  • AssemblyExecuter V2: the same loader with added AMSI and ETW bypass capabilities, so that loaded payloads are neither scanned through the Antimalware Scan Interface nor traced through Event Tracing for Windows.
IIServerCore also includes timestomping functionality: it alters file timestamps so that dropped files blend into the existing file system timeline, which complicates the work of analysts and forensic tooling that relies on timeline analysis.
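The usual forensic counter to timestomping is to compare the $STANDARD_INFORMATION ($SI) timestamps, which user-mode API calls can rewrite, against the $FILE_NAME ($FN) timestamps in the same MFT record, which they normally cannot. The following is an added example, not code from the Unit 42 report or from NET-STAR; it assumes the analyst has already parsed both timestamp sets out of the MFT with a tool of their choice, and the records it runs over are constructed for illustration (the paths and times are invented).

```python
"""Timestomping heuristics over parsed NTFS MFT timestamps (added example).

Assumes each record carries the $STANDARD_INFORMATION creation/modification
times (si_*) and the $FILE_NAME creation time (fn_created) as UTC datetimes.
"""
from datetime import datetime, timedelta, timezone

STRONG = "strong"
WEAK = "weak"
# Absorb rounding between the two attribute sets; NTFS stores 100 ns ticks.
TOLERANCE = timedelta(seconds=1)


def ts(value):
    """Parse an ISO-8601 string as a UTC datetime."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed records (hypothetical paths and times, not from a real system).
SAMPLE_RECORDS = [
    {   # Legitimate binary: $SI and $FN agree, sub-second precision present.
        "path": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "si_created": ts("2024-03-11T08:12:44.127331"),
        "si_modified": ts("2024-05-02T17:30:09.551004"),
        "fn_created": ts("2024-03-11T08:12:44.127331"),
    },
    {   # Web shell dropped recently, then backdated to look like an old file.
        "path": r"C:\inetpub\wwwroot\aspnet_client\system_web\default.aspx",
        "si_created": ts("2019-12-07T09:14:52"),
        "si_modified": ts("2019-12-07T09:14:52"),
        "fn_created": ts("2025-09-24T02:41:17.884120"),
    },
    {   # File copied from FAT media: whole-second times, but $SI/$FN consistent.
        "path": r"C:\Users\Public\report.csv",
        "si_created": ts("2025-09-20T10:00:00"),
        "si_modified": ts("2025-09-18T14:30:00"),
        "fn_created": ts("2025-09-20T10:00:00"),
    },
]


def evaluate(rec):
    """Return (severity, reason) findings for one MFT record."""
    findings = []
    # $FN creation is set when the name is created and is not touched by
    # SetFileTime, so an $SI creation time earlier than it is a strong signal.
    if rec["si_created"] + TOLERANCE < rec["fn_created"]:
        findings.append((STRONG, "$SI creation predates $FN creation"))
    # Tools that set FILETIME values from whole seconds leave the sub-second
    # part zero. Files from FAT/exFAT media look the same, so this is weak.
    if rec["si_created"].microsecond == 0 and rec["si_modified"].microsecond == 0:
        findings.append((WEAK, "zero sub-second precision in $SI timestamps"))
    # Note: "modified before created" is NOT used; ordinary file copies produce
    # exactly that pattern and would flood the analyst with false positives.
    return findings


def find_timestomped(records):
    """Map path -> reasons for records with at least one strong finding."""
    flagged = {}
    for rec in records:
        findings = evaluate(rec)
        if any(level == STRONG for level, _ in findings):
            flagged[rec["path"]] = [reason for _, reason in findings]
    return flagged


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

One caveat when applying this on a live case: $FN timestamps are refreshed from $SI when a file is renamed or moved, so an actor who stomps a file and then renames it defeats the comparison; corroborate with $UsnJrnl and $LogFile entries and with the IIS request logs for the web shell's path.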

To gain initial access, Phantom Taurus exploited known vulnerabilities in Microsoft Exchange and IIS, specifically the ProxyLogon and ProxyShell exploit chains. Patches for both have been available since 2021, so the group's continued success with them points to unpatched, internet-facing Exchange servers as the main exposure. Researchers also do not rule out that the group will shift to new compromise methods in the future, as its members have shown flexibility and an ability to adapt to defensive measures.

In some cases, the attacks escalated from collecting correspondence to extracting the contents of databases directly. For this, the actors used a batch script, executed remotely through WMI, that connected to SQL Server, ran queries, exported the results in CSV format, and then closed the connection.
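That sequence leaves a recognisable process lineage in endpoint telemetry: the WMI provider host (WmiPrvSE.exe) spawns cmd.exe for the batch file, which spawns a SQL client writing a CSV file. The hunt below is an added example, not from the Unit 42 report, and does not reproduce the actor's script or command lines. It assumes process-creation events (Sysmon Event ID 1 or Security 4688) have already been normalised into dicts with the fields shown; the events themselves are constructed, with invented hostnames, paths and PIDs.

```python
"""Hunt for WMI-launched SQL Server exports in process-creation telemetry
(added example; events below are constructed, not real logs)."""
import re

WMI_HOST = "wmiprvse.exe"
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}
# sqlcmd -o <file>.csv, bcp ... queryout, or a comma column separator (-s ",").
CSV_EXPORT = re.compile(r'(-o\s+\S+\.csv|\bqueryout\b|-s\s*"?,"?)', re.I)

# Constructed telemetry: pid/ppid are the Windows process IDs from the event.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 896,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 5312, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\db.bat"},
    {"pid": 5340, "ppid": 5312,
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmdline": r'sqlcmd -S MAILDB01 -Q "SELECT * FROM Mail.dbo.Messages" -s "," -o C:\Windows\Temp\out.csv'},
    # Benign: scheduled maintenance job, same SQL client, no WMI ancestor and no CSV export.
    {"pid": 1204, "ppid": 700,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 6100, "ppid": 1204,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Scripts\backup.bat"},
    {"pid": 6120, "ppid": 6100,
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmdline": r'sqlcmd -S MAILDB01 -Q "BACKUP DATABASE Mail TO DISK=N''D:\bak\mail.bak''"'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(proc, by_pid, max_depth=8):
    """Parent chain of proc, nearest parent first. The depth cap guards
    against cycles caused by PID reuse; on real Sysmon data key by ProcessGuid."""
    chain = []
    current = proc
    for _ in range(max_depth):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return chain


def hunt(events):
    """Return SQL client launches that (a) descend from WmiPrvSE.exe and
    (b) export query results to a file. Either signal alone is common in
    normal administration; together they match the pattern described above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if basename(event["image"]) not in SQL_CLIENTS:
            continue
        chain = ancestry(event, by_pid)
        from_wmi = any(basename(a["image"]) == WMI_HOST for a in chain)
        exports = bool(CSV_EXPORT.search(event["cmdline"]))
        if from_wmi and exports:
            lineage = [basename(a["image"]) for a in reversed(chain)]
            lineage.append(basename(event["image"]))
            hits.append({"pid": event["pid"], "lineage": lineage,
                         "cmdline": event["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["pid"], " -> ".join(hit["lineage"]))
        print("   ", hit["cmdline"])
```

On a real estate, pair the process lineage with the SQL Server side: an export of this kind also shows up as an unusual login and a full-table SELECT from the IIS or Exchange host in SQL Server audit or Extended Events logs, which survives even if the endpoint telemetry on the web server was tampered with.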

Notably, Phantom Taurus's infrastructure partially overlaps with resources previously used by APT27 (Iron Taurus), APT41 (Starchy Taurus, Winnti), and Mustang Panda (Stately Taurus). At the same time, other components are kept strictly separate, indicating a division of responsibilities within the Chinese cyber-espionage community.

Researchers note that the threat actors show particular interest in documents related to Afghanistan and Pakistan, as well as in defense-related information. This selectivity and the alignment with key international events echo the practices of other Chinese groups, such as RedNovember, which targeted entities in Taiwan and Panama during periods of political and military tension.

The functionality of NET-STAR and Phantom Taurus's tactics demonstrate a high level of sophistication and a drive for long-term persistence within compromised systems. The combination of purpose-built tooling with well-known, reliably exploitable vulnerabilities makes the group a serious threat to government bodies and critical infrastructure in strategically important regions.
