Phantom Taurus: New Chinese APT Targets Governments with Malware

Tags: Phantom Taurus, Chinese APT, cybersecurity threats, advanced persistent threat, espionage operations
Edward Zhou, CEO & Co-Founder

October 2, 2025, 3 min read

Phantom Taurus Overview

Phantom Taurus is a newly identified Chinese advanced persistent threat (APT) group that has been operational for over two and a half years, primarily targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's espionage operations align closely with the strategic interests of the People's Republic of China (PRC).

Its primary targets are ministries of foreign affairs, embassies, and military organizations. According to Palo Alto Networks researcher Lior Rochberger, "The group's primary objective is espionage. Its attacks demonstrate stealth, persistence, and an ability to quickly adapt their tactics, techniques, and procedures (TTPs)."

Evolution of Phantom Taurus

Palo Alto Networks Unit 42 first tracked the activity as cluster CL-STA-0043 in June 2023. By May 2024 it had been promoted to the temporary group designation TGR-STA-0043, and the campaign was given the codename Operation Diplomatic Specter. Unit 42 has since gathered enough evidence to graduate the cluster to a distinct, named threat actor focused on long-term intelligence collection.

[Figure: Evolution timeline]

The group's operations often coincide with major geopolitical events, and the timing and scope of its attacks track the PRC's economic and political interests.

Technical Analysis and Tactics

Targeting and Attack Techniques

Phantom Taurus runs long-term intelligence operations against high-value targets to acquire sensitive, non-public data. Its shift from exfiltrating mailboxes to querying SQL Server databases directly is a notable tactical evolution: a batch script named mssq.bat connects to the database server, runs queries, and writes the results out as CSV files.

The mssq.bat script operates as follows:

  1. Authenticates to the SQL Server instance using the built-in sa (system administrator) login.
  2. Builds and runs queries that search the database contents for a supplied keyword.
  3. Exports the matching rows to CSV files and closes the connection.

[Figure: Execution diagram]

Because the script drives a built-in database client from cmd.exe instead of dropping custom tooling, the activity looks like routine administration: a living-off-the-land (LotL) technique that sidesteps file-based detection, which is why the defender's leverage lies in process-creation telemetry and in auditing who actually logs in as sa.
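A hunt for the export pattern described above, written as an added example rather than code from the page or from Unit 42. It flags a native SQL Server command-line client (sqlcmd.exe is assumed, since the page does not name the client) when two or more of the following coincide: an sa login, a keyword search in the query text, CSV output, and a batch-file parent. The log format (tab-separated host, user, parent command line, command line) and the three sample events are constructed; map your own Sysmon Event ID 1 or Windows 4688 fields onto them.

```python
"""Hunt for sqlcmd-style bulk database export (sa login, keyword query,
CSV output, batch parent) in process-creation records. Added example;
log format and sample events are constructed, not real telemetry."""
import re
from dataclasses import dataclass, field

# Native SQL Server clients an intruder can live off. Assumption: the page
# does not name the client; sqlcmd.exe is the one shipped with SQL Server.
DB_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}

# Indicators matched against the command line (batch_parent is matched
# against the parent command line instead).
INDICATORS = {
    "sa_login":       re.compile(r'(?:^|\s)-U\s+"?sa"?(?:\s|$)', re.I),
    "csv_export":     re.compile(r'-o\s+"?[^"\s]+\.csv"?|-s\s+"?,"?', re.I),
    "keyword_search": re.compile(r"\bLIKE\s+'%|\bCONTAINS\s*\(", re.I),
}
BATCH_PARENT = re.compile(r"\.(?:bat|cmd)\b", re.I)


@dataclass
class Finding:
    host: str
    user: str
    client: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # A native client plus two or more indicators is worth a ticket.
        return len(self.reasons) >= 2


def image_name(cmdline: str) -> str:
    """Basename of the executable, handling quoted paths with spaces."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(host, user, parent_cmd, cmdline):
    client = image_name(cmdline)
    if client not in DB_CLIENTS:
        return None
    finding = Finding(host, user, client)
    for name, rx in INDICATORS.items():
        if rx.search(cmdline):
            finding.reasons.append(name)
    if BATCH_PARENT.search(parent_cmd):
        finding.reasons.append("batch_parent")
    return finding


def hunt(tsv_text: str):
    """Return one Finding per event that used a native database client."""
    findings = []
    for line in tsv_text.splitlines():
        if not line.strip():
            continue
        host, user, parent_cmd, cmdline = line.split("\t", 3)
        finding = analyse_event(host, user, parent_cmd, cmdline)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: (host, user, parent command line, command line).
SAMPLE_EVENTS = "\n".join("\t".join(e) for e in [
    # batch-driven sa login, keyword query, CSV output: the mssq.bat shape
    ("srv-db01", r"CORP\svc_web",
     r"C:\Windows\System32\cmd.exe /c C:\Windows\Temp\mssq.bat Afghanistan",
     r'''sqlcmd.exe -S localhost -U sa -P ****** -Q "SELECT * FROM docs WHERE body LIKE '%Afghanistan%'" -s "," -W -o C:\Windows\Temp\out.csv'''),
    # nightly backup from a .cmd with integrated auth: one weak indicator only
    ("srv-db01", r"CORP\svc_backup",
     r"C:\Windows\System32\cmd.exe /c C:\Scripts\nightly_backup.cmd",
     r'''sqlcmd.exe -S localhost -E -Q "BACKUP DATABASE docs TO DISK = N'D:\bak\docs.bak'"'''),
    # DBA checking the version as sa from an interactive prompt
    ("srv-db02", r"CORP\dba.jane",
     r"C:\Windows\System32\cmd.exe",
     r'''"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe" -S srv-db02 -U sa -P ****** -Q "SELECT @@VERSION"'''),
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        tag = "ALERT" if f.flagged else "info "
        print(f"{tag} {f.host} {f.user} {f.client}: {', '.join(f.reasons) or 'none'}")
```

Only the first event is flagged; the backup job and the DBA's version check each carry a single indicator and are returned as informational context, which is the point of scoring on combinations rather than on any one of them.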

Custom Malware: NET-STAR

One of the most alarming developments is a bespoke malware suite named NET-STAR, which targets Internet Information Services (IIS) web servers. Written in .NET, it is built to run inside the IIS worker process, keep its payloads in memory, and disable the host's inspection hooks (AMSI and ETW) so that those payloads are neither scanned nor logged.

NET-STAR includes three main components:

  1. IIServerCore: A fileless, modular backdoor that runs in memory inside the IIS worker process and executes commands and payloads without writing them to disk.
  2. AssemblyExecuter V1: A loader that receives additional .NET assemblies and executes them directly in memory.
  3. AssemblyExecuter V2: An enhanced variant that additionally bypasses the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), so in-memory payloads are not scanned by AMSI and their runtime activity is not reported through ETW.

[Figure: IIServerCore execution flow]
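A fileless backdoor inside the IIS worker process still needs something to put it there, and a small ASP.NET page that decodes a payload and calls Assembly.Load (patching AMSI or ETW first, in the V2 style) is the usual shape. The triage script below, an added example and not the page's or Unit 42's code, walks an IIS web root and scores handler files on that pattern. Assumptions: the page does not describe how NET-STAR is actually loaded and gives no indicators, so the patterns here are generic .NET and Win32 API names rather than published IoCs, and the two sample pages are constructed (not compilable C#) and written to a temporary directory.

```python
"""Score ASP.NET handler files for in-memory .NET loading and AMSI/ETW
tampering. Added example; indicators are generic API names and the sample
pages are constructed, not real NET-STAR artifacts."""
import re
import tempfile
from pathlib import Path

HANDLER_EXT = {".aspx", ".ashx", ".asmx", ".asax"}

# Weighted indicators: name -> (weight, pattern). The heavy weights sit on
# APIs a legitimate page has no business naming.
INDICATORS = {
    "reflective_load": (3, re.compile(
        r"Assembly\.Load\s*\(|AppDomain\.CurrentDomain\.Load|Reflection\.Emit", re.I)),
    "encoded_payload": (1, re.compile(
        r"Convert\.FromBase64String|MemoryStream|GZipStream", re.I)),
    "request_driven":  (1, re.compile(
        r"Request\.(?:Form|Headers|Cookies|Params)\[", re.I)),
    "amsi_tamper":     (4, re.compile(r"AmsiScanBuffer|amsi\.dll", re.I)),
    "etw_tamper":      (4, re.compile(r"EtwEventWrite|NtTraceEvent", re.I)),
    "memory_patch":    (2, re.compile(
        r"VirtualProtect|Marshal\.Copy|WriteProcessMemory", re.I)),
}
THRESHOLD = 5  # reflective load + encoded payload + request input already trips it


def score_source(text: str) -> dict:
    """Map of indicator name -> weight for every indicator present."""
    return {name: w for name, (w, rx) in INDICATORS.items() if rx.search(text)}


def scan_webroot(root) -> list:
    """Score every handler file under root, highest score first."""
    root = Path(root)
    results = []
    for path in root.rglob("*"):
        if path.suffix.lower() not in HANDLER_EXT or not path.is_file():
            continue
        hits = score_source(path.read_text(errors="replace"))
        score = sum(hits.values())
        results.append({"path": path.relative_to(root).as_posix(), "score": score,
                        "hits": sorted(hits), "suspicious": score >= THRESHOLD})
    return sorted(results, key=lambda r: -r["score"])


# Constructed loader page: patch AmsiScanBuffer, then reflectively load an
# assembly delivered in a request header. Illustrative only, not compilable.
LOADER_SAMPLE = """<%@ Page Language="C#" %>
<%@ Import Namespace="System.Reflection" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<script runat="server">
  [DllImport("kernel32")] static extern bool VirtualProtect(IntPtr a, UIntPtr n, uint p, out uint o);
  void Page_Load(object s, EventArgs e) {
    uint old; VirtualProtect(Resolver.Find("amsi.dll", "AmsiScanBuffer"), (UIntPtr)8, 0x40, out old);
    byte[] raw = Convert.FromBase64String(Request.Headers["X-Data"]);
    Assembly.Load(raw).GetType("Run").GetMethod("Main").Invoke(null, new object[] { Request });
  }
</script>
"""

# Constructed benign page: takes form input and streams a CSV report.
BENIGN_SAMPLE = """<%@ Page Language="C#" %>
<script runat="server">
  void Page_Load(object s, EventArgs e) {
    string q = Request.Form["q"];
    var ms = new System.IO.MemoryStream();
    Response.ContentType = "text/csv";
    Response.Write(Reports.ToCsv(q));
  }
</script>
"""


def build_demo_webroot() -> Path:
    """Write the two constructed pages into a fresh temp web root."""
    root = Path(tempfile.mkdtemp(prefix="iis-demo-"))
    (root / "aspnet_client").mkdir()
    (root / "default.aspx").write_text(BENIGN_SAMPLE)
    (root / "aspnet_client" / "error.aspx").write_text(LOADER_SAMPLE)
    (root / "readme.txt").write_text("not a handler, ignored")
    return root


if __name__ == "__main__":
    for r in scan_webroot(build_demo_webroot()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(f"{flag} {r['score']:>2} {r['path']}: {', '.join(r['hits']) or '-'}")
```

The benign report page also reads request input and uses MemoryStream, which is why those two indicators carry weight 1: on their own they describe most of ASP.NET, while a reflective load or an AMSI/ETW reference is rare enough in a web root to justify pulling the file for review.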

Conclusion on Threat Landscape

Phantom Taurus represents a significant threat to the government and telecommunications organizations it targets, given its advanced capabilities and clear alignment with state-sponsored espionage. The combination of focused targeting, bespoke malware, and operational compartmentalization makes the group a formidable adversary.



CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
