Phantom Taurus: New Chinese APT Targets Governments with Malware

Edward Zhou

CEO & Co-Founder
October 2, 2025 3 min read

Phantom Taurus Overview

Phantom Taurus is a newly identified Chinese advanced persistent threat (APT) group that has been operational for over two and a half years, primarily targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's espionage operations align closely with the strategic interests of the People's Republic of China (PRC).

The primary focus areas of Phantom Taurus include ministries of foreign affairs, embassies, and military operations. According to researcher Lior Rochberger, "The group's primary objective is espionage. Its attacks demonstrate stealth, persistence, and an ability to quickly adapt their tactics, techniques, and procedures (TTPs)."

Evolution of Phantom Taurus

Palo Alto Networks first tracked Phantom Taurus as activity cluster CL-STA-0043 in June 2023. By May 2024, it was designated TGR-STA-0043 and given the campaign codename Operation Diplomatic Specter. Recent investigations have revealed sufficient evidence to classify the group as an independent threat actor focused on long-term intelligence collection.

[Figure: Evolution timeline]

The group's operations often coincide with major geopolitical events, and the timing and scope of its attacks reflect its alignment with the PRC's economic and political interests.

Technical Analysis and Tactics

Targeting and Attack Techniques

Phantom Taurus primarily conducts long-term intelligence operations against high-value targets to acquire sensitive, non-public data. The group's shift from exfiltrating emails to directly targeting SQL Server databases marks a significant tactical evolution. Using a batch script named mssq.bat, the group connects to databases, executes queries, and exports the results to CSV files.

The mssq.bat script operates as follows:

  1. Authenticates to the SQL Server using the system administrator account.
  2. Dynamically executes queries to search for specific keywords.
  3. Exports the results to CSV files before closing the connection.

[Figure: mssq.bat execution diagram]
This approach demonstrates the group’s reliance on living-off-the-land (LotL) techniques to evade detection.

Custom Malware: NET-STAR

One of the most alarming developments is the introduction of a bespoke malware suite named NET-STAR, which targets Internet Information Services (IIS) web servers. This .NET malware suite is designed for stealthy operations and advanced evasion techniques.

NET-STAR includes three main components:

  1. IIServerCore: A fileless modular backdoor that operates in memory, allowing execution of commands and payloads without leaving traces on disk.
  2. AssemblyExecuter V1: A component that loads and executes other .NET assemblies directly in memory.
  3. AssemblyExecuter V2: An enhanced variant that adds capabilities to bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

[Figure: IIServerCore execution flow]
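The two behaviours described above, the mssq.bat database export (authenticate as the administrator account, query, write CSV) and IIServerCore executing commands from inside the IIS worker process, both leave a footprint in process-creation telemetry. The Python script below is an added defensive example, not code from the original post or from Palo Alto Networks: it runs three heuristic rules over Sysmon-style process-creation events. It assumes that the "system administrator account" in the mssq.bat description is the built-in sa login, that a sqlcmd-style client with -U / -o flags (or bcp queryout) is used for the export, and that the IIS worker process is w3wp.exe; the event records, file paths and rule names are constructed for the example.

```python
"""Heuristic detections for the Phantom Taurus behaviours described on this page.

Added example (not from the original post). Events are constructed to look like
Sysmon Event ID 1 (process creation) records, reduced to the three fields the
rules need.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Command-line SQL clients that can run queries and write results to a file.
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Assumption: the administrator login is the built-in "sa" account (sqlcmd -U sa).
SA_LOGIN = re.compile(r"(?:^|\s)-U\s*[\"']?sa[\"']?(?=\s|$)")
# sqlcmd "-o <file>.csv" or bcp "queryout <file>.csv": query output written to CSV.
CSV_OUTPUT = re.compile(r"(?:^|\s)(?:-o|queryout)\s*[\"']?[^\"'\s]+\.csv", re.IGNORECASE)


def sql_export_as_sa(ev: ProcessEvent) -> bool:
    """A SQL client authenticating as sa and writing query results to a CSV file."""
    return (_basename(ev.image) in SQL_CLIENTS
            and SA_LOGIN.search(ev.command_line) is not None
            and CSV_OUTPUT.search(ev.command_line) is not None)


def iis_spawned_shell(ev: ProcessEvent) -> bool:
    """The IIS worker process launching a command interpreter (in-memory backdoor running commands)."""
    return _basename(ev.parent_image) == IIS_WORKER and _basename(ev.image) in SHELLS


def known_script_name(ev: ProcessEvent) -> bool:
    """The batch script name reported on this page appearing on a command line."""
    return "mssq.bat" in ev.command_line.lower()


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("sql_export_as_sa", sql_export_as_sa),
    ("iis_spawned_shell", iis_spawned_shell),
    ("known_script_name", known_script_name),
]


def classify(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires on every event."""
    return [(name, ev.command_line) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry (hosts, paths and commands are made up).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'sqlcmd -S db01 -U sa -P Pa55 -Q "SELECT name FROM sys.databases" -o C:\Temp\dump.csv -s ","'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 "cmd.exe /c ver"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\svchost.exe",
                 '"C:\\Windows\\System32\\inetsrv\\w3wp.exe" -ap "DefaultAppPool"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe",
                 r"cmd.exe /c C:\Users\Public\mssq.bat"),
    ProcessEvent(r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'sqlcmd -S db01 -E -Q "SELECT 1"'),
]

if __name__ == "__main__":
    for rule_name, cmd in classify(SAMPLE_EVENTS):
        print(f"[{rule_name}] {cmd}")
```

The benign control events (an IIS worker started normally by svchost.exe, and a sqlcmd invocation using integrated authentication with no file output) produce no hits, which is the behaviour a rule should have before it is deployed; in production the same three checks would be fed from Sysmon or EDR process-creation events rather than the constructed list.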

Conclusion on Threat Landscape

Phantom Taurus represents a significant threat to organizations across various sectors due to its advanced capabilities and clear alignment with state-sponsored espionage activities. The combination of targeted tactics, bespoke malware, and operational compartmentalization makes this group a formidable adversary in the cyber threat landscape.

For further information on Phantom Taurus and its tactics, check out the following links:

Edward Zhou
CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
