Palo Alto Networks’ Unit 42 has reported that a previously undocumented, China-aligned nation-state actor it tracks as ‘Phantom Taurus’ has targeted government and telecommunications organisations across Africa, the Middle East and Asia over the past two and a half years, researcher Lior Rochberger wrote.
Unit 42 said it first tracked the activity under other designations in 2023 and 2024, but that continued observation produced enough evidence to classify it as a distinct threat actor whose primary objective is long-term intelligence collection and the acquisition of confidential data of strategic interest to China.
The company described Phantom Taurus as focusing on ministries of foreign affairs, embassies, geopolitical events and military operations, and said the timing and scope of its intrusions frequently coincide with major global events and regional security affairs, a pattern Unit 42 noted is similar to other China-linked campaigns.
Unit 42 said Phantom Taurus uses a bespoke .NET malware suite it calls NET-STAR, built to run inside Internet Information Services (IIS) web servers. The suite includes three web-based backdoors, IIServerCore, AssemblyExecuter V1 and AssemblyExecuter V2, and the company described capabilities such as in-memory execution of .NET payloads, evasion techniques that bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and timestomping to hinder forensic analysis.
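Timestomping on NTFS usually means rewriting a file's $STANDARD_INFORMATION timestamps through the Win32 SetFileTime API; the $FILE_NAME timestamps kept in the same MFT record are not reachable that way, so comparing the two is the standard first check on a suspect file under the IIS web root. The following is an added example and not code from the Unit 42 report: it assumes both timestamp sets have already been extracted with an MFT parser, and the records, paths and dates are constructed for illustration.

```python
"""Timestomping check over NTFS $STANDARD_INFORMATION vs $FILE_NAME timestamps.

Added example, not code from the Unit 42 report. It assumes you have already
pulled both timestamp sets for files under the IIS web root from an MFT parser;
the records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION, what SetFileTime rewrites
    si_modified: datetime
    fn_created: datetime   # $FILE_NAME, written by the kernel on create/rename/move
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the reasons a record looks timestomped (empty list if clean)."""
    reasons = []
    # $FN is written when the name entry is created and is not exposed through
    # SetFileTime, so on an untampered file $SI cannot predate it.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created predates $FN created")
    if rec.si_modified < rec.fn_created:
        reasons.append("$SI modified predates $FN created")
    # NTFS stores 100-ns resolution; tools that write a typed-in date leave the
    # fraction at zero, which real file writes almost never produce.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second component")
    return reasons


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each suspicious path to its indicators."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed records: a legitimately deployed page, and a backdoor dropped in
# June 2025 whose $SI timestamps were pushed back to 2021.
SAMPLE_RECORDS = [
    MftRecord(
        path=r"C:\inetpub\wwwroot\default.aspx",
        si_created=datetime(2024, 3, 1, 10, 0, 0, 123456, tzinfo=UTC),
        si_modified=datetime(2024, 9, 14, 16, 42, 7, 551200, tzinfo=UTC),
        fn_created=datetime(2024, 3, 1, 10, 0, 0, 123456, tzinfo=UTC),
        fn_modified=datetime(2024, 3, 1, 10, 0, 0, 123456, tzinfo=UTC),
    ),
    MftRecord(
        path=r"C:\inetpub\wwwroot\aspnet_client\error.aspx",
        si_created=datetime(2021, 2, 11, 9, 30, 0, 0, tzinfo=UTC),
        si_modified=datetime(2021, 2, 11, 9, 30, 0, 0, tzinfo=UTC),
        fn_created=datetime(2025, 6, 10, 8, 15, 22, 918273, tzinfo=UTC),
        fn_modified=datetime(2025, 6, 10, 8, 15, 22, 918273, tzinfo=UTC),
    ),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The comparison is a hint, not proof of absence: an operator who renames or moves the file after stomping gets the faked values copied into the new $FILE_NAME entry, so corroborate a clean result with the USN journal and the IIS request logs for the same path.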
The report said the exact initial access vector is not clear, but that prior intrusions weaponised vulnerable on-premises IIS and Microsoft Exchange servers using flaws such as ProxyLogon and ProxyShell. Unit 42 also described a shift from harvesting emails to querying databases directly: a batch script, launched through Windows Management Instrumentation (WMI), connects to SQL Server, searches methodically for documents of interest relating to specific countries, including Afghanistan and Pakistan, and exports the results to CSV.
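A detection angle on the collection step described above, as an added example that is not from the Unit 42 report. The report does not name the client the batch script uses to reach SQL Server; the example assumes sqlcmd.exe or bcp.exe, and the Sysmon-style process-creation events, GUIDs and paths are constructed. The point it makes is that the SQL client is typically a grandchild of WmiPrvSE.exe (WmiPrvSE.exe launches cmd.exe, which runs the batch file, which runs sqlcmd), so a rule has to walk the parent chain rather than match only on the direct parent.

```python
"""Correlate WMI-launched shells with SQL Server exports to CSV.

Added example, not code from the Unit 42 report. The report does not name the
SQL client the batch script uses; this example assumes sqlcmd.exe (or bcp.exe)
and Sysmon Event ID 1 style process-creation records. The events below are
constructed, including the GUIDs and paths.
"""
import re

SQL_CLIENTS = {"sqlcmd.exe", "bcp.exe", "osql.exe"}
WMI_HOST = "wmiprvse.exe"
# sqlcmd "-o <file>.csv", sqlcmd '-s ","' (column separator), bcp "queryout".
# Case-sensitive on purpose: sqlcmd's -S (server) and -s (separator) differ.
CSV_EXPORT = re.compile(r'(?:-o\s+"?\S+?\.[cC][sS][vV]\b|\bqueryout\b|-s\s*"?,)')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_sql_csv_export(event: dict) -> bool:
    """True when a SQL command-line client is writing query output to CSV."""
    return basename(event["Image"]) in SQL_CLIENTS and bool(
        CSV_EXPORT.search(event["CommandLine"]))


def wmi_launched_sql_exports(events: list[dict], max_depth: int = 5) -> list[tuple[str, str]]:
    """Return (export ProcessGuid, WMI-spawned ancestor ProcessGuid) pairs.

    Walks ParentProcessGuid links up to max_depth levels looking for an
    ancestor whose parent is WmiPrvSE.exe, i.e. a process created through
    WMI (Win32_Process.Create) rather than by an interactive user.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for event in events:
        if not is_sql_csv_export(event):
            continue
        ancestor, depth = event, 0
        while ancestor is not None and depth < max_depth:
            if basename(ancestor["ParentImage"]) == WMI_HOST:
                hits.append((event["ProcessGuid"], ancestor["ProcessGuid"]))
                break
            ancestor = by_guid.get(ancestor["ParentProcessGuid"])
            depth += 1
    return hits


# Constructed Sysmon Event ID 1 records (field names follow Sysmon, values are made up).
SAMPLE_EVENTS = [
    {   # WMI provider host, normally a child of svchost.exe
        "ProcessGuid": "{A1}", "ParentProcessGuid": "{S1}",
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
    },
    {   # a remote Win32_Process.Create call lands here
        "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r'cmd.exe /c "C:\Windows\Temp\q.bat"',
    },
    {   # the batch file's query, exported to CSV
        "ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}",
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'''SQLCMD.EXE -S 10.0.0.5 -d Archive -Q "SELECT Title, Path FROM Documents WHERE Title LIKE '%Afghanistan%'" -o C:\Windows\Temp\r.csv -s ","''',
    },
    {   # scheduled DBA backup: same client, no export, parent is Task Scheduler's svchost
        "ProcessGuid": "{B1}", "ParentProcessGuid": "{T1}",
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'''SQLCMD.EXE -S . -Q "BACKUP DATABASE Archive TO DISK='D:\bak\Archive.bak'"''',
    },
]

if __name__ == "__main__":
    for export_guid, wmi_child_guid in wmi_launched_sql_exports(SAMPLE_EVENTS):
        print(f"SQL export {export_guid} descends from WMI-spawned process {wmi_child_guid}")
```

A rule keyed only on ParentImage would miss the export, because sqlcmd's direct parent is cmd.exe; the WMI origin is visible only one level higher. The backup job in the sample is excluded by the absence of any CSV output, which is the distinguishing feature of the collection activity rather than the SQL client itself.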
The company said Phantom Taurus has relied on shared operational infrastructure previously used by groups such as APT27, APT41 and Mustang Panda, but that some infrastructure components have not been seen in other operations, suggesting a degree of operational compartmentalisation. Unit 42 warned that the combination of custom tooling and advanced evasion makes the actor a significant threat to internet-facing servers.