SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Phantom Taurus: new Chinese group targets governments in Asia & Africa

Thu, 2nd Oct 2025

Unit 42 researchers have revealed the existence of Phantom Taurus, a newly identified Chinese state-sponsored threat actor targeting government and telecommunications organisations across Africa, the Middle East, and Asia.

According to Unit 42's findings, Phantom Taurus has been conducting espionage operations aligned with the interests of the People's Republic of China over the past two and a half years. The group's activities include targeting ministries of foreign affairs, embassies, diplomatic missions, and critical telecommunications infrastructure, with a primary objective of collecting sensitive, non-public information.

Distinctive operations

The research highlights that Phantom Taurus operates using previously undocumented tactics and custom malware, distinguishing it from other known Chinese advanced persistent threat (APT) groups. Unit 42 describes the group as "well-resourced, geopolitically aware, and poses a formidable, ongoing threat with a primary geographic focus on Africa, the Middle East, and Asia."

Phantom Taurus has demonstrated persistent and adaptive attack methods. When its presence is discovered inside a target network, the group reportedly regroups and re-enters within hours or days rather than retreating for an extended period, behaviour considered unusual among threat actors.

Their approach is further differentiated by a dual-mission focus: targeting both high-level geopolitical intelligence and technical infrastructure. Instead of relying on widespread phishing attacks, Phantom Taurus conducts detailed research to compromise critical systems directly, bypassing users and enabling the theft of entire mailboxes or establishing persistent data collection footholds.

Custom toolsets

Unit 42's investigation uncovered that Phantom Taurus employs an arsenal of unique tools and techniques, including a new malware suite named NET-STAR. This suite is designed to target Internet Information Services (IIS) web servers and is made up of three web-based backdoors, each intended for a specific role:

  • IIServerCore - a fileless, modular backdoor enabling in-memory execution of commands and payloads
  • AssemblyExecuter V1 - designed to load and execute additional .NET payloads in memory
  • AssemblyExecuter V2 - an evolved version with additional capabilities to bypass security controls

The NET-STAR suite enables attackers to maintain persistence on targeted IIS servers, avoid detection by remaining in memory only, and bypass key security features such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

"Our observations show that Phantom Taurus' main focus areas include ministries of foreign affairs, embassies, geopolitical events and military operations. The group's primary objective is espionage. Its attacks demonstrate stealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs)," the Unit 42 report notes.

Tactical evolution

The researchers identified an evolution in Phantom Taurus' data collection methods. While earlier campaigns involved stealing sensitive emails from mail servers, more recent activity has shifted towards compromising databases directly. The group was observed using custom scripts and leveraging Windows Management Instrumentation (WMI) to collect targeted data from SQL Server databases.

"Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People's Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia."

Custom-developed scripts such as 'mssq.bat' facilitate access to databases using previously obtained credentials, enabling targeted data exfiltration by executing custom queries and exporting results without user involvement.
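The two behaviours described above (an in-memory IIS backdoor executing commands from the web worker process, and WMI-launched scripts exporting data from SQL Server) are the kind of thing a defender would look for in process-creation telemetry. The triage rule below is an added example, not code from the Unit 42 report or from SecurityBrief; the log field layout, host names and the choice of sqlcmd/bcp as the SQL client are assumptions, and the sample events are constructed.

```python
"""Triage of constructed process-creation events for IIS-worker-spawned shells,
WMI-launched commands and SQL client tools writing results to disk.
Assumptions: pipe-delimited fields, sqlcmd/bcp as the SQL export client."""
from collections import namedtuple

# Constructed sample events: ts|host|parent|image|cmdline (not real telemetry)
SAMPLE_LOG = """\
2025-09-12T03:14:05Z|WEB01|w3wp.exe|cmd.exe|cmd.exe /c dir C:\\inetpub\\wwwroot
2025-09-12T03:14:09Z|WEB01|svchost.exe|w3wp.exe|w3wp.exe -ap DefaultAppPool
2025-09-12T03:20:41Z|DB02|WmiPrvSE.exe|cmd.exe|cmd.exe /c C:\\Windows\\Temp\\mssq.bat
2025-09-12T03:20:42Z|DB02|cmd.exe|sqlcmd.exe|sqlcmd.exe -S DB02 -E -Q "select name from sys.databases" -o C:\\Windows\\Temp\\dbs.csv
2025-09-12T08:00:00Z|DB02|services.exe|sqlservr.exe|sqlservr.exe -sMSSQLSERVER
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "bcp.exe"}   # assumption: page does not name the client

Event = namedtuple("Event", "ts host parent image cmdline")

def parse_line(line: str) -> Event:
    # cmdline may itself contain '|', so split only the first four fields
    ts, host, parent, image, cmdline = line.split("|", 4)
    return Event(ts, host, parent.lower(), image.lower(), cmdline)

def classify(ev: Event) -> list:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    if ev.parent == "w3wp.exe" and ev.image in SHELLS:
        hits.append("iis-worker-spawned-shell")   # web backdoor running commands
    if ev.parent == "wmiprvse.exe" and ev.image in SHELLS:
        hits.append("wmi-launched-command")       # script started via WMI
    if ev.image in SQL_CLIENTS:
        lowered = ev.cmdline.lower()
        # sqlcmd -o <file> and bcp ... out <file> both write query results to disk
        if " -o " in lowered or " out " in lowered:
            hits.append("sql-client-export-to-file")
    return hits

def triage(log_text: str) -> list:
    """Return (ts, host, rule) tuples for every event that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for rule in classify(ev):
            findings.append((ev.ts, ev.host, rule))
    return findings
```

On the sample, the IIS worker and SQL events on DB02 line up within a second, so a rule correlating the WMI-launched batch file with the subsequent export is the natural next refinement.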

Infrastructure and attribution

The attribution process described in the report utilised the Diamond Model, a framework for analysing cyber threat actors. Phantom Taurus operates from infrastructure related to other known Chinese APT groups, including Iron Taurus, Starchy Taurus, and Stately Taurus. However, elements unique to Phantom Taurus indicate operational compartmentalisation.

The group's focus on "high-value organisations that have access to sensitive non-public information," coupled with its use of tools rare or unique on the broader threat landscape, further supports the link to Chinese state interests and sets the group apart from previously identified APT actors.

"This group's distinctive modus operandi, combined with its advanced operational practices, sets Phantom Taurus apart from other Chinese APT groups. The designation of this group as a distinct Chinese APT is supported by multiple attribution factors, as illustrated in the Diamond Model of attribution," the Unit 42 researchers stated.

Capabilities and commands

The IIServerCore backdoor in the NET-STAR suite includes 11 methods covering file system operations, code execution, web shell management, antivirus evasion and encrypted communications. Among the backdoor's features are the abilities to execute arbitrary .NET code, run SQL commands, and manage multiple web shells, all with memory-only execution to elude disk-based detection.

The report also details commands embedded in the malware for file management, command execution, SQL queries, and security bypasses, some of which are seldom seen among known APT malware.

Implications for organisations

Palo Alto Networks has updated its products' detection capabilities in response to the findings. The company also indicated it has shared these findings for coordinated response and protection within the broader cybersecurity community.

Unit 42's research highlights the importance of long-term monitoring in identifying new threat actors. The evolution from an initial cluster (CL-STA-0043) to a formally named actor - Phantom Taurus - was the result of sustained intelligence collection, providing rare insight into the group's persistence, adaptability and evolving tactics over multiple years.

Companies operating government services, diplomatic missions, or telecommunications infrastructure in Africa, the Middle East, and Asia are encouraged to review security controls and monitor for activity related to the indicators of compromise detailed in the report. The technical data provided by Unit 42 includes hashes for various malware components and a list of primary tactics, techniques and procedures (TTPs) observed in Phantom Taurus operations.
