Researchers from Unit 42 have uncovered a previously undocumented Chinese state-aligned threat actor, dubbed Phantom Taurus, whose espionage operations have been active for more than two years. The group primarily targets government and telecommunications organizations across Africa, the Middle East, and Asia, with a strong focus on foreign affairs, embassies, and military operations.
According to Unit 42, “Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests.”
This group was originally tracked as an activity cluster named CL-STA-0043. Unit 42 published its first report on the cluster in June 2023, and by May 2024 the activity had been given the temporary designation Operation Diplomatic Specter. Now, after nearly three years of sustained investigation, researchers confirm Phantom Taurus as a distinct APT within the Chinese nexus.
“After sustained observation and intelligence collection over the past year, we have accumulated sufficient evidence to classify the temporary group as a new threat actor,” the researchers wrote.

What sets Phantom Taurus apart is its unique tactics, techniques, and procedures (TTPs). The group demonstrates “stealth, persistence and an ability to quickly adapt their tactics.” Unlike other Chinese APTs, it employs rare custom-developed tools, including the Specter malware family, Ntospy, and a newly discovered malware suite called NET-STAR.
The targeting aligns closely with China’s geopolitical interests. “The group primarily targets government entities and government service providers across the Middle East, Africa and Asia. The targeting patterns align consistently with the People’s Republic of China (PRC) economic and geopolitical interests.”
Unit 42 observed a tactical shift in early 2025: Phantom Taurus has moved beyond simply stealing sensitive emails to directly targeting databases.
Researchers found the group using a malicious script named mssq.bat, which connects to SQL databases using administrator credentials stolen in earlier intrusions. The script allows attackers to dynamically query, extract, and export results of interest, often related to regional geopolitical topics such as Afghanistan and Pakistan.
Perhaps the most significant revelation is NET-STAR, a custom .NET malware suite designed to compromise Microsoft IIS web servers. Unit 42 describes it as “a previously undocumented custom tool in Phantom Taurus’ arsenal called NET-STAR.”
The suite includes three components:
- IIServerCore – A modular, fileless IIS backdoor that executes commands and payloads entirely in memory.
- AssemblyExecuter V1 – Loads and executes additional .NET payloads in memory.
- AssemblyExecuter V2 – An evolved version with AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) bypass capabilities for stealth.
The IIServerCore backdoor is particularly dangerous: “It operates entirely in memory within the w3wp.exe IIS worker process, supports file system operations, arbitrary code execution, database access, web shell management, and encrypted C2 communication.”
To further avoid detection, Phantom Taurus employs timestomping, modifying compilation timestamps to future dates and altering file metadata to confuse forensic investigators.
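A defender-side illustration of the timestomping point above, added here and not code from the Unit 42 report: the script parses the COFF TimeDateStamp of a PE image and flags a compile time that lies in the future relative to the observation time. The stub-header builder, the sample timestamps and the one-day clock-skew allowance are assumptions for the demo.

```python
import struct

# Offsets and field layout come from the PE/COFF format, not from the report.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Raises ValueError if the buffer is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    # COFF file header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def compile_time_is_suspicious(data: bytes, now: int, slack_seconds: int = 86400) -> bool:
    """Flag a binary whose recorded compile time is later than the observation time.

    A zero timestamp (stripped or reproducible builds) is not treated as evidence
    of tampering here; the slack (assumed one day) tolerates ordinary clock skew.
    """
    ts = pe_compile_timestamp(data)
    if ts == 0:
        return False
    return ts > now + slack_seconds


def build_stub_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE header carrying the given TimeDateStamp (test input)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=0x8664 (x64), one section, the timestamp, remaining fields zeroed.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    observed_at = 1_700_000_000  # constructed observation time
    sample = build_stub_pe(observed_at + 10 * 365 * 86400)  # constructed "future" compile time
    print("suspicious:", compile_time_is_suspicious(sample, observed_at))
```

On real samples, feed the first few hundred bytes of the file to `pe_compile_timestamp` and compare against the collection time recorded with the artifact rather than the analyst's wall clock.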
Unit 42’s attribution is based on the Diamond Model, which ties Phantom Taurus to the broader Chinese APT ecosystem through infrastructure, victimology, and toolset overlap.
“Phantom Taurus uses a shared Chinese APT operational infrastructure that has been exclusively used by Chinese threat actors, including Iron Taurus (APT27), Starchy Taurus (Winnti) and Stately Taurus (Mustang Panda).”
However, the infrastructure remains compartmentalized, suggesting Phantom Taurus operates independently within the ecosystem.