China-linked APT Phantom Taurus targets government and telecom orgs with Net-Star malware for espionage, using unique tactics over two years.
China-nexus APT Phantom Taurus has targeted government and telecom organizations for espionage, using Net-Star malware and distinct TTPs.
Phantom Taurus is a previously undocumented Chinese APT that has targeted entities in Africa, the Middle East, and Asia for over 2.5 years. The APT’s campaigns focused on foreign ministries, embassies, geopolitical events, and military operations. According to Palo Alto Networks researchers, the group conducts stealthy, persistent espionage. Its unique TTPs and the custom NET-STAR tool enable covert, long-term access, distinguishing it from other Chinese APTs.
The experts first spotted the group in 2023; since then it has conducted highly covert operations and maintained long-term access to high-profile targets.
Phantom Taurus uses shared Chinese APT infrastructure but distinct components. Its unique TTPs and custom tools, including Specter, Ntospy, and NET-STAR, differentiate it from other actors. Using the Diamond Model, researchers confirmed that observed activities represent a new, separate threat actor aligned with Chinese strategic intelligence priorities.
Phantom Taurus shifted from stealing emails to targeting databases in early 2025. The attackers used a script, mssq.bat, to connect to SQL Server databases with compromised credentials, execute queries, export the results to CSV, and close the connection. They deployed the script via WMI and searched for documents related to countries such as Afghanistan and Pakistan. This marks a tactical evolution from their previous email-focused operations.
“Our continuous monitoring of Phantom Taurus activities has revealed a tactical evolution that we first observed in early 2025. Since 2023, Phantom Taurus has focused on stealing sensitive and specific emails of interest from email servers, as we described in a previous article.” reads the report published by the researchers. “However, our telemetry indicates a shift from this email-centric methodology to the direct targeting of databases.”

The China-linked APT deployed the previously undetected .NET malware suite named NET‑STAR that targets IIS web servers. Analysts found NET‑STAR strings in PDB paths and Base64 data, linking the tool to the group. The suite includes three web backdoors:
- IIServerCore: a fileless, modular backdoor that runs payloads in‑memory;
- AssemblyExecuter V1: loads and executes additional .NET payloads in memory;
- AssemblyExecuter V2: an enhanced loader that also bypasses AMSI and ETW.
NET‑STAR shows advanced .NET evasion and poses a serious risk to internet‑facing servers.
IIServerCore acts as the primary, fileless IIS backdoor in the NET‑STAR suite, loading and running entirely in memory under the w3wp.exe process after a web‑shell (OutlookEN.aspx) drops a Base64 payload. It establishes encrypted AES C2 sessions, tracks state via cookies, and dynamically loads .NET assemblies from Base64. It supports file I/O, database queries, arbitrary code execution, web‑shell management and AMSI evasion, all without leaving any artifact on the disk. Operators timestomp files and use a changeLastModified command to hide compile timestamps and frustrate forensics.
NET‑STAR also includes two AssemblyExecuter loaders: v1 loads and runs .NET assemblies in memory, while v2 adds selective AMSI and ETW bypass routines for operation in heavily monitored environments. Together, these components enable stealthy, persistent, in‑memory attack chains against internet‑facing IIS servers.
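As an added illustration (not code from the Unit 42 report or from Security Affairs), the sketch below flags in Sysmon-style process-creation telemetry the two behaviours described above: a batch script launched through WMI that drives sqlcmd to export query results to CSV, and an IIS worker process (w3wp.exe) spawning a shell as a sign of in-memory web-shell activity. The sample events, the sqlcmd path, host and account names are constructed; only mssq.bat and w3wp.exe come from the article.

```python
import re

# Constructed sample telemetry (Sysmon Event ID 1 field names); none of it is real.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\mssq.bat",
     "User": "CORP\\svc_sql"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\sqlcmd.exe",  # constructed path
     "CommandLine": r'sqlcmd -S db01 -U sa -Q "select * from docs" -o C:\Windows\Temp\out.csv',
     "User": "CORP\\svc_sql"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "User": "IIS APPPOOL\\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "User": "CORP\\alice"},
]

SHELLS = ("cmd.exe", "powershell.exe")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of suspicious patterns a single event matches."""
    parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev["CommandLine"].lower()
    hits = []
    # WMI provider host launching a shell that runs a .bat (how mssq.bat was deployed).
    if parent == "wmiprvse.exe" and image in SHELLS and ".bat" in cmd:
        hits.append("wmi-launched batch script")
    # sqlcmd writing query output to a CSV file (bulk export of database contents).
    if image == "sqlcmd.exe" and re.search(r"-o\s+\S+\.csv", cmd):
        hits.append("sqlcmd exporting query results to CSV")
    # IIS worker process spawning a shell: typical of a web shell such as IIServerCore.
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("IIS worker process spawning a shell")
    return hits


def scan(events):
    """Return (event index, pattern) pairs for every match in the event list."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]
```

Running scan(EVENTS) reports the first three constructed events and leaves the benign notepad launch alone.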
“This group’s distinctive modus operandi, combined with its advanced operational practices, sets Phantom Taurus apart from other Chinese APT groups. ” concludes Palo Alto Networks.