Chinese hacking group ‘Phantom Taurus’ targets governments



Cybersecurity researchers have identified a previously undocumented state-sponsored Chinese hacking group dubbed Phantom Taurus.

A new report from Palo Alto Networks’ Unit 42 threat intelligence team details a multi-year investigation into Phantom Taurus, revealing a campaign targeting governments and telecoms providers across the Middle East, Africa, and Asia.

The group’s primary objective is cyberespionage, with a focus on stealing sensitive, non-public information from high-value targets. Over the past two and a half years, Unit 42 has observed Phantom Taurus focusing its efforts on ministries of foreign affairs, embassies, and military operations, often timing its activities to coincide with geopolitical events in those regions.

The formal designation of Phantom Taurus is the result of a tracking effort that began in 2022. Unit 42 first monitored the activity as a cluster under the reference CL-STA-0043. As more intelligence accumulated, the cluster was promoted in May 2024 to a temporary group, TGR-STA-0043, whose activity was reported under the name Operation Diplomatic Specter. After continued observation, Unit 42 collected enough evidence to classify it as a distinct, new threat actor in 2025.

“This rare level of insight reflects the depth and duration of our investigation,” the report states, highlighting how long-term monitoring provides a more comprehensive understanding of an adversary’s evolution and strategic intent.

What distinguishes Phantom Taurus from other Chinese advanced persistent threat (APT) groups is its particular set of tactics, techniques, and procedures (TTPs). The group shares operational infrastructure with other known Chinese actors such as Iron Taurus (APT27) and Stately Taurus (Mustang Panda), but it keeps its operations compartmentalised by using specific components not seen in those actors’ campaigns. Its toolkit blends publicly available tools such as the China Chopper web shell and the Impacket suite with a custom arsenal of malware, allowing it to operate covertly and maintain persistent access to compromised networks.

Recently, researchers have observed an evolution in the group’s data collection methods. Since early 2025, Phantom Taurus has shifted from primarily stealing emails of interest from compromised servers to querying databases directly. The attackers were observed using a custom batch script named mssq.bat to connect to SQL Server instances and execute dynamically built queries. This let them search for specific documents and information, including intelligence related to countries such as Afghanistan and Pakistan.
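A script run from a compromised IIS host has to be launched by something, and on a web server that something is usually the IIS worker process. The following Python is an added example written for this article, not Unit 42’s code or a sample of mssq.bat: it walks Sysmon Event ID 1 (process creation) records by ParentProcessGuid to flag shells or SQL client tools that descend from w3wp.exe, batch files run from such a shell, and sqlcmd/osql invocations that carry their query inline via -Q. The events, GUIDs, host names and file paths are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Shells and SQL client tools worth flagging when they hang off an IIS worker.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    # Subset of Sysmon Event ID 1 fields: ProcessGuid, ParentProcessGuid,
    # Image and CommandLine.
    guid: str
    parent_guid: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (Windows or forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcessEvent, by_guid: dict) -> list:
    """Image names of ev's ancestors, nearest first, following ParentProcessGuid."""
    names, cur, seen = [], ev, set()
    while cur.parent_guid in by_guid and cur.parent_guid not in seen:
        seen.add(cur.parent_guid)
        cur = by_guid[cur.parent_guid]
        names.append(image_name(cur.image))
    return names


def inline_sql(command_line: str) -> bool:
    """True if a sqlcmd/osql command line carries the query itself (-Q or -q)."""
    return any(tok in ("-Q", "-q") for tok in command_line.split())


def triage(events: list) -> dict:
    """Map ProcessGuid -> list of reasons for every event that trips a rule."""
    by_guid = {e.guid: e for e in events}
    findings = {}
    for ev in events:
        child = image_name(ev.image)
        lineage = ancestry(ev, by_guid)
        reasons = []
        # A shell or SQL client anywhere below w3wp.exe is the classic web-shell tell.
        if child in SHELLS | SQL_CLIENTS and "w3wp.exe" in lineage:
            reasons.append("descends_from_w3wp")
        # A shell launched to run a .bat file (the page describes a batch script).
        if child in SHELLS and ".bat" in ev.command_line.lower():
            reasons.append("runs_batch_file")
        # Query passed on the command line: low severity alone, high with the above.
        if child in SQL_CLIENTS and inline_sql(ev.command_line):
            reasons.append("sql_client_inline_query")
        if reasons:
            findings[ev.guid] = reasons
    return findings


# Constructed sample: one chain from the IIS worker, one from an admin's desktop.
SQLCMD = r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE"
SAMPLE_EVENTS = [
    ProcessEvent("g1", "g0", r"C:\Windows\System32\svchost.exe", "svchost.exe -k iissvcs"),
    ProcessEvent("g2", "g1", r"C:\Windows\System32\inetsrv\w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"'),
    ProcessEvent("g3", "g2", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\mssq.bat"),
    ProcessEvent("g4", "g3", SQLCMD, 'SQLCMD.EXE -S dbsrv01 -E -Q "SELECT name FROM sys.databases"'),
    ProcessEvent("g5", "g0", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent("g6", "g5", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("g7", "g6", SQLCMD, 'SQLCMD.EXE -S dbsrv01 -E -Q "SELECT @@VERSION"'),
]

if __name__ == "__main__":
    for guid, reasons in triage(SAMPLE_EVENTS).items():
        print(guid, ", ".join(reasons))
```

Only the chain rooted in w3wp.exe (g3 and g4) is tagged `descends_from_w3wp`; the administrator’s sqlcmd (g7) is reported only for its inline query, which is the right place to draw the line between an alert and a hunting lead. In a real deployment the same logic applies to the Sysmon XML or the SIEM’s normalised fields, and should also cover w3wp.exe spawning anything at all, not just these binaries.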

Perhaps the most notable discovery is a previously undocumented custom malware suite named NET-STAR. This new toolset, a sophisticated .NET framework designed to compromise Internet Information Services (IIS) web servers, represents a leap in the actor’s capabilities. The name NET-STAR was derived from strings found in the malware’s program database (PDB) paths.

The NET-STAR suite demonstrates Phantom Taurus’ evasion techniques and its deep understanding of .NET internals, and it poses a serious threat to internet-facing servers. It consists of three primary components. The main one, IIServerCore, is a fileless, modular backdoor that operates entirely within the memory of the IIS worker process, so no payload is written to disk for file-based defences to find.

This backdoor is initially loaded by an ASPX web shell, after which it can receive and execute additional payloads, manage other web shells, access databases, and carry out file system operations, all over an encrypted channel. To further evade detection, the group employed “timestomping”: rewriting the timestamps of its malicious files to match those of legitimate files on the system, so that the files do not stand out in a forensic timeline.
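Timestomping is usually done through the file-time API, which rewrites the timestamps in the NTFS $STANDARD_INFORMATION attribute but leaves the copies in the $FILE_NAME attribute alone, and it often lands on a whole second because the new value was typed or copied without sub-second precision. The Python below is an added example written for this article, not code from Unit 42 or from the malware; it applies those two checks to constructed MFT-style records. Both checks are heuristics: a rename within a volume also leaves $FILE_NAME newer than $STANDARD_INFORMATION, so a hit is a lead for review, not proof.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftRecord:
    # Timestamps from the two NTFS attributes that carry them. $SI is what
    # SetFileTime() and Explorer expose; $FN is maintained by the kernel and
    # is not touched by the usual timestomping tools.
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list:
    """Return the names of the heuristics this record trips (empty if none)."""
    hits = []
    # 1. $SI earlier than $FN creation. $FN creation is set when the file
    #    appeared under this name; an $SI value before it means the $SI times
    #    were set backwards, or the file was renamed/moved (false positive).
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    if rec.si_modified < rec.fn_created:
        hits.append("si_modified_before_fn_created")
    # 2. $SI times on an exact second while $FN keeps its 100 ns precision:
    #    typical of a timestamp copied from a formatted string.
    if (rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
            and rec.fn_created.microsecond != 0):
        hits.append("si_subsecond_zeroed")
    return hits


def review_queue(records: list) -> dict:
    """Map path -> indicators for every record that trips at least one check."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}


# Constructed sample records (not from any real system).
SAMPLE_RECORDS = [
    # Untouched file: $SI and $FN agree, sub-second precision intact.
    MftRecord(r"C:\inetpub\wwwroot\default.aspx",
              datetime(2025, 3, 10, 14, 22, 31, 123456, UTC),
              datetime(2025, 3, 10, 14, 30, 0, 654321, UTC),
              datetime(2025, 3, 10, 14, 22, 31, 123456, UTC),
              datetime(2025, 3, 10, 14, 22, 31, 123456, UTC)),
    # Stomped file: $SI pushed back years, on an exact second; $FN shows the drop time.
    MftRecord(r"C:\inetpub\wwwroot\aspnet_client\core.aspx",
              datetime(2019, 1, 1, 0, 0, 0, 0, UTC),
              datetime(2019, 1, 1, 0, 0, 0, 0, UTC),
              datetime(2025, 3, 10, 14, 22, 31, 123456, UTC),
              datetime(2025, 3, 10, 14, 22, 31, 123456, UTC)),
    # Legitimately renamed file: $SI created earlier than $FN, but precision intact.
    MftRecord(r"C:\inetpub\logs\archive\old.log",
              datetime(2024, 6, 1, 9, 0, 0, 500000, UTC),
              datetime(2025, 2, 1, 10, 0, 0, 250000, UTC),
              datetime(2025, 1, 15, 12, 0, 0, 700000, UTC),
              datetime(2025, 1, 15, 12, 0, 0, 700000, UTC)),
]

if __name__ == "__main__":
    for path, hits in review_queue(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(hits))
```

The stomped file trips all three checks; the renamed log trips only the first, which is exactly the pattern an analyst triages by looking at the surrounding $MFT entries and the USN journal before calling it malicious.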

The suite also includes two versions of a loader named AssemblyExecuter. The first was a simple tool for executing .NET assemblies in memory; the second, newer version adds evasion capabilities. This variant is equipped to bypass two Windows defensive mechanisms, the Antimalware Scan Interface (AMSI), which lets security products scan content before it runs, and Event Tracing for Windows (ETW), which feeds runtime telemetry to monitoring tools, allowing it to operate unnoticed in more closely monitored environments.

The sustained investigation and resulting classification of the Chinese hacking group Phantom Taurus show how adaptable and persistent modern state-sponsored threats are. Unit 42 says it has shared its findings with fellow members of the Cyber Threat Alliance (CTA) to help organisations bolster their defences.


