Phantom Taurus: China’s Shadowy APT Targeting Governments and Telecoms with NET-STAR Malware

Listen to this Post

Featured Image

Introduction: A New Face in Chinese Cyber Espionage

In the world of state-backed cyber espionage, few developments are as concerning as the emergence of a new advanced persistent threat (APT). One of the latest to come into the spotlight is Phantom Taurus, a stealthy Chinese-linked group that has quietly operated for over two and a half years. Unlike many APTs that follow predictable patterns, Phantom Taurus is distinguished by its custom malware suite, highly tailored tactics, and ability to evolve its methods quickly. From targeting sensitive government ministries to infiltrating telecom providers, this group is carving out a unique position in Beijing’s digital intelligence arsenal. What makes them especially dangerous is their shift from stealing emails to compromising full databases, a tactical leap that signals the increasing sophistication of Chinese cyber operations.

Phantom Taurus: A Hidden Espionage Machine

For more than two years, Phantom Taurus has been active across Africa, the Middle East, and Asia, focusing on foreign ministries, embassies, and even military operations. Its campaigns were detected by researchers at Palo Alto Networks, who noted how the group’s persistence and stealth stood out from typical APT activity.

Phantom Taurus leverages shared Chinese cyber infrastructure, but what sets it apart are its custom-built tools such as Specter, Ntospy, and the newly uncovered NET-STAR malware suite. The Diamond Model analysis confirmed that this was not just another subdivision of an existing APT but a new, distinct group aligned with Chinese intelligence priorities.

Initially, their strategy centered around stealing sensitive emails. But in early 2025, a noticeable shift occurred: the group began targeting SQL Server databases. Using a script named mssq.bat, they exploited stolen credentials to connect to databases, run queries, export data, and terminate sessions. This method was deployed via Windows Management Instrumentation (WMI), showing their skill in automating stealthy operations. Particularly sensitive were documents connected to Afghanistan and Pakistan, suggesting the group’s work feeds directly into China’s geopolitical strategy.

NET-STAR: The Custom Malware That Defines Phantom Taurus

At the heart of Phantom Taurus operations lies NET-STAR, a .NET malware suite targeting IIS web servers. What makes NET-STAR dangerous is its fileless nature—executing entirely in memory, leaving little to no forensic footprint.

IIServerCore: Acts as the primary backdoor, deployed after a malicious web shell drops a Base64 payload. It establishes encrypted communication, executes arbitrary code, queries databases, and even manipulates timestamps to evade forensic detection.
AssemblyExecuter v1 and v2: These loaders execute .NET assemblies in memory. The second version adds AMSI and ETW bypasses, allowing operations in heavily monitored environments.

This combination enables Phantom Taurus to maintain persistence, conduct espionage, and evade detection for long periods, marking them as one of the more advanced Chinese-linked actors identified to date.

Distinctive Traits That Separate Phantom Taurus

What makes Phantom Taurus stand out is not just the malware it uses, but also its operational discipline:

Stealth first approach: Long-term, low-noise infiltrations.

Strategic targeting: Ministries, embassies, and telecom networks tied to geopolitical flashpoints.

Technical sophistication: Fileless execution, timestomping, and advanced obfuscation.

While China has a long list of known APTs, this group’s unique toolkit and evolving strategy elevate it to a new category of threat.

What Undercode Say:

Analyzing Phantom Taurus requires looking beyond the technical details and focusing on the broader strategic picture. Here are the key takeaways:

  1. Shift in Operational Focus: The move from stealing emails to direct database targeting is more than just a tactical adjustment. It represents a deeper hunger for structured intelligence—spreadsheets, classified reports, and datasets that email theft alone cannot provide. This indicates Beijing’s intelligence operations are maturing in both scope and precision.

  2. Database Targeting and Geopolitics: The choice of targeting countries like Afghanistan and Pakistan is telling. These regions are strategic to China due to their proximity to critical projects under the Belt and Road Initiative and their military ties. Extracting diplomatic and defense data directly from databases ensures Beijing maintains an edge in regional intelligence.

  3. Persistence as a Strategic Asset: Phantom Taurus has shown that stealth and longevity are more valuable than flashy, destructive attacks. This persistence mirrors China’s broader strategy—slow, patient, and methodical accumulation of power.

  4. Custom Tools Equal Independence: Many Chinese APTs share infrastructure and even malware families. By developing unique suites like NET-STAR, Phantom Taurus gains independence and specialization, reducing its risk of exposure through shared tools and signaling a higher investment from state sponsors.

  5. Blurring Cyber and Geopolitical Lines: Phantom Taurus’s campaigns are not random—they align with China’s strategic priorities, from securing intelligence on diplomacy to monitoring military alliances. Cyber operations are simply the extension of foreign policy, and Phantom Taurus exemplifies this.

  6. Comparison to Other APTs: While groups like APT10 and APT41 focused on large-scale data theft and espionage, Phantom Taurus specializes in precision operations. This suggests a shift in China’s cyber doctrine toward quality over quantity in intelligence gathering.

  7. Future Risks: If Phantom Taurus successfully scales its database operations, we could see financial institutions, energy grids, and defense contractors as future targets. By proving their ability to move from email to database exploitation, they’ve unlocked a door to far more sensitive sectors.

  8. Cybersecurity Implications: For defenders, Phantom Taurus underscores the importance of database security, which historically receives less focus than endpoints or email servers. This evolution should be a wake-up call: critical infrastructure databases are the new frontline.

Fact Checker Results

✅ Phantom Taurus is confirmed as a new, distinct Chinese APT discovered by Palo Alto Networks.
✅ The group has shifted from email theft to SQL database targeting in 2025.
❌ No evidence yet that they have moved beyond espionage into sabotage operations.

Prediction

Phantom Taurus is unlikely to fade into obscurity. Instead, its tactical shift toward database targeting suggests the next stage of cyber espionage will prioritize structured, highly valuable intelligence rather than scattered email collections. Expect Phantom Taurus to expand its operations into financial systems, defense contractors, and energy sectors, all while refining fileless persistence techniques that make detection extremely difficult. If this trend continues, Phantom Taurus may soon emerge as one of the most formidable Chinese APTs of the decade.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: securityaffairs.com
Extra Source Hub:
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon