A previously undocumented China-aligned nation-state actor, tracked as ‘Phantom Taurus,’ has spent the past two-and-a-half years carrying out a stealthy cyber espionage campaign against government and telecommunications organizations across Africa, the Middle East and Asia, Palo Alto Networks’ Unit 42 says.
Unit 42 researchers say Phantom Taurus focuses on ministries of foreign affairs, embassies, geopolitical events and military operations for long-term intelligence gathering and the theft of confidential data that could be of interest to China.
Initially, the threat cluster was tracked as CL-STA-0043 but later reclassified as TGR-STA-0043. Unit 42 says the group blends custom tooling with shared operational infrastructure.
Phantom Taurus has deployed a novel .NET malware suite named NET-STAR, designed to compromise Internet Information Services (IIS) web servers, alongside other custom backdoors that maintain encrypted command-and-control channels and enable in-memory execution of additional payloads.
At the same time, the threat actor has used infrastructure previously seen in operations by groups such as APT27 (LuckyMouse or Emissary Panda), APT41 and Mustang Panda, though some infrastructure appears unique to Phantom Taurus.
Earlier intrusions appear to have exploited known flaws in on-premises IIS and Microsoft Exchange servers, including ProxyLogon and ProxyShell (the latter tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
The group has used WMI-executed batch scripts to connect to SQL Server instances, export query results to CSV, and quietly exfiltrate information focused on countries including Afghanistan and Pakistan.
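Detection logic for the WMI-launched batch-to-SQL-export chain described above, as an added example that is not Unit 42's tooling or telemetry: it walks constructed Sysmon-style process-creation events and flags a sqlcmd.exe that writes CSV output when its ancestry includes a batch file run by cmd.exe under WmiPrvSE.exe. Field names, paths and command lines are assumptions made for the example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "WmiPrvSE.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Windows\Temp\upd.bat"},
    {"pid": 3, "ppid": 2, "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmd": r'SQLCMD.EXE -S 10.0.0.5 -d hr -Q "SELECT * FROM contacts" -s "," -o C:\Windows\Temp\out.csv'},
    # Benign: a DBA exporting from an interactive shell, no WMI ancestor.
    {"pid": 4, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 6, "ppid": 5, "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmd": r'SQLCMD.EXE -S localhost -E -Q "SELECT 1" -o C:\reports\r.csv'},
    # Benign: WMI-driven admin command that runs no batch file and no sqlcmd.
    {"pid": 7, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c ipconfig /all"},
]

BATCH_RE = re.compile(r"\.bat\b", re.I)
# sqlcmd's -o writes query output to a file; -s "," sets a comma column separator.
CSV_OUT_RE = re.compile(r'[-/]o\s*"?[^\s"]*\.csv\b', re.I)
CSV_SEP_RE = re.compile(r'-s\s*"?,')


def _ancestors(event, by_pid):
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    while event["ppid"] in by_pid:
        event = by_pid[event["ppid"]]
        yield event


def find_wmi_sql_export_chains(events):
    """Return alerts for sqlcmd CSV exports whose lineage includes a batch file run under WmiPrvSE.exe."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith("sqlcmd.exe"):
            continue
        if not (CSV_OUT_RE.search(e["cmd"]) or CSV_SEP_RE.search(e["cmd"])):
            continue
        chain = list(_ancestors(e, by_pid))
        batch = next((a for a in chain if a["image"].lower().endswith("cmd.exe")
                      and BATCH_RE.search(a["cmd"])), None)
        under_wmi = any(a["image"].lower().endswith("wmiprvse.exe") for a in chain)
        if batch and under_wmi:
            alerts.append({"pid": e["pid"], "batch": batch["cmd"], "sqlcmd": e["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in find_wmi_sql_export_chains(EVENTS):
        print("ALERT: WMI-launched batch script exporting SQL data to CSV:", alert)
```

Only the chain WmiPrvSE.exe -> cmd.exe (upd.bat) -> SQLCMD.EXE with CSV output is flagged; the interactive DBA export and the WMI ipconfig run are not.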