Phantom Taurus: China-Linked Hackers Target Global Governments

China-linked hacker group Phantom Taurus targets global governments with advanced stealth malware.

Written By
Ken Underhill
Oct 9, 2025
Over the past two and a half years, cybersecurity researchers have uncovered a sophisticated cyber-espionage campaign conducted by a newly identified China-aligned threat actor known as Phantom Taurus. 

The group has targeted government and telecommunications organizations across Africa, the Middle East, and Asia. 

Characterized by its stealth, persistence, and technical sophistication, Phantom Taurus represents a growing evolution of China-linked cyber operations aimed at long-term intelligence collection.

Origins of the Phantom Taurus group

Phantom Taurus was first identified by Palo Alto Networks’ Unit 42 in June 2023 under the label CL-STA-0043. 

Continued observation led to its elevation to a temporary group, TGR-STA-0043, as part of an espionage campaign called Operation Diplomatic Specter.

By 2025, the group was formally designated as a distinct advanced persistent threat (APT) actor after extensive analysis of its tactics, techniques, and procedures (TTPs).

According to Unit 42 researcher Lior Rochberger, Phantom Taurus’s primary objective is espionage, with a specific focus on ministries of foreign affairs, embassies, defense operations, and geopolitical events. 

The group’s attacks align closely with China’s strategic and economic interests, particularly those involving diplomatic communications and defense intelligence.

Its operations often coincide with major global events and regional security developments, suggesting deliberate timing to exploit geopolitical tensions.

Advanced tools power a stealthy cyber espionage campaign

Phantom Taurus distinguishes itself from other Chinese APTs through its use of custom-built tools and rare operational techniques. 

The group’s latest campaigns feature an advanced malware suite called NET-STAR, a .NET-based framework designed to infiltrate Microsoft Internet Information Services (IIS) web servers. 

The suite comprises three modular web-based backdoors—IIServerCore, AssemblyExecuter V1, and AssemblyExecuter V2—each designed for fileless execution, persistence, and stealthy data exfiltration.

The IIServerCore component operates entirely in memory within the IIS worker process, executing commands and returning encrypted results through a secure command-and-control (C2) channel.

Its ability to timestomp files—manipulating digital timestamps to mislead forensic analysts—demonstrates the attackers’ advanced evasion techniques. 

The later versions of AssemblyExecuter, particularly V2, go even further by incorporating bypass mechanisms for Windows security defenses such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), allowing attackers to operate undetected in monitored environments.
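Timestomping, as described above, alters the timestamps an investigator normally sees, but NTFS keeps a second, kernel-maintained copy of them in the $FILE_NAME attribute that the documented user-mode API does not set. The following check is an added example written for this article, not code from Unit 42 or from the NET-STAR analysis: it takes timestamp pairs (assumed to have already been parsed out of the MFT by a forensic tool) and flags the two classic inconsistencies a timestomped file leaves behind. The record structure and the sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class NtfsTimestamps:
    """Timestamp pairs for one MFT entry (constructed structure for this example)."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION: what Explorer/PowerShell show; settable via SetFileTime
    si_modified: datetime  # $STANDARD_INFORMATION last-write time
    fn_created: datetime   # $FILE_NAME: written by the kernel on create/rename/move only


def timestomp_indicators(rec: NtfsTimestamps) -> list[str]:
    """Return human-readable reasons this entry looks timestomped (empty list = nothing found)."""
    reasons: list[str] = []

    # 1. $SI creation earlier than $FN creation. $FN is stamped when the file is created
    #    (or renamed/moved), so an attacker who back-dates $SI produces a "created before it
    #    existed" file. Caveat: copy utilities that preserve source timestamps (robocopy does
    #    by default) create the same pattern legitimately, so treat this as a lead, not proof.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation predates $FN creation")

    # 2. Zero sub-second component on the $SI timestamps. NTFS stores 100 ns precision and a
    #    real write almost never lands on an exact second, whereas tools that accept a
    #    "YYYY-MM-DD HH:MM:SS" argument write exactly .000000.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second precision")

    return reasons


# Constructed sample records: one ordinary file and one with back-dated $SI times.
BENIGN = NtfsTimestamps(
    path=r"C:\inetpub\wwwroot\web.config",
    si_created=datetime(2024, 3, 4, 9, 15, 27, 481203, tzinfo=timezone.utc),
    si_modified=datetime(2024, 11, 20, 16, 2, 3, 90117, tzinfo=timezone.utc),
    fn_created=datetime(2024, 3, 4, 9, 15, 27, 481203, tzinfo=timezone.utc),
)

SUSPECT = NtfsTimestamps(
    path=r"C:\inetpub\wwwroot\bin\App_Web_x.dll",   # placeholder path, not an indicator from the report
    si_created=datetime(2019, 1, 1, 0, 0, 0, 0, tzinfo=timezone.utc),
    si_modified=datetime(2019, 1, 1, 0, 0, 0, 0, tzinfo=timezone.utc),
    fn_created=datetime(2025, 6, 10, 14, 32, 11, 123456, tzinfo=timezone.utc),
)


def scan(records: list[NtfsTimestamps]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; clean records are omitted."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


if __name__ == "__main__":
    for path, hits in scan([BENIGN, SUSPECT]).items():
        print(path)
        for h in hits:
            print("  -", h)
```

In practice the records come from a parsed $MFT (or from a triage tool's timeline export); the point of the check is that a file living in an IIS content directory whose $SI times predate its $FN creation deserves a look, and the zero-sub-second heuristic adds confidence rather than standing alone.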

Infrastructure and TTPs

The group’s infrastructure indicates both collaboration and compartmentalization within the Chinese cyber ecosystem. 

While Phantom Taurus shares some operational infrastructure with other Chinese-linked APTs such as Iron Taurus (APT27), Winnti (APT41), and Mustang Panda, it uses unique infrastructure elements not found in operations by those groups. 

This separation suggests a deliberate design to minimize exposure and maintain operational secrecy.

Initial access in many Phantom Taurus attacks has been achieved through the exploitation of known vulnerabilities in Microsoft Exchange and IIS servers.

Once inside a network, the group has shifted from traditional email theft to directly targeting databases. 

Using a custom batch script (mssq.bat) executed via Windows Management Instrumentation (WMI), the hackers extract data from SQL servers and export it in CSV format. 

This new focus on databases allows more precise targeting of sensitive governmental and geopolitical information.
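The database-collection step described above leaves a distinctive process lineage: the WMI provider host launching a shell to run a batch file, and a SQL client tool writing a CSV. The IIS intrusion path earlier in the article leaves a similar trace, with the IIS worker process as the parent of a shell. The following detection logic is an added example for this article, not a rule from Unit 42; it runs over constructed process-creation events (Sysmon Event ID 1 style, simplified to one JSON object per line) and reports which rule each event matched. The event field names mirror Sysmon's, but the sample lines and the rule names are this example's own.

```python
import json
import re

# Process images that, when spawned by an unusual parent, are worth a closer look.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Native SQL Server client tools capable of writing query output to a file.
SQL_EXPORT_TOOLS = {"sqlcmd.exe", "bcp.exe", "osql.exe"}

# Constructed sample events (raw strings so the JSON backslash escapes survive).
SAMPLE_EVENTS = [
    r'{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",'
    r'"CommandLine":"cmd.exe /c C:\\Windows\\Temp\\mssq.bat","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"Image":"C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\sqlcmd.exe",'
    r'"ParentImage":"C:\\Windows\\System32\\cmd.exe",'
    r'"CommandLine":"sqlcmd -S localhost -E -Q \"select * from mail\" -s , -o C:\\Windows\\Temp\\out.csv"}',
    r'{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe",'
    r'"CommandLine":"cmd.exe /c whoami","User":"IIS APPPOOL\\DefaultAppPool"}',
    r'{"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe",'
    r'"CommandLine":"notepad.exe notes.txt"}',
    r'{"Image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe",'
    r'"CommandLine":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe -secured -Embedding"}',
]


def basename(path: str) -> str:
    """Last path component, lower-cased; handles both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule this single event matches."""
    hits: list[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # Remote command execution through WMI surfaces as WmiPrvSE.exe -> shell.
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi_spawned_shell")
        # ...and the article's collection step runs a batch file through that shell.
        if re.search(r"\.bat\b", cmdline, re.IGNORECASE):
            hits.append("wmi_executed_batch_script")

    # An in-memory IIS backdoor executing commands shows up as w3wp.exe -> shell.
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("iis_worker_spawned_shell")

    # Query output redirected to a CSV by a command-line SQL client.
    if image in SQL_EXPORT_TOOLS and re.search(r"\.csv\b", cmdline, re.IGNORECASE):
        hits.append("sql_export_to_csv")

    return hits


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Evaluate each JSON line; yield (rule, image, command line) per match, skipping unparseable lines."""
    findings: list[tuple[str, str, str]] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in evaluate(event):
            findings.append((rule, event.get("Image", ""), event.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for rule, image, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {image}\n    {cmdline}")
```

Each rule on its own will fire on legitimate administration (WMI-driven software deployment, DBAs exporting reports), so in a real deployment the value comes from correlation: the same host showing the WMI-launched batch file and a CSV export within minutes, or a shell under w3wp.exe on an Exchange or IIS server that has no business running one.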

Strategic implications

The emergence of Phantom Taurus underscores the persistence of state-aligned cyber espionage and the growing sophistication of China-linked threat actors. 

Unlike financially motivated cybercriminals, groups like Phantom Taurus focus on long-term access and intelligence gathering. 

Their operations reveal an emphasis on stealth and adaptability, allowing them to remain undetected for extended periods while harvesting valuable data.

The use of custom-developed malware such as NET-STAR demonstrates not only technical innovation but also a clear understanding of Western digital ecosystems. 

As governments and critical infrastructure across developing regions increasingly rely on digital platforms, they become prime targets for such advanced operations.

Collaboration is key to cyber resilience

Phantom Taurus represents a new phase in China-aligned cyber espionage. 

The group’s sustained campaigns, technical ingenuity, and evolving methodologies illustrate how nation-state hackers adapt to overcome traditional cybersecurity defenses. 

The discovery and formal classification of Phantom Taurus by Unit 42 highlight the importance of continuous monitoring and collaborative intelligence-sharing among cybersecurity teams.

As global geopolitical tensions persist, the operations of groups like Phantom Taurus will likely continue to evolve. 

Governments and private sector entities alike must enhance their detection capabilities, invest in defensive technologies, and strengthen international partnerships to counter this new wave of sophisticated cyber threats.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
