Meet Phantom Taurus, the stealth Chinese espionage group you’ve never heard of


Phantom Taurus, a “highly covert” nation-state threat actor linked to China, has been observed stepping up its espionage attacks on foreign governments, militaries, and associated entities, Palo Alto Networks revealed on Tuesday.

Key takeaways:

The previously undocumented advanced persistent threat (APT) was first observed as a “cluster of activity” about two and a half years ago by researchers at Palo Alto’s threat intelligence division, Unit 42.

Said to primarily target “government and telecommunications organizations across Africa, the Middle East, and Asia,” the espionage-driven group has recently pivoted to a distinctive set of tactics, techniques, and procedures (TTPs) that the researchers consider worthy of an official write-up.

Aligned with the classic geopolitical motives of the People’s Republic of China (PRC), Unit 42 describes the group’s attacks as typical of the Chinese nation-state nexus: stealthy, persistent, and highly adaptable.

The detailed security report further warns about a “previously undocumented custom tool” now being used to target victims, dubbed “NET-STAR.”

The NET-STAR malware suite has enabled Phantom Taurus to “conduct highly covert operations and maintain long-term access to critical targets,” the research states.

“Primary objective is espionage”

The group had been previously identified by Unit 42 as “CL-STA-0043” in June 2023, and then “TGR-STA-0043” the following year.

If “Operation Diplomatic Specter” rings a bell, it was the first nickname Unit 42 gave the espionage campaign, after promoting the cluster to a temporary group (the TGR prefix in its naming scheme) in May 2024.

The researchers say that after mapping the cluster’s activities over time and then overlapping its TTPs with other known Chinese nation-state groups, it became apparent they were dealing with an entirely new threat actor.

Unit 42 Phantom Taurus maturity timeline
The maturation process of Phantom Taurus, from a cluster of activity to a formally named threat actor. Image by Unit 42, Palo Alto Networks.

Since then, the group is said to have narrowed its focus to infiltrating “ministries of foreign affairs, embassies, geopolitical events, and military operations” to gain unauthorized access to “sensitive, non-public information,” typically found within entities that provide “services and infrastructure.”

“We observed that the group takes an interest in diplomatic communications, defense-related intelligence, and the operations of critical governmental ministries,” Unit 42 states.

What’s more, the Beijing-backed APT is said to strategically time its attacks to coincide with major global events and regional security affairs.

Rarely observed TTPs

The threat actor’s NET-STAR tools and “rarely observed” TTPs not only make Phantom Taurus a sophisticated and dangerous threat, but also set it apart from other well-known Chinese nation-state hackers, according to the researchers.

“Several of the techniques have not been observed in operations by other groups, while others are sufficiently rare that only a handful of actors have been observed using similar methods,” the report states.

For example, a previous write-up by Unit 42 shows that, as far back as 2023, the APT was observed using “a novel Exchange email exfiltration technique” against only a few selected targets. Now, it appears, the focus has shifted from exfiltrating email to stealing entire databases.

The unique NET-STAR malware suite is seen as a significant threat to internet-facing servers, and is said to demonstrate “advanced evasion techniques and a deep understanding of .NET architecture.”

Phantom Taurus victimology capabilities
Diamond Model representation of Phantom Taurus. Image by Unit 42, Palo Alto Networks.

Named after “the STAR string in its program database (PDB) paths,” Unit 42 says NET-STAR was explicitly created to target Internet Information Services (IIS) web servers, and built to house three distinct web-based backdoors – IIServerCore, AssemblyExecuter V1, and AssemblyExecuter V2.

Furthermore, each backdoor has been identified as serving “a specific role in the attack chain while maintaining persistence within the target’s IIS environment.”
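Because the report describes NET-STAR as purpose-built for IIS and its backdoors as persisting inside the IIS environment, the first thing a defender running IIS wants is an inventory of everything the server loads into w3wp.exe. The script below is an added example, not code from Unit 42 or Palo Alto Networks, and it does not detect NET-STAR specifically (the article gives no loader details): it is the generic IIS integrity check, flagging native modules whose image is outside %windir%\System32\inetsrv and managed modules whose type is not from a known framework namespace. The applicationHost.config fragment and the module names in it are constructed sample input; the allow-list of managed prefixes is an assumption to extend from a known-good host in your own estate.

```python
"""Audit an IIS applicationHost.config for modules IIS should not be loading.

Added example (not Unit 42 / Palo Alto Networks code). Generic IIS backdoor
hunt, not a NET-STAR signature. SAMPLE_CONFIG is constructed; the entries
"HttpLoggingModule" (re-pointed to a DLL outside inetsrv) and "ReportHelper"
(a non-framework managed module) are the planted anomalies.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: managed module types shipped with ASP.NET / IIS live under these
# namespaces. Build this list from a clean host, not from the suspect one.
KNOWN_MANAGED_PREFIXES = ("System.Web.", "Microsoft.Web.", "System.ServiceModel.")
INETSRV = "%windir%\\system32\\inetsrv\\"

SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="CachingModule" image="%windir%\\System32\\inetsrv\\cachfile.dll" />
      <add name="HttpLoggingModule" image="C:\\ProgramData\\Microsoft\\Crypto\\log.dll" />
    </globalModules>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
      <add name="ReportHelper" type="App.Reporting.Helper, ReportHelper, Version=1.0.0.0" />
    </modules>
  </system.webServer>
</configuration>
"""


@dataclass
class Finding:
    kind: str    # which rule fired
    name: str    # module name as registered in IIS
    detail: str  # image path or managed type string


def audit_iis_config(xml_text: str) -> list[Finding]:
    """Return one Finding per module that fails the allow-list rules."""
    root = ET.fromstring(xml_text)
    findings = []
    # Native (global) modules: the DLL must live in the stock inetsrv directory.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            normalized = image.lower().replace("/", "\\")
            if not normalized.startswith(INETSRV):
                findings.append(Finding("native-module-outside-inetsrv", add.get("name", "?"), image))
    # Managed modules: the type must come from a framework namespace.
    # <modules> also appears inside <location> blocks; root.iter covers those.
    for section in root.iter("modules"):
        for add in section.findall("add"):
            typ = add.get("type", "")
            if typ and not typ.startswith(KNOWN_MANAGED_PREFIXES):
                findings.append(Finding("unknown-managed-module", add.get("name", "?"), typ))
    return findings


if __name__ == "__main__":
    for f in audit_iis_config(SAMPLE_CONFIG):
        print(f"{f.kind:32} {f.name:20} {f.detail}")
```

On a real host, point `ET.parse` at `%windir%\System32\inetsrv\config\applicationHost.config` and also walk each site's `web.config`, since a managed module can be registered per-application rather than globally.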

Besides the advanced NET-STAR malware suite, Phantom Taurus’ capabilities are said to include security tools such as Impacket, Yasso penetration toolkit, Samba SMBClient, and other Windows-native tools. Malware families deployed on its victims include Specter malware, Agent Racoon, NtoSpy, Gh0st RAT, and China Chopper.

As for its techniques, the APT has run an in-memory Visual Basic script implant that acts as a web shell, stolen credentials by abusing Windows network providers, and, as mentioned above, stolen emails by misusing the Exchange Management Shell, the researchers say.
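The article says only that email was stolen through the Exchange Management Shell, without naming cmdlets. The script below is an added example, not Unit 42's or Palo Alto Networks' code: it assumes the standard abuse path (an operator grants itself the "Mailbox Import Export" role, then runs mailbox export or search cmdlets, often dropping the PST under the web root so the web shell can fetch it) and hunts for that pattern in Exchange admin audit records. The log lines, account names, and paths are constructed to mimic "MSExchange Management" event log entries; the flagged cmdlet set is my assumption, not a list from the report.

```python
"""Hunt Exchange admin-audit records for mailbox-export abuse.

Added example (not Unit 42 / Palo Alto Networks code). The cmdlets below are
the usual mailbox-exfiltration set and are an assumption; the article names
none. SAMPLE_LOG is constructed: "timestamp caller cmdlet {parameters}".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_CMDLETS = {"New-MailboxExportRequest", "Search-Mailbox", "Export-Mailbox"}
ENABLER_CMDLET = "New-ManagementRoleAssignment"
ENABLER_ROLE = "Mailbox Import Export"
WEB_ROOT_MARKERS = ("inetpub", "wwwroot")

SAMPLE_LOG = """\
2024-05-10T02:11:04Z CORP\\svc-backup Get-MailboxStatistics {Identity=shared-ops}
2024-05-10T02:13:40Z CORP\\iis-apppool New-ManagementRoleAssignment {Role=Mailbox Import Export; User=CORP\\iis-apppool}
2024-05-10T02:15:02Z CORP\\iis-apppool New-MailboxExportRequest {Mailbox=minister.office; FilePath=\\\\EXCH01\\c$\\inetpub\\wwwroot\\aspnet_client\\m.pst}
2024-05-10T02:15:09Z CORP\\iis-apppool New-MailboxExportRequest {Mailbox=attache.defence; FilePath=\\\\EXCH01\\c$\\inetpub\\wwwroot\\aspnet_client\\a.pst}
2024-05-10T02:31:55Z CORP\\iis-apppool Remove-MailboxExportRequest {Identity=minister.office\\MailboxExport}
2024-05-10T09:00:12Z CORP\\exadmin New-MailboxExportRequest {Mailbox=leaver.user; FilePath=\\\\FILE01\\legalhold\\leaver.pst}
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \{(.*)\}$")


def parse(log_text: str) -> list[dict]:
    """Parse constructed audit lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, caller, cmdlet, params = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "caller": caller,
            "cmdlet": cmdlet,
            "params": params,
        })
    return events


def hunt(log_text: str, window: timedelta = timedelta(hours=24)) -> dict[str, list[str]]:
    """Return {caller: [reasons]} for callers whose activity matches the pattern."""
    by_caller = defaultdict(list)
    for ev in parse(log_text):
        by_caller[ev["caller"]].append(ev)

    findings = {}
    for caller, evs in by_caller.items():
        reasons = []
        enabled_at = None
        exports = [e for e in evs if e["cmdlet"] in EXFIL_CMDLETS]

        # Prerequisite: nobody can export mailboxes without this role.
        for e in evs:
            if e["cmdlet"] == ENABLER_CMDLET and ENABLER_ROLE in e["params"]:
                enabled_at = e["ts"]
                reasons.append("granted Mailbox Import Export role")

        for e in exports:
            if enabled_at and timedelta(0) <= e["ts"] - enabled_at <= window:
                reasons.append(f"export shortly after role grant: {e['params']}")
            if any(marker in e["params"].lower() for marker in WEB_ROOT_MARKERS):
                reasons.append(f"export written under web root: {e['params']}")

        # Bulk collection: several mailboxes exported back-to-back.
        if len(exports) >= 2 and exports[-1]["ts"] - exports[0]["ts"] <= timedelta(minutes=10):
            reasons.append(f"{len(exports)} mailbox exports within 10 minutes")

        # Cleanup: export request removed so it no longer shows in the queue.
        if exports and any(e["cmdlet"] == "Remove-MailboxExportRequest" for e in evs):
            reasons.append("export request removed after completion")

        if reasons:
            findings[caller] = reasons
    return findings


if __name__ == "__main__":
    for caller, reasons in hunt(SAMPLE_LOG).items():
        print(caller)
        for r in reasons:
            print("  -", r)
```

A single legitimate export (the `exadmin` line, to a file server for legal hold) produces no finding; the rules fire on the combination of self-granted role, burst of exports, web-root destination and cleanup. On a live server the same records come from `Search-AdminAuditLog` or the "MSExchange Management" event log, and the parser is the only part that needs adapting.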

Palo Alto Networks says it has already upgraded several of its popular products, such as its Advanced WildFire machine-learning models and Cortex XDR, to better protect against the threat, and has also shared its findings with fellow Cyber Threat Alliance (CTA) members, recommending they do the same.
