Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Sept. 30, 2025, 8:12 p.m.
Description
Phantom Taurus, a newly identified Chinese state-sponsored threat actor, has been conducting espionage operations targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's primary focus includes ministries of foreign affairs, embassies, and military operations, with the objective of gathering sensitive information. Phantom Taurus employs distinctive tactics, techniques, and procedures, including a new malware suite called NET-STAR. This suite consists of three web-based backdoors designed to target Internet Information Services (IIS) web servers. The group has recently shifted from targeting emails to directly accessing databases, demonstrating their ability to adapt and evolve their methods. Phantom Taurus' activities align with Chinese strategic interests, and their infrastructure overlaps with other known Chinese APT groups.
Date
- Created: Sept. 30, 2025, 5:21 p.m.
- Published: Sept. 30, 2025, 5:21 p.m.
- Modified: Sept. 30, 2025, 8:12 p.m.
Indicators
- eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc
- b76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038
- afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e
- 3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4
Additional Information
- Telecommunications
- Government
- Afghanistan
- Pakistan