{"id":5154,"date":"2025-10-01T21:58:11","date_gmt":"2025-10-01T21:58:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5154"},"modified":"2025-10-01T21:58:11","modified_gmt":"2025-10-01T21:58:11","slug":"chinese-apt-group-phantom-taurus-targets-gov-and-telecom-organizations","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5154","title":{"rendered":"Chinese APT group Phantom Taurus targets gov and telecom organizations"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers have documented a previously unknown threat actor that aligns with China\u2019s intelligence collection interests. The group primarily targets government and telecommunications organizations from Africa, the Middle East, and Asia with the goal of maintaining long-term covert access to critical systems.<\/p>\n<p>Over the past two years, researchers from Palo Alto Networks have investigated separate clusters of malicious activity that have now been attributed to the same group: <a href=\"https:\/\/unit42.paloaltonetworks.com\/phantom-taurus\/\">Phantom Taurus<\/a>. The company previously tracked these attacks under temporary names such as CL-STA-0043 and TGR-STA-0043, or as <a href=\"https:\/\/unit42.paloaltonetworks.com\/operation-diplomatic-specter\/\">Operation Diplomatic Specter<\/a>.<\/p>\n<p>\u201cOur observations show that Phantom Taurus\u2019 main focus areas include ministries of foreign affairs, embassies, geopolitical events, and military operations,\u201d the researchers wrote in their new report. \u201cThe group\u2019s primary objective is espionage. 
Its attacks demonstrate stealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs).\u201d<\/p>\n<p>The group\u2019s extensive toolset of custom-developed malware includes a suite of three previously undocumented backdoors for Microsoft Internet Information Services (IIS) web servers that the researchers dubbed NET-STAR. Other tools include in-memory Visual Basic script implants, a malware family called Specter that includes the TunnelSpecter DNS tunneling program and SweetSpecter remote access trojan, Agent Racoon, PlugX, Gh0st RAT, China Chopper, Mimikatz, Impacket, and many other dual-use tools and system administration utilities.<\/p>\n<h2 class=\"wp-block-heading\">A change in tactics<\/h2>\n<p>Previously, Phantom Taurus focused on harvesting mailboxes of interest from Exchange servers that were compromised using known vulnerabilities such as ProxyLogon (CVE-2021-26855) and <a href=\"https:\/\/www.csoonline.com\/article\/571223\/unpatched-exchange-servers-an-overlooked-risk.html\">ProxyShell<\/a> (CVE-2021-34473). This year, however, the researchers noticed that the attackers had started searching for and extracting data from SQL databases.<\/p>\n<p>The group uses Windows Management Instrumentation (WMI) to execute a script called mssq.bat that connects to an SQL database using the sa (system administrator) account with a password the attackers obtained earlier. 
It then performs a dynamic search for specific keywords specified in the script, saving the results as a CSV file.<\/p>\n<p>\u201cThe threat actor used this method to search for documents of interest and information related to specific countries such as Afghanistan and Pakistan,\u201d the researchers said.<\/p>\n<h2 class=\"wp-block-heading\">NET-STAR malware suite<\/h2>\n<p>A newly discovered addition to Phantom Taurus\u2019 toolset this year is a set of web-based backdoors designed to interact with IIS web servers.<\/p>\n<p>The main component, called IIServerCore, operates within the memory of the w3wp.exe IIS worker process and is capable of loading other fileless payloads directly into memory, executing arbitrary commands and command-line arguments.<\/p>\n<p>\u201cThe initial component of IIServerCore is an ASPX web shell named OutlookEN.aspx,\u201d the researchers wrote. \u201cThis web shell contains an embedded Base64-compressed binary, the IIServerCore backdoor. When the web shell executes, it loads the backdoor into the memory of the w3wp.exe process and invokes the Run method, which is the main function of IIServerCore.\u201d<\/p>\n<p>Another component, called AssemblyExecuter V1, is designed to execute .NET assembly bytecode in memory, whereas the enhanced version, AssemblyExecuter V2, is capable of bypassing the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).<\/p>\n<p>\u201cThe component\u2019s seemingly benign code structure results in minimal flagging by antivirus engines on VirusTotal, at the time of writing this article,\u201d the researchers said. 
\u201cThis demonstrates a technique that threat actors can use to create tools that avoid overt code, which detection systems might interpret as malicious.\u201d<\/p>\n<p>Phantom Taurus uses APT operational infrastructure associated in the past exclusively with other Chinese threat actors, such as Iron Taurus (aka APT27), Starchy Taurus (aka Winnti), and Stately Taurus (aka Mustang Panda). However, the specific infrastructure components used by Phantom Taurus have not been observed with the other groups, suggesting this is a separate group that compartmentalizes its operations.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers have documented a previously unknown threat actor that aligns with China\u2019s intelligence collection interests. The group primarily targets government and telecommunications organizations from Africa, the Middle East, and Asia with the goal of maintaining long-term covert access to critical systems. Over the past two years researchers from Palo Alto Networks have investigated separate clusters 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5155,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5154","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5154"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5154"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5154\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5155"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
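The NET-STAR section above describes the stager pattern behind OutlookEN.aspx: an ASPX page carrying a Base64 string that holds a compressed .NET binary, which the page decodes, loads into the w3wp.exe worker with reflection, and starts through a "Run" method. The following triage helper is an added example written for this page; it is not code from Unit 42, from the article, or from Phantom Taurus. It assumes nothing about the real web shell beyond what the text says: it scans ASPX source for the .NET calls such a loader needs (Convert.FromBase64String, Assembly.Load, GZipStream/DeflateStream, GetMethod/Invoke), carves the longest Base64 run, undoes gzip, zlib or raw deflate wrapping, and checks whether the result starts like a PE and carries CLR import strings. The marker list, the 400-character Base64 threshold, and both sample pages (a loader-shaped stand-in with a fake "assembly", and a benign page) are constructed fixtures, not indicators from the report.

```python
"""
Added triage helper (not Unit 42's or the page's code): hunt ASPX files for a
memory-only .NET loader that decodes a Base64 blob, decompresses it, calls
Assembly.Load on it, and invokes a method by name. All fixtures are constructed.
"""
import base64
import gzip
import hashlib
import re
import zlib
from dataclasses import dataclass, field

# .NET APIs a memory-only loader needs; each is benign alone, together they are the heuristic.
LOADER_MARKERS = (
    "Convert.FromBase64String", "Assembly.Load", "GZipStream",
    "DeflateStream", ".GetType(", ".GetMethod(", ".Invoke(",
)
# A Base64 run long enough to carry an assembly rather than a token or a small icon (assumed threshold).
B64_RE = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")


@dataclass
class Finding:
    path: str
    markers: list = field(default_factory=list)
    entry_hints: list = field(default_factory=list)  # method names passed to GetMethod(...)
    blob_len: int = 0
    compression: str = ""
    payload_len: int = 0
    is_pe: bool = False
    dotnet_hint: bool = False


def unpack(raw: bytes):
    """Undo the wrappers .NET loaders commonly use; returns (wrapper name, payload)."""
    if raw[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(raw)
    if len(raw) >= 2 and raw[0] & 0x0F == 8 and (raw[0] * 256 + raw[1]) % 31 == 0:
        try:
            return "zlib", zlib.decompress(raw)
        except zlib.error:
            pass
    try:
        return "deflate-raw", zlib.decompress(raw, -15)
    except zlib.error:
        return "none", raw


def carve_payload(blob_b64: str):
    return unpack(base64.b64decode(blob_b64, validate=True))


def scan_aspx(path: str, source: str) -> Finding:
    f = Finding(path=path)
    f.markers = [m for m in LOADER_MARKERS if m in source]
    f.entry_hints = re.findall(r'GetMethod\(\s*"([A-Za-z_]\w*)"', source)
    blobs = B64_RE.findall(source)
    if not blobs:
        return f
    blob = max(blobs, key=len)
    f.blob_len = len(blob)
    try:
        f.compression, payload = carve_payload(blob)
    except (ValueError, OSError, EOFError, zlib.error):
        return f  # not decodable as a packed binary; markers alone still count
    f.payload_len = len(payload)
    f.is_pe = payload[:2] == b"MZ"
    # Managed PEs import mscoree.dll / _CorDllMain; a cheap hint, not a CLR-header parse.
    f.dotnet_hint = b"mscoree.dll" in payload or b"_CorDllMain" in payload
    return f


def verdict(f: Finding) -> str:
    if f.is_pe and len(f.markers) >= 3:
        return "in-memory .NET loader"
    if f.is_pe or len(f.markers) >= 3:
        return "suspicious"
    return "clean"


# ---- constructed fixtures: stand-ins, not the real OutlookEN.aspx or IIServerCore ----

def fake_assembly() -> bytes:
    """MZ header, CLR import strings and an incompressible body; deliberately not a valid PE."""
    body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))
    return b"MZ" + b"\x00" * 58 + b"\x80\x00\x00\x00PE\x00\x00" + b"mscoree.dll\x00_CorDllMain\x00" + body


def encode_blob(data: bytes, method: str = "gzip") -> str:
    packed = gzip.compress(data, mtime=0) if method == "gzip" else zlib.compress(data)
    return base64.b64encode(packed).decode()


CONSTRUCTED_SHELL = f'''<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %><%@ Import Namespace="System.IO.Compression" %>
<%@ Import Namespace="System.Reflection" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {{
    byte[] packed = Convert.FromBase64String("{encode_blob(fake_assembly())}");
    var ms = new MemoryStream();
    new GZipStream(new MemoryStream(packed), CompressionMode.Decompress).CopyTo(ms);
    object core = Assembly.Load(ms.ToArray()).CreateInstance("Core");
    core.GetType().GetMethod("Run").Invoke(core, new object[] {{ Context }});
}}
</script>'''

BENIGN_PAGE = '''<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    string csrf = Encoding.UTF8.GetString(Convert.FromBase64String(Request["t"] ?? ""));
}
</script><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">'''

if __name__ == "__main__":
    for name, src in (("OutlookEN-like.aspx", CONSTRUCTED_SHELL), ("login.aspx", BENIGN_PAGE)):
        f = scan_aspx(name, src)
        print(f"{name}: {verdict(f)} markers={len(f.markers)} blob={f.blob_len}B "
              f"{f.compression} payload={f.payload_len}B pe={f.is_pe} clr={f.dotnet_hint} entry={f.entry_hints}")
```

Run it over the wwwroot of an IIS host (or over the files referenced by recent w3wp.exe file-access telemetry) and treat any "in-memory .NET loader" hit as a carve target rather than a verdict: the decoded payload should go to a .NET disassembler, since, as the article notes for AssemblyExecuter, the surrounding source can be written to look benign and the markers here are deliberately generic. The scanner does not evaluate obfuscated strings, so a loader that builds "Assembly.Load" at runtime will drop to "suspicious" or "clean"; pair it with process-level detection of w3wp.exe loading assemblies from memory.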