Phantom Taurus is the formal name Palo Alto Networks' Unit 42 has given to activity it previously tracked as the clusters CL-STA-0043 and TGR-STA-0043. The group has focused on ministries of foreign affairs, embassies, telecommunications infrastructure and individual diplomats, collecting sensitive diplomatic, defence and geopolitical intelligence.
Phantom Taurus stands out for pragmatic access strategies rather than broad phishing campaigns. It gains entry by exploiting known vulnerabilities in internet-facing IIS and Exchange servers, such as ProxyLogon and ProxyShell. Once inside, the group deploys NET-STAR, an in-memory malware suite built to evade detection. The suite comprises a core backdoor and two loaders; the second loader can bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), removing two of the hooks that endpoint security products rely on to inspect .NET code and receive runtime telemetry. Analysts describe the approach as "fileless": the payload executes in memory and is never written to disk, so it leaves minimal traces on the file system, although it can still be recovered from memory captures and inferred from IIS and ETW logs where those remain intact.
In parallel, Phantom Taurus has shifted from harvesting email to querying SQL Server databases directly. Using a script dubbed mssq.bat, the operators connect with stolen credentials, run targeted queries, export the results to CSV and disconnect, with the whole sequence launched through Windows Management Instrumentation (WMI). As reported, the searches have focused on information tied to Afghanistan, Pakistan and other countries of strategic interest.
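The execution chain described above (WMI launching a shell, which runs a batch file, which runs a SQL client that writes CSV) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or from Unit 42: it walks a few constructed records shaped like Sysmon Event ID 1 and flags any SQL client whose ancestry leads back to WmiPrvSE.exe. The paths, GUIDs, user names, server address and query text are placeholders, not observed indicators.

```python
"""Added example (not from the article or from Unit 42): flag SQL client
activity that descends from WmiPrvSE.exe, the execution pattern the article
attributes to mssq.bat. The records below are constructed in the shape of
Sysmon Event ID 1 (process creation); they are not real telemetry, and every
host name, GUID, user and query is a placeholder."""
import re
from typing import Dict, List

WMI_HOST = "wmiprvse.exe"                            # provider host that services Win32_Process.Create
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}  # command-line SQL Server clients
SQL_HINTS = re.compile(r"\b(sqlcmd|osql|bcp|invoke-sqlcmd)\b", re.I)
CSV_OUT = re.compile(r"\.csv\b", re.I)

# Constructed sample records. Order is chronological, as Sysmon emits them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # WMI spawns cmd.exe to run the batch file
        "UtcTime": "2025-09-30 02:14:07.113", "ProcessGuid": "{P1}", "ParentProcessGuid": "{P0}",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c C:\Windows\Temp\mssq.bat 10.0.0.5 svc_sql",
        "User": r"CORP\svc_sql",
    },
    {   # the batch file runs sqlcmd and exports the result set to CSV
        "UtcTime": "2025-09-30 02:14:07.480", "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
        "CommandLine": 'sqlcmd -S 10.0.0.5 -U svc_sql -P **** -Q "SELECT subject, body FROM cables '
                       'WHERE subject LIKE \'%Afghanistan%\'" -s "," -o C:\\Windows\\Temp\\r1.csv',
        "User": r"CORP\svc_sql",
    },
    {   # benign: SQL Agent backup job, not WMI-descended
        "UtcTime": "2025-09-30 03:00:00.021", "ProcessGuid": "{P3}", "ParentProcessGuid": "{S0}",
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE",
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
        "CommandLine": "sqlcmd -S localhost -E -Q \"BACKUP DATABASE hr TO DISK='D:\\bk\\hr.bak'\"",
        "User": r"NT Service\SQLSERVERAGENT",
    },
    {   # benign: WMI-spawned inventory script with no SQL client involved
        "UtcTime": "2025-09-30 03:05:12.900", "ProcessGuid": "{P4}", "ParentProcessGuid": "{P0}",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\ops\inventory.ps1",
        "User": r"CORP\svc_ops",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_wmi_sql_chains(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per SQL client process whose ancestry leads to WmiPrvSE.exe.

    Ancestry is tracked by ProcessGuid: a process is WMI-descended if its parent
    image is WmiPrvSE.exe or its ParentProcessGuid belongs to a process already
    marked WMI-descended. That catches WmiPrvSE -> cmd -> sqlcmd without needing
    the intermediate cmd.exe to look suspicious on its own.
    """
    wmi_descended = set()
    findings: List[Dict[str, object]] = []
    for ev in events:
        from_wmi = (basename(ev["ParentImage"]) == WMI_HOST
                    or ev["ParentProcessGuid"] in wmi_descended)
        if not from_wmi:
            continue
        wmi_descended.add(ev["ProcessGuid"])
        image, cmd = basename(ev["Image"]), ev["CommandLine"]
        if image in SQL_CLIENTS or SQL_HINTS.search(cmd):
            findings.append({
                "time": ev["UtcTime"],
                "user": ev["User"],
                "image": image,
                "exports_csv": bool(CSV_OUT.search(cmd)),  # bulk export is the point of the query
                "command": cmd,
            })
    return findings


if __name__ == "__main__":
    for f in find_wmi_sql_chains(SAMPLE_EVENTS):
        print(f"[{f['time']}] {f['user']} ran {f['image']} from a WMI chain "
              f"(CSV export: {f['exports_csv']})")
```

Only the second record is flagged: the SQL Agent backup has no WMI ancestry, and the WMI-launched PowerShell script never touches a SQL client. In production the same logic runs over the EDR's process tree rather than a list, and the credential in the command line is itself a lead, since a `-U`/`-P` pair on a WMI-launched sqlcmd points at the stolen account the article describes.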
Attribution rests on a mix of distinctive TTPs, infrastructure overlaps with known Chinese groups and victimology patterns. Unit 42 stresses that the NET-STAR toolkit is novel and has not been matched to anything reported by other firms. Some of the domain registration practices, hosting providers and IP reuse across the infrastructure point to compartmentalised operations within China's broader espionage ecosystem.
Cyber-defence vendors caution that NET-STAR's in-memory execution makes conventional antivirus and endpoint detection tools less effective, since there is no on-disk payload for them to scan. The malware's timestomping capability rewrites file metadata to mask creation and modification dates, further obscuring evidence on hosts where files were written. Indicators of compromise include anomalous IIS operations, suspicious WMI-triggered SQL queries and tampered or unexpected ASPX files serving as web shells.
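Timestomping is only convincing against tools that read one set of NTFS timestamps. Each MFT record carries two: $STANDARD_INFORMATION ($SI), which SetFileTime and most timestomping utilities rewrite, and $FILE_NAME ($FN), which the kernel sets and which that API cannot reach. The following is an added example, not code from the article or from Unit 42: it applies two well-known heuristics to constructed MFT-style records for ASPX files and scores each one. The paths and timestamps are placeholders, and a real deployment would feed it the output of an MFT parser.

```python
"""Added example (not from the article or from Unit 42): triage web-root
files for timestomping by comparing $STANDARD_INFORMATION ($SI) and
$FILE_NAME ($FN) timestamps from an NTFS MFT record. The records below are
constructed with placeholder paths and times; real input would come from
an MFT parser."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def parse_ts(value: str) -> Tuple[datetime, int]:
    """Parse 'YYYY-MM-DDTHH:MM:SS.fffffff' (NTFS keeps 100 ns ticks) into
    (whole-second UTC datetime, sub-second ticks). Ticks are kept separately
    because their value, not just the date, is part of the heuristic."""
    whole, _, frac = value.partition(".")
    dt = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return dt, ticks


# Constructed sample records (not real MFT data).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {   # legitimate page deployed with the application: $SI and $FN agree
        "path": r"C:\inetpub\wwwroot\app\default.aspx",
        "si_created": "2024-03-12T09:41:15.2201567",
        "si_modified": "2024-03-12T09:41:15.2201567",
        "fn_created": "2024-03-12T09:41:15.2201567",
    },
    {   # web shell dropped in 2025 with $SI backdated to blend into the 2024 deployment
        "path": r"C:\inetpub\wwwroot\app\errorpage.aspx",
        "si_created": "2024-03-12T09:41:15.0000000",
        "si_modified": "2024-03-12T09:41:15.0000000",
        "fn_created": "2025-09-29T23:58:02.8813344",
    },
    {   # file restored from backup: $SI predates $FN but keeps sub-second precision
        "path": r"C:\inetpub\wwwroot\app\web.config",
        "si_created": "2023-11-02T14:07:33.5120018",
        "si_modified": "2023-11-02T14:07:33.5120018",
        "fn_created": "2025-09-30T01:10:44.0371202",
    },
]


def timestomp_indicators(rec: Dict[str, str]) -> List[str]:
    """Return the heuristic reasons a record looks timestomped (empty if none)."""
    si_c, si_c_ticks = parse_ts(rec["si_created"])
    _, si_m_ticks = parse_ts(rec["si_modified"])
    fn_c, fn_c_ticks = parse_ts(rec["fn_created"])
    reasons: List[str] = []
    # 1. $SI creation earlier than $FN creation. $FN is written by the kernel when the
    #    file is created, so a $SI value that predates it was set after the fact.
    if (si_c, si_c_ticks) < (fn_c, fn_c_ticks):
        reasons.append("si_created_before_fn_created")
    # 2. Both $SI times on an exact second. Tools that accept a typed date write zero
    #    sub-second ticks, which the file system itself almost never produces.
    if si_c_ticks == 0 and si_m_ticks == 0:
        reasons.append("si_times_on_whole_second")
    return reasons


def triage(records: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Map each suspicious path to a severity and its reasons.
    Both heuristics together are 'high'; one alone is 'review', because
    restores and archive extraction also leave $SI older than $FN."""
    out: Dict[str, Dict[str, object]] = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            out[rec["path"]] = {"severity": severity, "reasons": reasons}
    return out


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_RECORDS).items():
        print(f"{verdict['severity']:6} {path}: {', '.join(verdict['reasons'])}")
```

Two caveats matter in practice. $FN timestamps are copied from $SI when a file is renamed or moved, so a shell that is timestomped and then renamed into place will not show the $SI/$FN gap; a hash or content comparison against the deployed application is the fallback. And on a live host, Sysmon Event ID 2 (file creation time changed) records the SetFileTime call itself, which is the cheaper detection if that telemetry exists.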