A new, previously undocumented state-sponsored cyber espionage actor has emerged: Phantom Taurus. Researchers from Palo Alto Networks Unit 42 have tracked this China-linked group for more than two and a half years. It mainly targets governmental and telecommunications organizations in Africa, the Middle East, and Asia. Its collection interests include foreign ministries, embassies, geopolitical events, and military operations, with the primary goal of stealing sensitive, non-public data. The attacks focus on stealth, persistence, and adaptability, employing unique TTPs (tactics, techniques, and procedures) rarely seen in the threat landscape.

Why is Phantom Taurus a threat in 2025?

In today's world of growing geopolitical tensions, sophisticated state-sponsored cyber threats pose risks far beyond the infrastructures of major powers. Phantom Taurus demonstrates how high-value targets, including diplomatic missions, government contractors, and telecommunications providers, remain exposed to highly organized and persistent attackers.

A few reasons why this threat deserves attention:

  • Global reach: The group’s operations stretch from the Middle East to Asia, and its tools and techniques can be easily adapted for use in other regions.
  • Custom toolsets: The group uses proprietary malware families such as Specter, NtoSpy, and the newly discovered NET-STAR suite, which runs on the .NET platform and is difficult to detect.
  • Shift in data collection: From email-based data theft in 2023, the group pivoted to direct database access by 2025, executing targeted SQL queries with its mssq.bat script and exporting results as CSV files.
  • Rare TTPs: They employ uncommon techniques, such as timestomping and fileless execution, that are rarely seen in other actor profiles.

Main TTPs of Phantom Taurus

Over recent years, researchers have documented the group’s most important tactics and techniques. These insights are not only valuable to experts but to any organization handling sensitive information.

Initial Access: The group exploits known but unpatched vulnerabilities in Microsoft Exchange or IIS servers (such as ProxyLogon and ProxyShell) to gain entry into networks.

Living-off-the-Land: Attackers use Windows Management Instrumentation (WMI) to remotely execute the mssq.bat script, evading traditional antivirus defenses.

Database Exfiltration: The mssq.bat script connects to SQL servers with administrative (SA) privileges, runs predefined queries, and exports the results to CSV files. Using WMI execution, the entire process can remain fileless and log-free.

Timestomping and Obfuscation: They manipulate the timestamps of loaded web shells and backdoor files (via changeLastModified) to make them appear old and legitimate, hindering forensic investigation.

Special Toolset: In addition to standard tools like China Chopper, Impacket, and the Potato suite, Phantom Taurus relies on proprietary software such as Specter, NtoSpy, and NET-STAR.

The NET-STAR malware suite

At the core of the group’s latest arsenal is the previously unknown .NET-based malware suite NET-STAR, designed to compromise IIS web servers. NET-STAR consists of three components:

  • IIServerCore: A fileless, modular backdoor that loads additional payloads into memory based on HTTP requests, executes commands, and communicates over encrypted channels.
  • AssemblyExecuter v1: The 2024 variant capable of loading and executing .NET assemblies directly in memory without writing them to disk.
  • AssemblyExecuter v2: The more advanced 2025 version, which also runs assemblies in memory and includes AMSI and ETW bypass techniques (Antimalware Scan Interface and Event Tracing for Windows).

The IIServerCore component is loaded via a web shell named OutlookEN.aspx and operates entirely within the memory of the w3wp.exe process. It supports receiving payloads and arguments, executing filesystem operations, running SQL commands, and evading antivirus tools.

What can organizations do?

Although Phantom Taurus is a complex and persistent threat, the risk can be substantially reduced with the right defensive measures.

Continuous patching: Apply the latest security updates to Exchange and IIS servers, especially those addressing ProxyLogon and ProxyShell.

Monitor WMI activity: Alert on suspicious WMI commands that execute remote BAT scripts or interact with SQL servers.
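As an added illustration of this measure (example code written for this post, not a detection from Unit 42 or any EDR vendor), the script below runs three simple rules over constructed process-creation events in a Sysmon Event ID 1 shape: a batch script launched with WmiPrvSE.exe as the parent, a command-line SQL client logging in as SA, and query output redirected to a CSV file. The event records, paths, and the SQL server address are constructed placeholders.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 shape).
# Illustrative records only; none of this is telemetry from a real incident.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\mssq.bat"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "CommandLine": r'sqlcmd -S 10.0.0.5 -U sa -P <placeholder> -Q "select * from docs" -o C:\Windows\Temp\out.csv -s ","'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c build.bat"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic os get caption"},
]

WMI_HOST = re.compile(r"\\wmiprvse\.exe$", re.IGNORECASE)        # WMI provider host as parent
BATCH_SCRIPT = re.compile(r"\S+\.(bat|cmd)\b", re.IGNORECASE)      # a .bat/.cmd on the command line
SQL_CLIENT = re.compile(r"\\(sqlcmd|osql|bcp)\.exe$", re.IGNORECASE)
SA_LOGIN = re.compile(r"-U\s+sa\b", re.IGNORECASE)                  # explicit SA account login
CSV_OUTPUT = re.compile(r"(-o\s+\S+\.csv|>\s*\S+\.csv)", re.IGNORECASE)

def classify(event):
    """Return the detection labels that fire on one process-creation event."""
    labels = []
    parent, image, cmd = event["ParentImage"], event["Image"], event["CommandLine"]
    if WMI_HOST.search(parent) and BATCH_SCRIPT.search(cmd):
        labels.append("wmi_batch_exec")      # batch script launched through WMI
    if SQL_CLIENT.search(image):
        if SA_LOGIN.search(cmd):
            labels.append("sql_sa_login")    # command-line SQL client using the SA account
        if CSV_OUTPUT.search(cmd):
            labels.append("sql_csv_export")  # query results written to a CSV file
    return labels

def scan(events):
    """Run every event through classify() and keep only the ones that fire."""
    hits = []
    for event in events:
        labels = classify(event)
        if labels:
            hits.append({"CommandLine": event["CommandLine"], "labels": labels})
    return hits
```

In production these rules would be fed from the EDR or Sysmon pipeline, and the batch-via-WMI rule in particular should be tuned against legitimate management tooling that also spawns scripts from WmiPrvSE.exe.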

Process and file telemetry: Use modern EDR/XDR capable of detecting and blocking memory-resident, fileless malware.

Network segmentation and least privilege: Limit admin account usage and segment DB/app servers to prevent lateral movement.

Security awareness: Keep teams up to date on threat intel and current TTPs, and rehearse incident response workflows.

Relevance to the Hungarian context

While Phantom Taurus is currently most active in the Middle East, Africa, and Asia, Hungarian organizations should prepare for similar TTPs. Methods such as fileless IIS backdoors and SQL-centered data theft are transferable to other regions. Government, diplomatic, and critical infrastructure entities in Hungary should prioritize security audits, architecture reviews, and stronger logging/detection. Third-party providers (for example, telecom operators) should also be scrutinized, as Phantom Taurus often leverages indirect channels.

What types of organizations are the main targets?

Phantom Taurus primarily targets government entities, ministries of foreign affairs, embassies, military and diplomatic institutions, as well as telecommunications service providers. These organizations possess the sensitive, non-public information the group seeks to obtain.

How can the presence of NET-STAR be identified?

NET-STAR usually loads from a web shell named OutlookEN.aspx and runs inside the w3wp.exe process. Unusual network requests, spikes in the process’s memory usage, or mysterious Base64-encoded POST requests may indicate infection. Due to the built-in changeLastModified command, related file timestamps may suspiciously point to the future.
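To make those indicators concrete, here is an added example (written for this post, not tooling from Unit 42) that parses a constructed IIS W3C log excerpt, flags requests whose file name matches the OutlookEN.aspx loader or which are unusually large POSTs to an .aspx page, and separately lists files whose last-write time lies in the future. The /owa/auth/ directory, the client addresses, the 16 KB size threshold, and the file timestamps are all assumed sample values.

```python
from datetime import datetime, timezone

# Constructed IIS W3C log excerpt; cs-bytes is assumed to be enabled in the log format.
SAMPLE_IIS_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-bytes sc-status
2025-09-30 08:12:01 GET /owa/auth/logon.aspx - 203.0.113.7 512 200
2025-09-30 08:12:09 POST /owa/auth/OutlookEN.aspx - 203.0.113.7 18734 200
2025-09-30 08:13:44 POST /owa/auth/logon.aspx - 198.51.100.3 900 302
2025-09-30 08:14:02 POST /ecp/default.aspx - 203.0.113.7 65120 200
""".splitlines()

WEBSHELL_NAMES = {"outlooken.aspx"}   # loader name reported for NET-STAR (compared case-insensitively)
LARGE_POST_BYTES = 16384               # assumed threshold for an "unusually large" .aspx POST

def parse_iis(lines):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def flag_requests(lines):
    """Return (reason, row) pairs for requests matching the NET-STAR loader indicators."""
    hits = []
    for row in parse_iis(lines):
        name = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name in WEBSHELL_NAMES:
            hits.append(("known_webshell_name", row))
        elif (row["cs-method"] == "POST" and name.endswith(".aspx")
              and int(row["cs-bytes"]) > LARGE_POST_BYTES):
            hits.append(("large_aspx_post", row))   # candidate for a Base64-encoded payload
    return hits

def future_timestamps(entries, now):
    """Given (path, last-write time) pairs, return the paths stamped later than 'now'."""
    return [path for path, mtime in entries if mtime > now]

# Constructed directory listing of the web root, as (path, last-write time) pairs.
NOW = datetime(2025, 9, 30, 9, 0, tzinfo=timezone.utc)
SAMPLE_FILES = [
    (r"C:\inetpub\wwwroot\owa\auth\OutlookEN.aspx", datetime(2027, 1, 15, 3, 0, tzinfo=timezone.utc)),
    (r"C:\inetpub\wwwroot\owa\auth\logon.aspx", datetime(2021, 3, 2, 0, 0, tzinfo=timezone.utc)),
]
```

Against a live server the file list would come from os.scandir() over the IIS web root with each entry's st_mtime, and the size rule needs a baseline of normal POST sizes for the application before it is used for alerting.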

Why did the group shift from email exfiltration to database theft?

While emails can yield valuable intelligence, structured databases give the group faster and more targeted access to high-value information (for example, diplomatic cables or defense documentation). The mssq.bat script executes dynamic queries to extract keyword-linked records from SQL servers.

We can help you prevent and detect

If you notice suspicious activity in IIS/Exchange environments or signs of a targeted attack, get in touch. With network audits, IT security operations, and incident response, we help close gaps and improve detection.