Researchers at Palo Alto Networks say a Chinese-linked cyberespionage group has been targeting foreign ministries, embassies, and military-related communications by breaking into Microsoft Exchange email servers.
The group, named Phantom Taurus by the company’s threat intelligence team, has been tracked for nearly three years. Researchers say the hackers gained access to Exchange systems and specifically searched for communications connected to embassies, military operations, and diplomatic events.
Unit 42 links Phantom Taurus to Chinese state-backed hacking groups, pointing to infrastructure overlaps with well-known teams such as Mustang Panda and Winnti.
Targeting Diplomats For Sensitive Data
Unit 42 reported that Phantom Taurus’ operations focus heavily on ministries of foreign affairs, embassies, and organizations with access to defense and geopolitical intelligence. Investigators noted that many of the breaches took place during or just before major global events or regional military developments.
The group has also targeted regions including Afghanistan, Pakistan and countries in the Middle East, which remain areas of strategic interest to Beijing. Palo Alto Networks did not disclose which governments were affected but said the campaign reflects a broader pattern of long-term espionage against high-value targets.
Different Tactics
Researchers say Phantom Taurus operates differently from other Chinese APT groups. The attackers rely on custom tools and techniques that allow them to evade detection for long periods of time.
Phantom Taurus also changes its approach quickly when needed, which makes it harder for researchers to track. The group’s goal is to maintain quiet access to sensitive systems, sometimes for months, while continuing to collect intelligence.
According to Palo Alto’s technical analysis, in addition to targeting Exchange servers for email data, the group has recently expanded to direct database collection. Researchers documented the use of custom scripts that connect to SQL databases, run dynamic queries, and export the results.
NET-STAR Malware
Unit 42 also identified a previously unknown malware suite named NET-STAR, built to compromise Microsoft Internet Information Services (IIS) servers. NET-STAR uses a fileless backdoor called IIServerCore and memory-resident loaders that run directly inside the IIS process, so activity stays in RAM rather than on disk, making it much harder to detect.
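The detection problem described above, as an added illustration rather than anything from Unit 42 or the article: a loader that keeps its payload only in the memory of the IIS worker process leaves no image file to scan, so one defensive check is to inventory the modules a process reports as loaded and flag those that have no backing file on disk. The module records below are constructed for this example (the field names and the `w3wp.exe` process filter are assumptions, standing in for what a memory-forensics tool or CLR loader trace would report).

```python
"""Flag in-memory-only modules in an IIS worker process.

Added example, not code from the original article. The module inventory
is constructed; in practice it would come from a memory-forensics tool
or a runtime loader trace.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LoadedModule:
    process: str       # image name of the hosting process, e.g. "w3wp.exe"
    name: str          # module/assembly name as reported by the runtime
    backing_path: str  # on-disk path, or "" when the image has no file
    is_dynamic: bool   # True when loaded from a byte array or emitted at runtime


def is_fileless(mod: LoadedModule) -> bool:
    """A module is 'fileless' if nothing on disk backs it or it was built in memory."""
    return mod.is_dynamic or mod.backing_path.strip() == ""


def find_fileless(modules: List[LoadedModule], process: str = "w3wp.exe") -> List[str]:
    """Return the names of fileless modules inside the given process (default: IIS worker)."""
    return [
        m.name
        for m in modules
        if m.process.lower() == process.lower() and is_fileless(m)
    ]


def fileless_counts(modules: List[LoadedModule]) -> Dict[str, int]:
    """Count fileless modules per process, for a quick fleet-wide triage view."""
    counts: Dict[str, int] = {}
    for m in modules:
        if is_fileless(m):
            counts[m.process.lower()] = counts.get(m.process.lower(), 0) + 1
    return counts


# Constructed sample inventory: two normal on-disk assemblies, two with no
# file behind them inside w3wp.exe, and one fileless module elsewhere.
SAMPLE_MODULES = [
    LoadedModule("w3wp.exe", "System.Web.dll",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll", False),
    LoadedModule("w3wp.exe", "App_Web_x7k2.dll",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\a1b2c3\App_Web_x7k2.dll", False),
    LoadedModule("w3wp.exe", "Loader.dll", "", True),      # constructed: byte-array load
    LoadedModule("w3wp.exe", "<unnamed module>", "", False),  # constructed: no image path
    LoadedModule("explorer.exe", "Helper.dll", "", True),  # fileless, but not the IIS worker
]


if __name__ == "__main__":
    for name in find_fileless(SAMPLE_MODULES):
        print(f"w3wp.exe: in-memory-only module {name!r}")
    print(fileless_counts(SAMPLE_MODULES))
```

Legitimate ASP.NET sites do compile pages at runtime, but those assemblies are written to the Temporary ASP.NET Files directory and therefore have a backing path; a module with no path at all inside the worker process is what warrants a closer look.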

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, said operations like this highlight a challenge for defenders. “The abuse and intelligence apparatus operates with a slightly different set of operating priorities than that of the standard detection and response teams operating in the security operations center,” Ford said.
He explained that while traditional response teams aim to remove intruders as quickly as possible, intelligence groups sometimes keep monitoring an attacker to better understand their objectives, tools, and techniques. In certain cases, law enforcement or government partners may also request extended monitoring before action is taken.