
Chinese APT ‘Phantom Taurus’ Targeting Organizations With Net-Star Malware

Focused on espionage, the threat actor shares infrastructure with Chinese APTs, but uses different TTPs in attacks.

A Chinese state-sponsored hacking group tracked as ‘Phantom Taurus’ has been targeting government and telecommunications organizations for espionage for more than two years, Palo Alto Networks reports.

Initially observed in 2023, the APT was only recently linked to Chinese hacking groups through shared infrastructure, as its tactics, techniques and procedures (TTPs) differ from those typically associated with threat actors operating out of China.

“These enable the group to conduct highly covert operations and maintain long-term access to critical targets,” says Palo Alto Networks.

The group, the cybersecurity firm explains, uses shared operational infrastructure exclusive to Chinese APTs, and targets high-value organizations (such as ministries of foreign affairs and embassies), in line with China’s economic and geopolitical interests.

What sets Phantom Taurus apart, however, is the use of a different set of TTPs, some unique to the group, such as its Specter and Net-Star malware families, and the Ntospy malware. Tools typically used by Chinese hackers, such as China Chopper, the Potato suite, and Impacket, are also part of its inventory.

The APT has been observed targeting email servers to exfiltrate messages of interest, as well as directly targeting databases, in attacks against organizations in Africa, the Middle East, and Asia.

In 2025, the group started using Net-Star, a .NET malware suite targeting IIS web servers, which consists of three web-based backdoors: IIServerCore (a fileless backdoor) and two AssemblyExecuter variants (.NET malware loaders).

The IIServerCore backdoor operates entirely in memory. It can receive and execute payloads and arguments, and can send the result to the command-and-control (C&C) server.

It supports built-in commands to perform file system operations, access databases, execute arbitrary code, manage web shells, evade and bypass security solutions, load payloads directly in memory, and encrypt communication with the C&C.

The first malware loader, AssemblyExecuter V1, can execute other .NET assemblies in memory, allowing the attackers to dynamically load and execute additional code post-compromise.

AssemblyExecuter V2 has the same core purpose, but features enhanced evasion capabilities, with dedicated methods for bypassing the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) security mechanisms.

“We observed that the group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries. The timing and scope of the group’s operations frequently coincide with major global events and regional security affairs,” Palo Alto Networks says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
