China-linked advanced persistent threat (APT) group Phantom Taurus has intensified espionage operations against government and telecommunications targets across Africa, the Middle East, and Asia, deploying a newly discovered .NET malware suite called NET-STAR.
First tracked by Unit 42 in June 2023 as the activity cluster CL-STA-0043 and given the temporary group designation TGR-STA-0043 (Operation Diplomatic Specter) in May 2024, the group has now been formally promoted to a distinct threat actor aligned with People’s Republic of China (PRC) state interests.
Over the past two and a half years, Phantom Taurus campaigns have consistently targeted ministries of foreign affairs, embassies, and entities involved in geopolitical events and military operations.
The actor’s victimology aligns with PRC strategic priorities, focusing on diplomatic communications, defense-related intelligence, and critical government functions in regions where China seeks influence and insight.
Distinctive Tactics, Techniques, and Procedures
While many Chinese APTs employ common tools such as China Chopper and the Potato suite, Phantom Taurus distinguishes itself through unique, custom-developed TTPs that enable highly covert, persistent operations.

After sustained telemetry collection and intelligence analysis, Unit 42 confirmed that Phantom Taurus shares some infrastructure with Iron Taurus (APT27), Starchy Taurus (Winnti), and Stately Taurus (Mustang Panda) but uses exclusive components not observed in other campaigns. This compartmentalization underscores a specialized operational segment within the broader Chinese nexus.
Unit 42’s attribution framework guided the evolution of CL-STA-0043 from a loosely defined activity cluster to the formally recognized APT group Phantom Taurus.
Through progressive classification—initial cluster observation in June 2023, temporary group designation in May 2024, and full attribution in 2025—researchers linked the actor’s persistent espionage campaigns, infrastructure overlaps, and rare toolsets to PRC objectives.
MSSQ.BAT and Database Exfiltration
In early 2025, Phantom Taurus shifted from an email-centric compromise approach to direct database targeting.
Using a custom batch script, mssq.bat, the group connects to SQL Server instances with stolen credentials, runs operator-supplied queries, and writes the results to CSV files for collection.
The script is launched remotely through Windows Management Instrumentation (WMI), so the queries run from a host the actor already controls inside the victim network. Because it is a batch file, the script itself has to exist on disk on that host, which leaves defenders both a file artifact and a WMI-spawned process chain to hunt for.
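The process chain described above is something a defender can hunt for directly. The following is an added example, not code from Unit 42 or from the mssq.bat script itself: it runs over constructed Sysmon-style process-creation records and flags a SQL client that writes CSV output while sitting under a cmd.exe running a .bat whose ancestry reaches WmiPrvSE.exe. The article does not reproduce the script's real command line, so the sqlcmd flags in the sample data are an assumption about what such a script would run.

```python
"""Hunt for the WMI -> cmd.exe -> .bat -> SQL client -> CSV chain.

Added example; not code from Unit 42 or from the mssq.bat script itself.
It runs over constructed Sysmon-style process-creation records. The real
script's command line is not reproduced in the article, so the sqlcmd
flags in the sample data are an assumption about what such a script runs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon EventID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # Suspicious chain: WMI provider host spawns cmd.exe running a .bat,
    # which runs sqlcmd with a password on the command line and CSV output.
    ProcEvent(400, 4, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              "WmiPrvSE.exe -secured -Embedding"),
    ProcEvent(1200, 400, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Windows\Temp\mssq.bat"),
    ProcEvent(1210, 1200, r"C:\Tools\SQLCMD.EXE",
              r'sqlcmd -S 10.0.0.5 -U sa -P Summer2025 -Q "SELECT sender,subject,body FROM mail.dbo.messages" -s , -o C:\Windows\Temp\res.csv'),
    # Benign chain: an admin runs a backup batch from an interactive shell.
    ProcEvent(2000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Scripts\nightly_backup.bat"),
    ProcEvent(2110, 2100, r"C:\Tools\SQLCMD.EXE",
              r"sqlcmd -S localhost -E -i C:\Scripts\backup.sql"),
]

SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}
BAT_RE = re.compile(r"\.bat\b", re.IGNORECASE)
CSV_OUT_RE = re.compile(r"(?:-o|queryout)\s+\S+\.csv\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"(?:^|\s)-P\s+\S+")   # password passed on the command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=6):
    """Walk parent links upward; returns [event, parent, grandparent, ...]."""
    chain = [event]
    while len(chain) <= max_depth:
        parent = by_pid.get(chain[-1].ppid)
        if parent is None or parent in chain:
            break
        chain.append(parent)
    return chain


def find_wmi_sql_exfil(events):
    """Return alerts for SQL clients writing CSV under a WMI-launched batch file."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in SQL_CLIENTS:
            continue
        if not CSV_OUT_RE.search(ev.cmdline):
            continue
        chain = ancestry(ev, by_pid)
        launched_by_bat = any(basename(p.image) == "cmd.exe" and BAT_RE.search(p.cmdline)
                              for p in chain[1:])
        rooted_in_wmi = any(basename(p.image) == "wmiprvse.exe" for p in chain[1:])
        if launched_by_bat and rooted_in_wmi:
            alerts.append({
                "pid": ev.pid,
                "chain": " <- ".join(basename(p.image) for p in chain),
                "cleartext_password": bool(PASSWORD_RE.search(ev.cmdline)),
                "cmdline": ev.cmdline,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_wmi_sql_exfil(SAMPLE_EVENTS):
        print(alert)
```

The benign backup chain is deliberately included: a .bat that runs sqlcmd is normal on a database host, and the rule only fires when the chain is rooted in WmiPrvSE.exe and the client writes CSV. The `cleartext_password` flag is worth surfacing on its own, since credentials on a command line end up in process-creation logs that the actor may not have cleared.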
NET-STAR: A .NET Malware Suite
The central finding of the investigation was NET-STAR, a previously undocumented malware suite built to compromise Internet Information Services (IIS) web servers.
Named for “STAR” strings embedded in the malware’s PDB paths, NET-STAR comprises three .NET-based components:

- IIServerCore: A modular, fileless backdoor that executes in memory within the w3wp.exe IIS worker process. Delivered via an ASPX web shell (OutlookEN.aspx), it decrypts commands, loads payloads, and communicates over an encrypted command-and-control channel.
- AssemblyExecuter V1: A loader that accepts .NET assemblies as input and executes them in memory, so the payload never touches disk and leaves little for file-based antivirus to scan.
- AssemblyExecuter V2: An advanced variant that embeds bypass routines for the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), allowing stealthy operation in heavily monitored environments.
Phantom Taurus timestomps its web shells and backdoor components, rewriting their file-system timestamps, and also gives the binaries misleading compilation timestamps, so that neither file metadata nor PE headers offer an analyst a reliable timeline.

IIServerCore also exposes a changeLastModified command, letting the operator rewrite a file's last-modified time on demand so that a freshly dropped file does not stand out from the legitimate pages around it.
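Timestomping of this kind leaves detectable inconsistencies. The following is an added example, not code from the report: it applies three checks forensic examiners use against timestomped files (NTFS $STANDARD_INFORMATION times earlier than $FILE_NAME times, whole-second timestamps with no sub-second component, and a PE compile time later than the file's creation time) to constructed file records and a constructed PE header stub. Python's datetime keeps microseconds rather than NTFS's 100 ns ticks, which is enough for the zero-fraction test.

```python
"""Timestomping indicators from NTFS timestamps and PE headers.

Added example; not code from the report. It applies three checks that
forensic examiners use against timestomped files:
  1. $STANDARD_INFORMATION (SI) times earlier than $FILE_NAME (FN) times.
     SetFileTime-style timestomping rewrites SI but normally leaves FN alone.
  2. SI timestamps with a zero sub-second component. Real NTFS timestamps
     carry 100 ns ticks; many timestomping tools write whole seconds.
  3. A PE TimeDateStamp later than the file's creation time, which cannot
     happen for a binary that was compiled before it was copied to disk.
File records and the PE stub are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def build_stub_pe(timestamp: int) -> bytes:
    """Construct an MZ header plus COFF header carrying the given TimeDateStamp.

    Not a loadable binary; just enough structure for pe_timestamp() to parse.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)                # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since 1970, UTC) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


@dataclass
class FileRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime
    image: Optional[bytes] = None   # raw PE bytes, if the file is a binary


def timestomp_indicators(rec: FileRecord) -> list:
    """Return human-readable reasons the record looks timestomped (empty if clean)."""
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("SI created earlier than FN created")
    if rec.si_modified < rec.fn_modified:
        reasons.append("SI modified earlier than FN modified")
    for label, t in (("created", rec.si_created), ("modified", rec.si_modified)):
        if t.microsecond == 0:
            reasons.append(f"SI {label} has a zero sub-second component")
    if rec.image is not None:
        compiled = pe_timestamp(rec.image)
        if compiled > rec.si_created:
            reasons.append("PE compile time is later than SI created")
    return reasons


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample records (not from any real incident).
SAMPLE_RECORDS = [
    # Backdoor DLL whose SI times were backdated to 2023 with whole-second
    # values; FN still shows the real drop time and the PE was built in 2025.
    FileRecord(r"C:\inetpub\wwwroot\bin\Core.dll",
               si_created=utc(2023, 1, 15, 10, 0, 0), si_modified=utc(2023, 1, 15, 10, 0, 0),
               fn_created=utc(2025, 3, 2, 14, 22, 31, 123456), fn_modified=utc(2025, 3, 2, 14, 22, 31, 123456),
               image=build_stub_pe(int(utc(2025, 2, 28, 12).timestamp()))),
    # Legitimate DLL: SI and FN agree, fractional seconds present, built before deployment.
    FileRecord(r"C:\inetpub\wwwroot\bin\App.dll",
               si_created=utc(2024, 6, 1, 9, 12, 3, 456789), si_modified=utc(2024, 6, 1, 9, 12, 3, 456789),
               fn_created=utc(2024, 6, 1, 9, 12, 3, 456789), fn_modified=utc(2024, 6, 1, 9, 12, 3, 456789),
               image=build_stub_pe(int(utc(2024, 5, 20, 8).timestamp()))),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.path, timestomp_indicators(rec) or ["no indicators"])
```

The $FILE_NAME comparison is the strongest of the three because the Win32 API exposes no direct way to set $FILE_NAME times; an actor with a changeLastModified-style command only touches $STANDARD_INFORMATION. The PE check is weaker against an actor who also rewrites the compile timestamp, as the text says this one does, which is why the checks are combined rather than relied on individually.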
Implications and Recommendations
Palo Alto Networks customers can leverage the following protections: Advanced WildFire, Advanced Threat Prevention, Cortex XDR, and XSIAM.
NET-STAR’s introduction marks a significant escalation in Chinese APT capabilities against internet-facing servers. Organizations operating IIS web services—and ministries, embassies, and telecommunications providers in high-interest regions—should:
- Monitor IIS worker processes (w3wp.exe) for in-memory .NET assembly loads and unexpected child processes, and alert on ASPX files that are created or modified outside normal deployment windows.
- Enforce least-privilege SQL accounts and rotate administrative credentials to thwart database exfiltration scripts like mssq.bat.
- Deploy Endpoint Detection and Response (EDR) solutions that inspect in-memory .NET execution and detect AMSI/ETW bypass attempts.
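One low-cost complement to endpoint monitoring is the IIS access log, because a web shell such as the OutlookEN.aspx dropper described above is driven by the operator's client rather than by browser navigation. The following is an added example, not code from the report or from Palo Alto Networks: it parses constructed IIS W3C-format log lines and flags .aspx resources that receive POST requests but are absent from the site's deployment inventory, or whose traffic comes from very few clients with no Referer. The OutlookEN.aspx name comes from the text; the other paths, client addresses and the inventory are made up.

```python
"""Find web-shell traffic in IIS W3C-format logs.

Added example; not code from the report or from Palo Alto Networks. It
parses constructed IIS log lines and flags .aspx resources that receive
POST requests but are not in the site's deployment inventory, or whose
traffic comes from very few clients with no Referer. OutlookEN.aspx is
the web-shell name given in the text; the other paths, IPs and the
inventory are made up.
"""
from collections import defaultdict

# Constructed log excerpt in IIS W3C format (spaces inside fields are '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-03-02 14:25:01 10.0.0.8 GET /owa/auth/logon.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-03-02 14:25:03 10.0.0.8 POST /owa/auth/logon.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.gov/owa/auth/logon.aspx 302 0 0 40
2025-03-02 14:26:10 10.0.0.8 POST /owa/auth/logon.aspx - 443 - 198.51.100.11 Mozilla/5.0+(Macintosh) https://mail.example.gov/owa/auth/logon.aspx 302 0 0 38
2025-03-02 14:30:44 10.0.0.8 POST /owa/auth/OutlookEN.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 1203
2025-03-02 14:31:02 10.0.0.8 POST /owa/auth/OutlookEN.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 890
2025-03-02 14:33:15 10.0.0.8 POST /owa/auth/OutlookEN.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 2210
"""

# Assumed inventory of ASPX pages the site legitimately serves.
DEPLOYED_ASPX = {"/owa/auth/logon.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue          # malformed line or no header yet: skip rather than guess
        yield dict(zip(fields, values))


def suspicious_aspx(text, deployed=DEPLOYED_ASPX, max_clients=2):
    """Return {uri-stem: [reasons]} for .aspx resources that look shell-like."""
    stats = defaultdict(lambda: {"posts": 0, "total": 0, "clients": set(), "no_referer": 0})
    for req in parse_w3c(text):
        stem = req["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        s = stats[stem]
        s["total"] += 1
        s["posts"] += req["cs-method"] == "POST"
        s["clients"].add(req["c-ip"])
        s["no_referer"] += req["cs(Referer)"] == "-"
    known = {d.lower() for d in deployed}
    findings = {}
    for stem, s in stats.items():
        reasons = []
        if s["posts"] and stem not in known:
            reasons.append("POST to ASPX not in deployment inventory")
        if s["posts"] and len(s["clients"]) <= max_clients and s["no_referer"] == s["total"]:
            reasons.append("all requests lack a Referer and come from few clients")
        if reasons:
            findings[stem] = reasons
    return findings


if __name__ == "__main__":
    for stem, reasons in suspicious_aspx(SAMPLE_LOG).items():
        print(stem, reasons)
```

The inventory check is the one that catches a freshly dropped shell even before it is used heavily; the Referer and client-count check is the fallback for shells planted under a name that happens to match a real page. Both rely on an accurate list of deployed pages, so the list should come from the deployment pipeline rather than from a directory listing taken on a possibly compromised server.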