
Phantom Taurus: China's Surgical New APT Targeting Governments and Embassies Worldwide

Executive Summary

A Chinese state-aligned advanced persistent threat group designated Phantom Taurus has been conducting long-term cyber espionage operations against government ministries, embassies, military organisations, and telecommunications providers across Africa, the Middle East, and Asia. Documented across a two-and-a-half-year observation window by Palo Alto Networks’ Unit 42 threat intelligence team, the group is characterised by surgical precision, exceptional operational security, and a custom malware suite — NET-STAR — that exploits Microsoft Internet Information Services (IIS) environments to achieve fileless, in-memory persistence.

Phantom Taurus distinguishes itself from other actors in the crowded Chinese APT ecosystem through techniques that are, in Unit 42’s assessment, sufficiently rare that only a handful of nation-state actors use comparable methods. The group’s primary objective is intelligence collection aligned directly with the People’s Republic of China’s strategic interests: diplomatic communications, defence-related information, and the internal workings of foreign ministries at key geopolitical junctures.

Defenders at foreign affairs ministries, embassies, and organisations involved in Belt and Road Initiative negotiations, regional security affairs, or diplomatic coordination with PRC counterparts should treat this actor as a credible and persistent threat.


Threat Actor Profile

Phantom Taurus sits firmly within what researchers call the Chinese APT nexus — a constellation of state-aligned groups sharing operational infrastructure, tooling, and tasking priorities. Unit 42 identified overlaps with the operational infrastructure of Iron Taurus (APT27), Starchy Taurus (Winnti/APT41), and Stately Taurus (Mustang Panda), confirming that Phantom Taurus operates from the same pool of Chinese government-directed cyber actors but represents a distinct operational cluster with its own custom capability set.

The group has been active since at least mid-2022, with Unit 42 tracking a continuous operational tempo across the observation period. Targets span government entities and telecommunications organisations primarily in:

  • Sub-Saharan and North Africa — foreign ministries, embassies, and diplomatic missions
  • Middle East — ministries of foreign affairs, military-affiliated organisations
  • South and Southeast Asia — telecoms providers, government agencies involved in regional security

The timing and scope of Phantom Taurus operations frequently coincide with major global events and regional security affairs — a hallmark of intelligence-driven targeting rather than opportunistic compromise. When a senior diplomatic summit is imminent, Phantom Taurus is likely to be inside the relevant ministry’s email infrastructure already.

Attribution to China rests on several pillars: shared infrastructure with known PRC-nexus actors, the use of tools exclusively observed in Chinese APT operations, targeting patterns consistent with PRC collection priorities, and behavioural indicators that align with Chinese government working hours.


TTPs and Tradecraft

Phantom Taurus demonstrates a disciplined multi-stage intrusion methodology that prioritises stealth and long-term access over speed. The following describes its documented kill chain.

Initial Access: Exploiting Internet-Facing IIS Servers

The group’s preferred initial access vector is the exploitation of internet-facing vulnerabilities in Microsoft Internet Information Services (IIS) web servers. By targeting the web server layer rather than phishing individual users, Phantom Taurus bypasses email security controls and gains a foothold directly within server infrastructure. This is a deliberate choice: IIS-based footholds provide a stable, high-privilege entry point that is often poorly monitored relative to endpoint environments.

Once initial access is achieved, the group deploys the NET-STAR malware suite — a family of three web-based backdoors purpose-built for IIS environments.

The NET-STAR Malware Suite

NET-STAR consists of three distinct components, each serving a specific role:

IIServerCore is a fileless, modular backdoor that executes entirely in memory, leaving minimal forensic artefacts on disk. It supports in-memory execution of command-line arguments, arbitrary operating system commands, and additional payloads dropped by operators. The decision to operate entirely in memory is a sophisticated anti-forensics choice that defeats most file-based detection mechanisms.

AssemblyExecuter V1 extends IIServerCore functionality, loading and executing additional .NET payloads entirely within memory. This enables operators to expand the capability footprint of a compromised system post-initial access without writing executables to disk.

AssemblyExecuter V2 is an enhanced iteration introducing bypass mechanisms for two critical Windows defensive capabilities: the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). AMSI bypass prevents Windows Defender and compatible antivirus products from inspecting memory-resident scripts and payloads; ETW bypass blinds security monitoring tools that rely on kernel-level event tracing for behaviour detection. The 2025 update of V2 refined these bypass techniques, suggesting an active development programme responding to improved defender coverage.

Lateral Movement: WMI and Net Crawler

Once established on an IIS server, Phantom Taurus uses Windows Management Instrumentation (WMI) for remote code execution and lateral movement — a technique that abuses legitimate Windows infrastructure and generates minimal distinctive artefacts compared to offensive tooling. WMI-based execution allows the group to move laterally to adjacent systems without generating the distinctive network connections or process lineage that security tools readily flag.

A custom tool designated Net Crawler provides additional lateral movement and credential harvesting capability. Net Crawler functions as a worm-like component performing credential dumping, Server Message Block (SMB) brute force against adjacent systems, and lateral movement via PsExec — the legitimate system administration utility commonly repurposed by threat actors.

Supporting Toolset

Beyond NET-STAR, Phantom Taurus deploys a broader arsenal including:

  • China Chopper web shell — a widely used, compact web shell for persistent server access
  • Specter malware family — custom implants for post-compromise operations
  • Ntospy — a credential-harvesting tool targeting Windows authentication
  • Potato suite — privilege escalation tools used within Windows environments

The combination of off-the-shelf tools (China Chopper, Potato) with bespoke custom malware (NET-STAR, Specter) represents a mature operational approach: use known tooling where detection risk is acceptable, but employ custom capability at the most sensitive stages of intrusion.


Targeting and Victim Sectors

Phantom Taurus shows a disciplined focus on high-value intelligence targets rather than broad opportunistic compromise. The group’s documented targeting priorities include:

Ministries of Foreign Affairs — the highest-value target category, providing access to diplomatic cable traffic, negotiating positions, personnel information, and bilateral relationship intelligence.

Embassies and Diplomatic Missions — satellite offices that often have weaker security postures than parent ministries while still handling sensitive diplomatic communications. Embassy compromise can provide intelligence on both the host country and the represented nation.

Military-Affiliated Organisations — entities involved in defence procurement, joint exercises, or military-to-military relationships, consistent with PRC defence intelligence collection priorities.

Telecommunications Providers — telecom compromise provides persistent, passive access to communications metadata and sometimes content, complementing the intelligence gathered from government ministries.

The geographic focus on Africa, the Middle East, and Asia reflects China’s strategic priorities in these regions: Belt and Road Initiative negotiations, energy security relationships, and the monitoring of US and Western diplomatic activity in regions contested for influence.


Historical Incidents and Impact

Unit 42’s research documents Phantom Taurus activity spanning approximately two and a half years from mid-2022 through the time of disclosure in late 2025. The sustained operational tempo across this period without public attribution indicates a high degree of operational security — the group was effective at maintaining access without triggering detections that would prompt incident response.

Specific incidents highlighted in Unit 42’s research include:

Sustained government ministry access — multiple African and Middle Eastern foreign ministries were compromised for extended periods, with Phantom Taurus maintaining persistent footholds that allowed ongoing intelligence collection through diplomatic cycles and sensitive negotiations.

Embassy infrastructure targeting — diplomatic missions in multiple regions were compromised, with the IIS-based entry point allowing access to web-facing embassy systems that often feed into broader government infrastructure.

Telecom provider intrusions — telecommunications organisations in target regions were compromised, consistent with the group’s interest in communications intelligence to supplement its ministry-level access.

The long dwell time observed across these incidents — months rather than days — reflects a classic espionage mandate: remain undetected, collect continuously, and avoid any action that would alert the target or trigger a diplomatic incident.


Defensive Implications

Phantom Taurus presents a sophisticated and patient adversary whose techniques are specifically designed to defeat common defensive controls. Organisations in the targeted sectors should consider the following mitigations.

IIS Security Hardening is the immediate priority given the group’s preference for IIS-based initial access. This includes removing unnecessary IIS modules and features, implementing web application firewall (WAF) rules, ensuring patch management for IIS and the underlying Windows Server stack, and conducting regular review of IIS logs for unusual requests or web shell indicators.
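One way to automate the IIS log review recommended above, as an added example that is not from Unit 42's report or from any vendor tool: a small Python triage pass over a constructed W3C log that flags requests to server-side scripts the application is not known to serve, and POST bursts against them (the pattern a web shell operator produces). The allowlist, the burst threshold and the sample log lines are assumptions for illustration.

```python
"""Triage IIS W3C logs for web shell indicators (added example over constructed data)."""
from collections import Counter

# Constructed IIS W3C extended log (not real data). IIS writes spaces inside values as '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-09-30 02:14:07 10.0.0.5 GET /index.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-09-30 02:14:09 10.0.0.5 POST /login.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302
2025-09-30 02:15:41 10.0.0.5 POST /uploads/img.aspx - 198.51.100.23 - 200
2025-09-30 02:15:42 10.0.0.5 POST /uploads/img.aspx - 198.51.100.23 - 200
2025-09-30 02:15:44 10.0.0.5 POST /uploads/img.aspx - 198.51.100.23 - 200
2025-09-30 02:16:10 10.0.0.5 GET /aspnet_client/x.ashx - 198.51.100.23 - 200
"""

# Hypothetical allowlist: script endpoints the deployed application is known to serve.
KNOWN_SCRIPTS = {"/index.aspx", "/login.aspx"}
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")
POST_BURST = 3  # repeated POSTs from one client to one unlisted script

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields directive,
    so the parser follows whatever logging fields the server has enabled."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text, known_scripts=KNOWN_SCRIPTS):
    """Return (reason, client_ip, uri_stem, count) tuples for requests that hit
    server-side scripts outside the allowlist, and for POST bursts against them."""
    hits, posts = Counter(), Counter()
    for row in parse_w3c(text):
        stem, ip = row["cs-uri-stem"], row["c-ip"]
        if not stem.lower().endswith(SCRIPT_EXT) or stem in known_scripts:
            continue  # static content or a known application endpoint
        hits[(ip, stem)] += 1
        if row["cs-method"] == "POST":
            posts[(ip, stem)] += 1
    findings = [("script outside allowlist", ip, stem, n)
                for (ip, stem), n in hits.items()]
    findings += [("repeated POSTs to unlisted script", ip, stem, n)
                 for (ip, stem), n in posts.items() if n >= POST_BURST]
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(*f)
```

In production the allowlist would be generated from the deployed site's content, and a script path that appears in the log before it appears in that inventory is the strongest signal, since it points at a file written to the web root outside the deployment process.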

Memory-Based Detection Capability is essential to counter NET-STAR’s fileless architecture. Endpoint detection and response (EDR) solutions with memory scanning and behaviour-based detection should be deployed on all server infrastructure — not just workstations. File-based antivirus alone will not detect IIServerCore or AssemblyExecuter.

AMSI and ETW Monitoring — the fact that Phantom Taurus specifically developed AMSI and ETW bypass capabilities in AssemblyExecuter V2 indicates these controls were successfully blocking earlier versions. Ensure AMSI is enabled and operational across the environment, and implement monitoring for common AMSI bypass techniques.

WMI Abuse Detection — implement Sysmon or equivalent endpoint telemetry to capture WMI command execution, particularly remote WMI calls from unexpected source systems. Lateral movement via WMI is difficult to prevent outright but is detectable with proper logging.
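The detection logic that the Sysmon recommendation above implies, as an added example over constructed records (not Unit 42's or Sysmon's code): processes whose parent is the WMI provider host, WmiPrvSE.exe, are what WMI-initiated execution looks like on the receiving system, and correlating them with a preceding inbound connection to the RPC endpoint mapper on TCP/135 attributes the execution to the calling host. The hostnames, addresses, timestamps and the correlation window are assumptions.

```python
"""Flag WMI-spawned shells in Sysmon telemetry and attribute them to the remote
caller. Added example over constructed records; not Unit 42's or Sysmon's code."""
from datetime import datetime, timedelta

WMI_HOST = "\\wbem\\wmiprvse.exe"  # WMI provider host: parent of WMI-launched processes
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
          "\\cscript.exe", "\\mshta.exe", "\\rundll32.exe")

# Constructed Sysmon events (EventID 1 = process create, 3 = network connection),
# flattened as a log forwarder might emit them; field names follow Sysmon's schema.
SAMPLE = [
    {"EventID": 3, "Computer": "FS01", "UtcTime": "2025-09-30 02:20:01",
     "Initiated": "false", "SourceIp": "10.0.0.5", "DestinationPort": 135},
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2025-09-30 02:20:03",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c hostname",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "CORP\\svc_iis"},
    {"EventID": 1, "Computer": "WS07", "UtcTime": "2025-09-30 02:25:10",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"},
    {"EventID": 1, "Computer": "WEB01", "UtcTime": "2025-09-30 02:31:00",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command hostname",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "Computer": "WEB01", "UtcTime": "2025-09-30 02:40:00",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")

def wmi_spawned_shells(events, window=timedelta(seconds=30)):
    """Return one finding per shell/script host whose parent is WmiPrvSE.exe.
    remote_callers lists hosts that opened an inbound TCP/135 connection to the
    same computer within `window` before the process started; an empty list means
    WMI execution with no visible remote caller (e.g. a local WMI subscription)."""
    inbound = [e for e in events if e["EventID"] == 3
               and e["Initiated"] == "false" and e["DestinationPort"] == 135]
    findings = []
    for e in events:
        if e["EventID"] != 1 or not e["ParentImage"].lower().endswith(WMI_HOST):
            continue
        if not e["Image"].lower().endswith(SHELLS):
            continue  # other WmiPrvSE children are common and need their own baseline
        t = _ts(e)
        callers = {c["SourceIp"] for c in inbound
                   if c["Computer"] == e["Computer"] and timedelta(0) <= t - _ts(c) <= window}
        findings.append({"host": e["Computer"], "user": e["User"],
                         "cmd": e["CommandLine"], "remote_callers": sorted(callers)})
    return findings
```

The FS01 finding is the lateral-movement case the text describes (a web server address calling into an internal host), while the WEB01 finding with no caller is worth separate attention because it shows WMI being used on the foothold itself.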

Threat Intelligence Integration — share Phantom Taurus indicators of compromise (IoCs) through sector-specific ISACs, particularly for foreign affairs ministries and diplomatic mission operators. The group’s shared infrastructure with APT27, APT41, and Mustang Panda means indicators attributed to those actors may overlap.

Diplomatic and Government Sector Awareness — personnel involved in sensitive diplomatic negotiations, particularly with or about China’s interests in Africa, the Middle East, and Asia, should be treated as elevated-risk individuals warranting enhanced security monitoring and regular security awareness reinforcement.

Phantom Taurus represents the continued evolution of Chinese state-sponsored cyber espionage: technically sophisticated, operationally patient, and precisely aligned with strategic intelligence collection requirements. Its emergence as a distinct actor — rather than an evolution of known groups — signals continued investment by the PRC in diversified cyber capability development.