Nation-State · critical · China (PRC)

Phantom Taurus

Chinese state-aligned APT · Espionage / diplomatic intelligence collection

Reports: 1
Active Since: 2023
Last Reported: 22 May 2026
Sectors Targeted: communications, critical-infrastructure

Tactics, Techniques & Procedures (TTPs)

  • NET-STAR fileless malware suite — deployed via IIS ISAPI filter abuse, no files written to disk
  • In-memory execution with persistence surviving IIS restarts without on-disk artefacts
  • Targeting of foreign ministry intranet portals and embassy web infrastructure
  • Infrastructure overlaps with APT27, Winnti, and Mustang Panda
  • Exceptional operational security — minimal forensic footprint across multi-year campaigns
  • Custom loader with anti-analysis and environment fingerprinting capabilities

Known Targets

  • Ministries of foreign affairs (Africa, Middle East, Asia)
  • Embassies and diplomatic missions
  • Telecommunications providers
  • Military organisations and defence ministries

Analyst Notes

Disclosed by Palo Alto Networks Unit 42 in September 2025. Phantom Taurus is distinguished by the NET-STAR fileless malware suite, which exploits IIS ISAPI filters for in-memory persistence — a technique rarely seen outside the most sophisticated nation-state operations. Infrastructure overlaps with APT27, Winnti, and Mustang Panda suggest relationships within the Chinese contractor ecosystem, though Phantom Taurus is treated as a distinct intrusion cluster. Targeting is tightly focused on diplomatic intelligence of direct value to PRC foreign policy objectives.

Also Known As

NET-STAR cluster