China 🇨🇳 (CN) · 14 malware families · Exploits CVEs in the wild

Phantom Taurus

Also known as: phantom_taurus

Phantom Taurus is a previously undocumented China-aligned nation-state espionage actor, assessed to operate in support of PRC state interests, identified by Palo Alto Networks Unit 42. Unit 42 reported that the group has operated for roughly two and a half years, targeting government and telecommunications organizations across Africa, the Middle East, and Asia. Reported targets include ministries of foreign affairs, embassies, diplomats, and entities connected to geopolitical events, military operations, diplomatic communications, defense-related intelligence, and critical governmental ministry operations. The group's primary objective is espionage: long-term collection of sensitive, non-public information.

Unit 42 previously tracked this activity as CL-STA-0043, later promoted it to the temporary group TGR-STA-0043 under the campaign name Operation Diplomatic Specter, and then elevated it to the distinct threat group Phantom Taurus. Unit 42 assessed that Phantom Taurus uses a shared Chinese APT operational infrastructure ecosystem also associated with Iron Taurus (APT27), Starchy Taurus (Winnti), and Stately Taurus (Mustang Panda), while also maintaining compartmentalized infrastructure components not observed in other actors' operations.

Observed tooling includes China Chopper, the Potato suite, and Impacket, alongside customized tooling: the Specter malware family, Ntospy, and the NET-STAR malware suite. NET-STAR is a .NET malware suite targeting IIS web servers and comprises three web-based backdoors: IIServerCore, AssemblyExecuter v1, and AssemblyExecuter v2. Reported characteristics include fileless, in-memory execution within w3wp.exe (the IIS worker process), encrypted C2, cookie-based session handling, loading via the OutlookEN.aspx web shell, timestomping, and, in AssemblyExecuter v2, AMSI and ETW bypass capabilities.

Unit 42 reported that Phantom Taurus initially focused on compromising Microsoft Exchange and stealing targeted emails, then in early 2025 shifted toward direct database theft. In that shift, the group used a batch script named mssq.bat, executed remotely via WMI, to authenticate to SQL Server with previously obtained credentials, run operator-supplied queries, and export the results to CSV for exfiltration. Reported searches included information related to Afghanistan and Pakistan. The group is described as stealthy, persistent, and adaptive, with operations often coinciding with major global events and regional security affairs.
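The WMI-launched batch script, the SQL-to-CSV export, and the IIS web shell described above all leave traces in process-creation telemetry. The following is an added example, not code from Mallory or Unit 42, that runs three simple rules over constructed Sysmon-style events; it assumes the batch script invokes sqlcmd with a CSV output file, which the reporting above does not state.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events; none come from a real incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\mssq.bat"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\SQLCMD.EXE",  # assumed tool; the reporting names only mssq.bat
     "cmdline": r'sqlcmd -S db01 -U svc_sql -P <redacted> -Q "SELECT * FROM docs" -s "," -o C:\Windows\Temp\out.csv'},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _base(path):
    """Case-folded file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return one finding per event that matches a rule, tagged with the ATT&CK technique."""
    findings = []
    for ev in events:
        parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]
        # T1047: WMI provider host launching a batch file, as with mssq.bat.
        if parent == "wmiprvse.exe" and re.search(r"\.bat\b", cmd, re.I):
            findings.append({"rule": "wmi_remote_batch", "technique": "T1047", "cmdline": cmd})
        # T1213: sqlcmd writing query results to a CSV file (assumed export path).
        elif image == "sqlcmd.exe" and re.search(r"-o\s+\S+\.csv\b", cmd, re.I):
            findings.append({"rule": "sql_csv_export", "technique": "T1213", "cmdline": cmd})
        # T1505.003: IIS worker process spawning a command shell, typical of web shells.
        elif parent == "w3wp.exe" and image in SHELLS:
            findings.append({"rule": "iis_worker_spawned_shell", "technique": "T1505.003", "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['technique']:10} {f['rule']:26} {f['cmdline']}")
```

The first two rules fire on separate events, so correlating them by host and time window (batch launch from WmiPrvSE.exe followed by a CSV write) gives a far stronger signal than either alone.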

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
  • Telecommunication Services
  • Government & Administration

Where they're from

Attributed origin per open-source reporting.

  • CN

MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic.

5 of 15 tactics covered; 9 techniques listed. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (2 techniques)
  • T1190 Exploit Public-Facing Application
  • T1566 Phishing

TA0002 Execution (3 techniques)
  • T1047 Windows Management Instrumentation
  • T1059 Command and Scripting Interpreter
  • T1106 Native API

TA0003 Persistence (1 technique)
  • T1505 Server Software Component
    • T1505.003 Web Shell (×2)

TA0005 Stealth (1 technique)
  • T1620 Reflective Code Loading

TA0009 Collection (1 technique)
  • T1213 Data from Information Repositories
IOCS

Observables

4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
