NET-STAR
NET-STAR is a previously undocumented .NET malware suite designed to target Microsoft Internet Information Services (IIS) web servers. It has been attributed in reporting to the China-aligned espionage actor Phantom Taurus, which has used it in campaigns against government and telecommunications organizations across Africa, the Middle East, and Asia, with targeting focused on ministries of foreign affairs, embassies, diplomatic communications, defense-related intelligence, and other high-value government operations.
The suite consists of three distinct web-based backdoors: IIServerCore, AssemblyExecuter v1, and AssemblyExecuter v2. IIServerCore is described as a fileless modular backdoor that runs entirely in memory inside the IIS worker process w3wp.exe. It is loaded by an ASPX web shell named OutlookEN.aspx that carries the IIServerCore binary as a compressed, Base64-encoded blob. Reported capabilities include AES-encrypted command-and-control, cookie-based session handling, in-memory loading of Base64-encoded .NET assemblies, arbitrary command and payload execution, file operations, database access including execution of SQL commands, web shell management, and security evasion. AssemblyExecuter v1 and v2 are in-memory .NET loaders that execute arbitrary .NET assemblies via Assembly.Load() without writing them to disk; AssemblyExecuter v2 additionally includes AMSI and ETW bypass capabilities.
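The loader pattern described above (an ASPX page that decodes a Base64 literal, inflates it and passes the result to Assembly.Load()) is something a responder can triage from source alone. The scanner below is an added example and is not code from the NET-STAR reporting or from Phantom Taurus tooling; the marker weights are an assumption, and the sample page it scans is constructed for the test and is not OutlookEN.aspx.

```python
"""Triage scanner for ASPX pages that behave like the IIServerCore loader
described above: a page carrying a Base64 blob that is inflated and handed to
Assembly.Load(). Added example, not code from the NET-STAR reporting; the
marker weights are an assumption and the sample page is constructed (it is
not OutlookEN.aspx)."""
import base64
import gzip
import hashlib
import re
import zlib

# Source-level markers of an in-memory .NET loader and their (assumed) weights.
LOADER_MARKERS = {
    r"Convert\.FromBase64String": 1,
    r"GZipStream|DeflateStream": 1,
    r"Assembly\.Load\s*\(": 3,
    r"\.GetType\s*\(|\.GetMethod\s*\(": 1,
    r"Request\.Cookies|Request\.Headers": 1,  # operator input arrives via cookie/header
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long Base64 literals only


def _inflate(data: bytes) -> bytes:
    """Decompress gzip, zlib or raw deflate; return the input unchanged otherwise."""
    for fn in (gzip.decompress, zlib.decompress, lambda d: zlib.decompress(d, -15)):
        try:
            return fn(data)
        except (OSError, EOFError, zlib.error):
            continue
    return data


def embedded_pe_blobs(source: str) -> list:
    """Base64 runs that decode (after optional inflation) to a PE image."""
    hits = []
    for m in B64_RUN.finditer(source):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid Base64 (e.g. a long hex or hash string)
            continue
        img = _inflate(raw)
        if len(img) >= 0x40 and img[:2] == b"MZ":
            e_lfanew = int.from_bytes(img[0x3C:0x40], "little")
            if img[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                hits.append({"offset": m.start(), "b64_len": len(m.group(0)), "pe_len": len(img)})
    return hits


def score_aspx(source: str) -> dict:
    """Score one ASPX source; an embedded PE plus Assembly.Load() is the strongest signal."""
    markers = [p for p in LOADER_MARKERS if re.search(p, source)]
    score = sum(LOADER_MARKERS[p] for p in markers)
    blobs = embedded_pe_blobs(source)
    if blobs:
        score += 5
    return {"score": score, "markers": markers, "embedded_pe": blobs, "suspicious": score >= 6}


def _fake_pe() -> bytes:
    """Constructed stand-in for an embedded assembly: valid MZ/PE headers, incompressible body."""
    body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))
    return b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + body


_BLOB = base64.b64encode(gzip.compress(_fake_pe(), mtime=0)).decode()

# Constructed sample resembling the loader pattern; not the real web shell.
SAMPLE_ASPX = f"""<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {{
  string k = Request.Cookies["sid"].Value;
  byte[] z = Convert.FromBase64String("{_BLOB}");
  using (var gs = new GZipStream(new MemoryStream(z), CompressionMode.Decompress)) {{
    var ms = new MemoryStream(); gs.CopyTo(ms);
    System.Reflection.Assembly.Load(ms.ToArray()).GetType("Core").GetMethod("Run").Invoke(null, new object[] {{ k }});
  }}
}}
</script>"""

BENIGN_ASPX = '<%@ Page Language="C#" %><html><body>Hello</body></html>'

if __name__ == "__main__":
    print(score_aspx(SAMPLE_ASPX))
    print(score_aspx(BENIGN_ASPX))
```

Run it over every .aspx under the IIS web roots (and under the ASP.NET temporary files directory, where compiled page assemblies end up). The decode step matters more than the keyword matches: legitimate pages rarely carry a Base64 literal that inflates to an MZ/PE image, whereas Assembly.Load() on its own appears in plenty of benign code.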
NET-STAR emphasizes stealth and anti-forensics. Reporting states Phantom Taurus timestomped the OutlookEN.aspx web shell and NET-STAR components and altered compilation times to random future dates. IIServerCore includes a command named changeLastModified, indicating active timestomping capability. The malware is described as difficult to detect because of its memory-resident, fileless design and its use of evasion features intended to impair security monitoring.
Reported high-confidence indicators are the following SHA-256 hashes of NET-STAR components:
ServerCore.dll: eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc
ExecuteAssembly.dll (three variants): 3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4, afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e, b76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038
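The two on-disk checks that follow from the anti-forensics paragraph and the hash list are a SHA-256 lookup against the published indicators and a read of the PE compile timestamp, since the reporting says compilation times were pushed to random future dates. The script below is an added example, not vendor or researcher code; the analysis date and the minimal PE images it builds are constructed for the test, and the hashes are the four quoted above.

```python
"""Triage for NET-STAR components on disk: SHA-256 match against the hashes
quoted above, plus a PE compile-time check for the "random future date"
timestomping the reporting describes. Added example, not vendor code. The PE
images built below are constructed for the test; they are not real samples."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# SHA-256 values from the page, keyed to the component name they were reported with.
NET_STAR_SHA256 = {
    "eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc": "ServerCore.dll",
    "3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4": "ExecuteAssembly.dll",
    "afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e": "ExecuteAssembly.dll",
    "b76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038": "ExecuteAssembly.dll",
}


def ioc_match(data: bytes) -> Optional[str]:
    """Component name if the file's SHA-256 is one of the published indicators."""
    return NET_STAR_SHA256.get(hashlib.sha256(data).hexdigest())


def pe_compile_time(img: bytes) -> Optional[datetime]:
    """IMAGE_FILE_HEADER.TimeDateStamp as UTC, or None if this is not a PE image."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if len(img) < e_lfanew + 12 or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    ts = struct.unpack_from("<I", img, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(img: bytes, now: datetime, grace: timedelta = timedelta(days=1)) -> dict:
    """Combine the hash lookup with the future-compile-time check for one file."""
    findings = []
    name = ioc_match(img)
    if name:
        findings.append(f"SHA-256 matches published NET-STAR indicator ({name})")
    ct = pe_compile_time(img)
    if ct is not None and ct > now + grace:
        findings.append(f"PE compile time {ct:%Y-%m-%d} is in the future: likely timestomped")
    return {"compile_time": ct, "ioc": name, "findings": findings, "suspicious": bool(findings)}


def build_pe(timestamp: int) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with the given TimeDateStamp."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x2102)
    return dos + b"PE\0\0" + coff


NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)  # assumed analysis date
FUTURE_PE = build_pe(int(datetime(2031, 3, 14, tzinfo=timezone.utc).timestamp()))
NORMAL_PE = build_pe(int(datetime(2024, 6, 2, tzinfo=timezone.utc).timestamp()))

if __name__ == "__main__":
    for label, img in (("future", FUTURE_PE), ("normal", NORMAL_PE)):
        print(label, triage(img, NOW))
```

Treat the compile-time finding as corroborating rather than conclusive. Roslyn deterministic builds, the default for SDK-style .NET projects, replace TimeDateStamp with a content hash, so legitimate modern .NET assemblies can also carry nonsensical dates. On the host itself, compare the $STANDARD_INFORMATION timestamps with the $FILE_NAME timestamps in the MFT record for OutlookEN.aspx and the DLLs: common timestomping rewrites only the former, and a mismatch is a stronger signal than the PE header.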
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
"...a never-before-seen bespoke malware suite dubbed NET-STAR. Developed in .NET, the program is designed to target Internet Information Services (IIS) web servers."
Groups observed using it
1 distinct threat actor attributed by public researchers.
Phantom Taurus uses multiple pieces of malware, including the newly identified NET-STAR malware suite, which consists of three distinct web-based backdoors.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
"These backdoors support in-memory execution of command-line arguments, arbitrary commands and payloads..."
"...and the loading and execution of .NET payloads with evasive capabilities designed to avoid detection in more heavily monitored environments..."
Persistence
1 technique
"Phantom Taurus uses multiple pieces of malware, including the newly identified NET-STAR malware suite, which consists of three distinct web-based backdoors."
Stealth
1 technique
"These backdoors support in-memory execution of command-line arguments, arbitrary commands and payloads..."
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Custom-built spyware toolkit used by a Chinese nation-state actor for cyber-espionage against government and high-value targets, enabling stealthy and persistent access.
Referenced as a malware suite associated with a China-nexus APT cluster ('Phantom Taurus').
Malware suite used by the China-linked APT group Phantom Taurus for espionage operations targeting key sectors.
Customized malware/tool suite used by the Phantom Taurus espionage actor.