Particle.news

Palo Alto Networks Identifies 'Phantom Taurus,' China-Aligned Espionage Group Targeting Governments

Researchers describe in-memory IIS backdoors with evasive TTPs that maintained access for nearly two years.

Overview

  • Unit 42 reclassified a long-running intrusion cluster as Phantom Taurus and detailed a bespoke .NET malware suite called NET-STAR.
  • The group has focused on foreign ministries, embassies, diplomats, telecoms, and military-related systems in Africa, the Middle East, and Asia.
  • Intrusions often began with the exploitation of unpatched Exchange and IIS servers, including the ProxyLogon and ProxyShell vulnerabilities, to reach sensitive communications.
  • Operations evolved from email harvesting to direct theft of SQL Server data via WMI-executed batch scripts that export query results, with searches aimed at material concerning specific countries such as Afghanistan and Pakistan.
  • Investigators report almost 10 victims to date and continued activity in recent months, with infrastructure overlaps with APT27/Iron Taurus, APT41/Winnti, and Mustang Panda. The group also uses unique tooling such as IIServerCore and AssemblyExecuter, which include AMSI/ETW bypass and timestomping capabilities.
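The WMI-to-batch-script-to-SQL-export chain described in the bullets above is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from Unit 42, Palo Alto Networks or this page: it runs a small detector over constructed Sysmon-style process records (the PIDs, paths and command lines are made up for illustration) and flags a SQL Server export tool whose process ancestry leads back through a batch script to WmiPrvSE.exe, the host process under which WMI-created processes (Win32_Process.Create) appear.

```python
"""Detection sketch: WMI-launched batch scripts that export SQL Server data.

Added example, not from the Unit 42 report. Input records are constructed
Sysmon-style process-creation events, not real telemetry.
"""
import re

# Host process for processes created remotely through WMI.
WMI_HOST = "wmiprvse.exe"
# SQL Server command-line tools commonly used to write query results to disk.
SQL_EXPORT_TOOLS = ("sqlcmd.exe", "bcp.exe", "osql.exe")
# Output-file switches or shell redirection (sqlcmd -o, bcp out/queryout, >).
OUTPUT_PATTERN = re.compile(r"(\s-o\s*\S+|>\s*\S+|\s(out|queryout)\s)", re.IGNORECASE)
BATCH_SCRIPT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_wmi_sql_exports(events):
    """Return findings for the WmiPrvSE.exe -> cmd.exe <script>.bat -> sqlcmd/bcp chain.

    Each event is a dict with keys pid, ppid, image, cmdline. A finding needs
    (a) an export tool whose command line writes results to a file, and
    (b) an ancestor cmd.exe running a .bat/.cmd script whose own parent is WmiPrvSE.exe.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) not in SQL_EXPORT_TOOLS:
            continue
        if not OUTPUT_PATTERN.search(e["cmdline"]):
            continue
        # Walk up the ancestry (bounded) looking for a WMI-spawned batch host.
        cur = by_pid.get(e["ppid"])
        depth = 0
        while cur is not None and depth < 5:
            parent = by_pid.get(cur["ppid"])
            is_batch_host = _basename(cur["image"]) == "cmd.exe" and bool(BATCH_SCRIPT.search(cur["cmdline"]))
            if is_batch_host and parent is not None and _basename(parent["image"]) == WMI_HOST:
                findings.append({
                    "wmi_pid": parent["pid"],
                    "script_cmdline": cur["cmdline"],
                    "export_pid": e["pid"],
                    "export_cmdline": e["cmdline"],
                })
                break
            cur = parent
            depth += 1
    return findings


# Constructed sample events (hypothetical PIDs, paths and command lines).
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe -secured -Embedding"},
    # Suspicious chain: WMI-created cmd.exe runs a batch file that exports a table.
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\export.bat"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Tools\sqlcmd.exe",
     "cmdline": r'sqlcmd.exe -S localhost -Q "SELECT * FROM Messages" -o C:\Windows\Temp\out.txt'},
    # Benign: a DBA exporting from an interactive shell under explorer.exe.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Tools\sqlcmd.exe",
     "cmdline": r'sqlcmd.exe -S localhost -Q "SELECT 1" -o C:\reports\check.txt'},
    # Benign: WMI-created cmd.exe that only runs a diagnostic command.
    {"pid": 1400, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for f in find_wmi_sql_exports(SAMPLE_EVENTS):
        print(f"WMI batch SQL export: wmi_pid={f['wmi_pid']} export_pid={f['export_pid']} "
              f"script={f['script_cmdline']!r}")
```

The ancestry walk is bounded so that a deliberately deep process tree cannot turn the check into an unbounded loop, and the benign records show the two exclusions that matter in practice: an export launched from an interactive shell, and a WMI-created shell that runs no export tool. In a real deployment the same logic maps onto Sysmon Event ID 1 (ParentImage, Image, CommandLine) or Windows Security event 4688 with command-line auditing enabled.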