Particle.news

Unit 42 Names 'Phantom Taurus,' China-Aligned Spy Group Targeting Governments Across Africa, the Middle East and Asia

Researchers say the covert intrusions support Chinese strategic intelligence goals using bespoke .NET malware on internet-facing servers.

Overview

  • Unit 42 elevated a long-tracked activity cluster to a distinct group, Phantom Taurus, reporting on recent operations against almost 10 victims of geopolitical importance across three regions.
  • The group deploys a custom .NET toolkit called NET-STAR on IIS servers, including the fileless IIServerCore backdoor and AssemblyExecuter V1/V2 loaders with AMSI and ETW bypasses for in-memory execution.
  • Operators shifted from email theft on Microsoft Exchange to direct database collection by executing an mssq.bat script via WMI to query SQL Server data and export results to CSV, including searches tied to Afghanistan and Pakistan.
  • Intrusions commonly begin by exploiting unpatched internet-facing services such as IIS and Exchange, followed by low-noise persistence using living-off-the-land techniques like WMI.
  • Palo Alto Networks notes infrastructure overlap with groups such as APT27, APT41 and Mustang Panda but describes a distinct playbook; it has published indicators of compromise and cautions that more victims are likely to emerge.
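Added detection example, not code from the Unit 42 report or from Particle.news: a small Python triage script over constructed process-creation log lines that flags the two behaviours the bullets describe, the WMI provider host launching a batch script and the IIS worker process spawning a shell. The key=value log layout, field names and sample values are assumptions for this example, not any vendor's schema.

```python
import re

# Processes that WmiPrvSE.exe or w3wp.exe should rarely spawn on a server.
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry (not real logs); the key=value layout and
# field names are assumptions, not any vendor's schema.
SAMPLE_EVENTS = [
    r'ts=2025-09-30T01:02:03Z parent=C:\Windows\System32\wbem\WmiPrvSE.exe '
    r'image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Windows\Temp\mssq.bat"',
    r'ts=2025-09-30T01:05:10Z parent=C:\Windows\System32\inetsrv\w3wp.exe '
    r'image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c whoami"',
    r'ts=2025-09-30T01:06:00Z parent=C:\Windows\explorer.exe '
    r'image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
]

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in pairs}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons (possibly none) an event matches the TTPs above."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()
    reasons = []
    # Living-off-the-land collection: WMI provider host launching a batch script or shell.
    if parent == "wmiprvse.exe" and (image in SHELLS or ".bat" in cmdline):
        reasons.append("WMI-launched shell or batch script")
    # An in-memory IIS backdoor often surfaces as the worker process spawning a shell.
    if parent == "w3wp.exe" and image in SHELLS:
        reasons.append("IIS worker process spawned a shell")
    return reasons

def scan(lines):
    """Return (timestamp, reasons) for every event that matched at least one rule."""
    hits = []
    for event in map(parse_event, lines):
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ts", "?"), reasons))
    return hits

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_EVENTS):
        print(ts, "; ".join(reasons))
```

Baseline the parent/child pairs on your own IIS and SQL hosts first; a scheduled administrative job launched through WMI will trip the first rule and needs an explicit allow-list entry.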