Overview
- Phantom Taurus has targeted ministries of foreign affairs, embassies, diplomats and telecom networks across Africa, the Middle East and Asia to collect sensitive, timely intelligence around major political and security events.
- Unit 42 reports that the group remains active, with operations observed in multiple regions in recent months and nearly 10 known victims to date; more are expected to be identified as the newly published indicators are applied.
- Initial access has largely come through exploiting internet-facing IIS and Microsoft Exchange servers using known flaws such as ProxyLogon and ProxyShell, followed by stealthy living-off-the-land techniques.
- The newly disclosed NET-STAR suite targets IIS servers with a fileless IIServerCore backdoor and two AssemblyExecuter loaders, including a 2025 variant that bypasses AMSI and ETW and supports anti-forensic timestomping.
- Operations have shifted from email theft to direct SQL Server data extraction using a WMI-executed batch script that authenticates, runs dynamic queries, exports results to CSV, and has searched for items related to countries such as Afghanistan and Pakistan.
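As an added example (not from Unit 42's report and not part of the NET-STAR tooling), the following Python hunts over constructed Sysmon-style process-creation events for the behaviours summarised in the last three points: an IIS worker process spawning a shell after web-server exploitation, WmiPrvSE.exe launching cmd.exe with a batch script, and a command-line SQL client writing CSV output, with the SQL export correlated back to a WMI parent through ProcessGuid links. Field names follow Sysmon Event ID 1; the event values, rule names and process lists are assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Process names used by the heuristics; Sysmon image paths are reduced to
# lower-case basenames before comparison. Sets are assumptions, extend as needed.
IIS_WORKERS = {"w3wp.exe"}
WMI_HOSTS = {"wmiprvse.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}

CSV_RE = re.compile(r"\S+\.csv\b", re.IGNORECASE)
BATCH_RE = re.compile(r"\S+\.(?:bat|cmd)\b", re.IGNORECASE)


@dataclass
class Finding:
    record_id: str
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: dict, by_guid: dict, max_depth: int = 4) -> list[str]:
    """Parent image names, nearest first, following ParentProcessGuid links."""
    chain = [basename(event["ParentImage"])]
    cur = event
    for _ in range(max_depth):
        cur = by_guid.get(cur.get("ParentProcessGuid"))
        if cur is None:
            break
        chain.append(basename(cur["ParentImage"]))
    return chain


def evaluate(event: dict, by_guid: dict) -> list[Finding]:
    """Apply each heuristic to one process-creation event."""
    findings: list[Finding] = []
    rid = event["RecordId"]
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")

    # Rule 1: IIS worker spawning a shell (follow-on commands after IIS/Exchange compromise).
    if parent in IIS_WORKERS and image in SHELLS:
        findings.append(Finding(rid, "iis_worker_spawns_shell", f"{parent} -> {image}"))

    # Rule 2: WMI provider host launching a shell, typically with a batch script argument.
    if parent in WMI_HOSTS and image in SHELLS:
        m = BATCH_RE.search(cmdline)
        detail = f"script {m.group(0)}" if m else "no script path visible"
        findings.append(Finding(rid, "wmi_launched_shell", detail))

    # Rule 3: command-line SQL client writing results to a CSV file.
    if image in SQL_CLIENTS:
        m = CSV_RE.search(cmdline)
        if m:
            findings.append(Finding(rid, "sql_client_csv_export", f"output {m.group(0)}"))
        # Rule 4: the SQL client was started under a WMI host or IIS worker.
        if any(a in WMI_HOSTS or a in IIS_WORKERS for a in ancestry(event, by_guid)):
            findings.append(Finding(rid, "sql_client_under_remote_exec", " <- ".join(ancestry(event, by_guid))))

    return findings


def summarize(events: list[dict]) -> dict[str, list[str]]:
    """Map each record id to the sorted rule names it triggered."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    return {e["RecordId"]: sorted(f.rule for f in evaluate(e, by_guid)) for e in events}


# Constructed Sysmon-style Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": "E1", "ProcessGuid": "G1", "ParentProcessGuid": "G0",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"RecordId": "E2", "ProcessGuid": "G2", "ParentProcessGuid": "G-IIS",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": "E3", "ProcessGuid": "G3", "ParentProcessGuid": "G-WMI",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\Windows\Temp\run.bat"},
    {"RecordId": "E4", "ProcessGuid": "G4", "ParentProcessGuid": "G3",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
     "CommandLine": r'sqlcmd.exe -S localhost -E -Q "SELECT name FROM sys.databases" -o C:\Windows\Temp\export.csv -s ","'},
    {"RecordId": "E5", "ProcessGuid": "G5", "ParentProcessGuid": "G-EXP",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
     "CommandLine": r"sqlcmd.exe -S localhost -E -i C:\Scripts\backup.sql"},
]

if __name__ == "__main__":
    for rid, rules in summarize(SAMPLE_EVENTS).items():
        print(rid, rules or "-")
```

Rule 1 only sees commands an in-process backdoor chooses to spawn; a fileless IIS module itself leaves no child process, so this hunt should be paired with inspection of the modules loaded into w3wp.exe. Rules 2 to 4 will also fire on legitimate remote administration and scheduled exports, so the output is a triage queue, not an alert on its own.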