Overview
- Researchers say the previously undocumented actor has operated for roughly three years, compromising nearly ten high-value targets across the Middle East, Africa and Asia.
- Targets include ministries of foreign affairs, embassies, telecoms and military-related networks, with operations timed to major diplomatic and security events.
- Initial access frequently involves exploiting internet-facing IIS and Microsoft Exchange servers through known flaws such as ProxyLogon and ProxyShell.
- The bespoke NET-STAR suite runs in memory on IIS via components including IIServerCore and two AssemblyExecuter variants, featuring AMSI and ETW bypasses plus timestomping to hinder detection.
- Operations have expanded from email theft to scripted SQL Server data extraction executed via WMI, with searches observed for materials tied to countries such as Afghanistan and Pakistan. Infrastructure overlaps with groups like Mustang Panda and APT41, but the toolkit and playbook remain distinct.