Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Essential information
- Published
- 30/09/2025 17:21
- Modified
- 30/09/2025 20:12
- Tags
- 2025-09-30, africa, asia, assemblyexecuter, china chopper, chinese apt, database targeting, espionage, gh0st rat, government, iis backdoor, iiservercore, middle east, net-star, ntospy, plugx, specter, telecommunications
- Related entities
- 4 observables, 1 intrusion set (APT), 16 techniques (MITRE ATT&CK), 4 others
Description
Phantom Taurus is a newly identified Chinese state-sponsored threat actor conducting espionage operations against government and telecommunications organizations across Africa, the Middle East, and Asia. Its primary targets are ministries of foreign affairs, embassies, and military-related organizations, with the objective of collecting sensitive information. Phantom Taurus uses distinctive tactics, techniques, and procedures, including a previously undocumented malware suite called NET-STAR, which consists of three web-based backdoors built to run on Internet Information Services (IIS) web servers. The group has recently shifted its collection from harvesting email to querying databases directly, showing that it adapts its methods as operational needs change. Phantom Taurus' activity aligns with Chinese strategic interests, and its infrastructure overlaps with that of other known Chinese APT groups.