A Chinese state-sponsored hacking group tracked as ‘Phantom Taurus’ has been targeting government and telecommunications organizations for espionage for more than two years, Palo Alto Networks reports.
Initially observed in 2023, the APT was only recently linked to Chinese hacking groups through shared infrastructure, as its tactics, techniques and procedures (TTPs) differ from those typically associated with threat actors operating out of China.
“These enable the group to conduct highly covert operations and maintain long-term access to critical targets,” says Palo Alto Networks.
The group, the cybersecurity firm explains, uses shared operational infrastructure exclusive to Chinese APTs, and targets high-value organizations (such as ministries of foreign affairs and embassies), in line with China’s economic and geopolitical interests.
What sets Phantom Taurus apart, however, is its use of a distinct set of TTPs, some unique to the group, such as its Specter and NET-STAR malware families, and the Ntospy malware. Tools commonly used by Chinese hackers, such as China Chopper, the Potato suite, and Impacket, are also part of its inventory.
The APT has been observed targeting email servers to exfiltrate messages of interest, as well as directly targeting databases, in attacks against organizations in Africa, the Middle East, and Asia.
In 2025, the group started using NET-STAR, a .NET malware suite targeting IIS web servers, which consists of three web-based backdoors: IIServerCore (a fileless backdoor) and two AssemblyExecuter variants (.NET malware loaders).
The IIServerCore backdoor operates entirely in memory. It can receive and execute payloads and arguments, and can send the result back to the command-and-control (C&C) server.
It supports built-in commands to perform file system operations, access databases, execute arbitrary code, manage web shells, evade and bypass security solutions, load payloads directly in memory, and encrypt communication with the C&C.
The first malware loader, AssemblyExecuter V1, can execute other .NET assemblies in memory, allowing the attackers to dynamically load and execute additional code post-compromise.
AssemblyExecuter V2 has the same core purpose, but features enhanced evasion capabilities, with dedicated methods for bypassing Windows’ Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) security mechanisms.
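The behaviours described above (an IIS worker process running attacker code entirely in memory, loading .NET assemblies that never touch disk, and managing web shells) each leave a footprint in ordinary endpoint telemetry. The following hunting script is an added example written for this article; it is not code from Palo Alto Networks or from the NET-STAR analysis. It runs three defender-side rules over a handful of constructed, Sysmon-style event records: a `w3wp.exe` worker spawning a command interpreter, a .NET module loaded into `w3wp.exe` with no backing file path (the CLR’s ETW ModuleLoad event reports an empty IL path for assemblies loaded from a byte array; that field semantics and the simplified field names are assumptions of this example), and `w3wp.exe` writing a server-side script file into a site root. The sample events, host names and paths are all constructed.

```python
"""Hunting rules for IIS worker-process abuse (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

IIS_WORKER = "w3wp.exe"
# Child images an IIS worker process has no routine reason to start.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe"}
# Extensions IIS will execute as server-side code if written into a site root.
SERVER_SIDE_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".config")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """File name of a Windows path, case-folded so comparisons are stable."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 1 style record: IIS worker spawning an interactive shell."""
    if basename(ev["parent_image"]) != IIS_WORKER:
        return None
    child = basename(ev["image"])
    if child in SHELL_CHILDREN:
        return Finding("iis_spawns_shell", ev["host"], f"{child}: {ev['command_line']}")
    return None


def check_module_load(ev: dict) -> Optional[Finding]:
    """Simplified CLR ETW ModuleLoad record: assembly with no on-disk image."""
    if basename(ev["process_image"]) != IIS_WORKER:
        return None
    if ev["il_path"] == "":  # assumed: empty path means loaded from bytes in memory
        return Finding("iis_memory_only_assembly", ev["host"], ev["module_name"])
    return None


def check_file_create(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 11 style record: IIS worker dropping server-side code."""
    if basename(ev["image"]) != IIS_WORKER:
        return None
    if ev["target_filename"].lower().endswith(SERVER_SIDE_EXT):
        return Finding("iis_writes_server_side_file", ev["host"], ev["target_filename"])
    return None


CHECKS: Dict[str, Callable[[dict], Optional[Finding]]] = {
    "process_create": check_process_create,
    "module_load": check_module_load,
    "file_create": check_file_create,
}


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Apply every rule that matches the event kind; return all findings in order."""
    findings: List[Finding] = []
    for ev in events:
        check = CHECKS.get(ev["kind"])
        if check is None:
            continue
        finding = check(ev)
        if finding is not None:
            findings.append(finding)
    return findings


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
# Constructed sample telemetry (not real events from any incident).
SAMPLE_EVENTS = [
    {"kind": "process_create", "host": "web01", "parent_image": W3WP,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"kind": "process_create", "host": "web01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},  # benign: not IIS
    {"kind": "module_load", "host": "web01", "process_image": W3WP, "module_name": "System.Web",
     "il_path": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll"},
    {"kind": "module_load", "host": "web01", "process_image": W3WP, "module_name": "App_Web_x1y2z3",
     "il_path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\ab12\App_Web_x1y2z3.dll"},
    {"kind": "module_load", "host": "web01", "process_image": W3WP, "module_name": "Loader",
     "il_path": ""},  # no file behind it: loaded straight from memory
    {"kind": "file_create", "host": "web01", "image": W3WP,
     "target_filename": r"C:\inetpub\wwwroot\images\logo.png"},  # benign upload
    {"kind": "file_create", "host": "web01", "image": W3WP,
     "target_filename": r"C:\inetpub\wwwroot\aspnet_client\help.aspx"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Against the constructed events the script reports three findings (the `cmd.exe` child, the memory-only `Loader` module, and the dropped `.aspx` file) and stays silent on the benign GAC and compiled-page loads. On a real estate the two ASP.NET temporary-file paths in the sample are exactly the kind of legitimate load that a naive "w3wp.exe loaded something outside System32" rule would flag, which is why the memory-only rule keys on the absence of a path rather than on where the path points.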
“We observed that the group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries. The timing and scope of the group’s operations frequently coincide with major world events and regional security affairs,” Palo Alto Networks says.