PROBABLYPWNED
Threat Intelligence | June 6, 2026 | 4 min read

Phantom Taurus: Chinese APT Deploys NET-STAR Malware Suite

Unit 42 exposes Phantom Taurus, a China-aligned APT targeting governments and telecoms across Africa, the Middle East, and Asia with custom NET-STAR backdoors for IIS servers.

Alex Kowalski

Palo Alto Networks' Unit 42 has documented a previously unknown Chinese nation-state actor that has quietly compromised government ministries, embassies, and telecommunications providers across three continents for over two years.

The group, tracked as Phantom Taurus, distinguishes itself through surgical targeting, extended persistence, and a custom malware suite called NET-STAR designed specifically to backdoor IIS web servers. The research, published by Unit 42, provides the first comprehensive look at an APT that prioritizes stealth over scale.

Who Phantom Taurus Targets

The group focuses on intelligence collection aligned with Chinese strategic interests:

  • Ministries of foreign affairs and diplomatic missions
  • Embassies across Africa, the Middle East, and Asia
  • Telecommunications providers in target regions
  • Military operations and geopolitical event monitoring

Geographic focus centers on regions where China has significant economic and political investments—Africa and the Middle East feature prominently, with additional activity across South and Central Asia.

The NET-STAR Malware Suite

Phantom Taurus operates primarily through NET-STAR, a .NET malware framework designed to compromise IIS web servers. The suite consists of three components:

IIServerCore serves as the main backdoor. It operates entirely in memory within the w3wp.exe process, leaving minimal forensic traces. Delivered via an ASPX web shell named OutlookEN.aspx, the backdoor supports 18 distinct commands including file operations, SQL database access, arbitrary code execution, and web shell management. It also includes AMSI bypass functionality to evade endpoint detection.

AssemblyExecuter V1 loads and executes .NET assemblies directly in memory. At the time of Unit 42's analysis, VirusTotal showed minimal detection—the binary flew under most security vendors' radar.

AssemblyExecuter V2 adds enhanced evasion capabilities, including dynamic bypass techniques for both AMSI and ETW that adapt based on the target environment.

Evolution of Tactics

Unit 42 tracked Phantom Taurus evolving from activity cluster CL-STA-0043, first documented in June 2023, through the temporary designation Operation Diplomatic Specter before formal attribution in 2025.

A notable shift occurred in early 2025: the group moved from targeted email theft to direct database exfiltration. Researchers observed a batch script (mssq.bat) that connects to SQL Server with administrator credentials, executes dynamic queries, and exports results to CSV files. Query parameters referenced specific countries—Afghanistan and Pakistan appeared in the documented samples.

This evolution suggests growing operational maturity and potentially expanding collection requirements from their sponsors.

Shared Infrastructure, Distinct Operations

Phantom Taurus shares operational infrastructure with other known Chinese APTs, including Iron Taurus (APT27), Starchy Taurus (Winnti), and Stately Taurus (Mustang Panda). However, the group maintains compartmentalized, actor-specific components that distinguish its operations.

The overlap with Mustang Panda's recent TONESHELL campaigns suggests possible coordination or shared resources within Chinese state-sponsored cyber operations, though Unit 42 stops short of claiming organizational links.

Detection Challenges

Phantom Taurus presents significant detection challenges:

  1. Fileless execution keeps primary malware in memory
  2. Injection into the legitimate w3wp.exe IIS worker process hides the backdoor among normal web server activity
  3. Custom tooling avoids signature-based detection
  4. AMSI/ETW bypasses blind endpoint security tools

The group also employs timestomping to modify file metadata and uses common tools like China Chopper, the Potato privilege escalation suite, and Impacket—blending malicious activity with techniques used by penetration testers worldwide.

Indicators of Compromise

Unit 42 published SHA256 hashes for key NET-STAR components:

Component              SHA256
IIServerCore           eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc
AssemblyExecuter V1    3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4
AssemblyExecuter V2    afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e

Organizations running IIS servers in targeted sectors should hunt for these hashes and audit for OutlookEN.aspx or similar web shells in web-accessible directories.
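A small hunting script for the IoCs above, added here as an illustration and not tooling from Unit 42 or the article: it walks a directory tree, hashes every file with SHA-256, flags matches against the three published NET-STAR hashes, and flags any .aspx file whose name resembles the OutlookEN.aspx loader. The default web root path and the filename pattern are assumptions.

```python
# Added example (not Unit 42's or the article's tooling): hunt a web root for the
# NET-STAR hashes from the article and for OutlookEN.aspx lookalikes.
import hashlib
import os
import re
from pathlib import Path

# SHA256 values from the article's IoC table (Unit 42 publication).
NET_STAR_HASHES = {
    "eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc": "IIServerCore",
    "3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4": "AssemblyExecuter V1",
    "afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e": "AssemblyExecuter V2",
}

# Loader filename named in the article; the pattern (an assumption) also catches
# trivially renamed variants such as case changes or an appended digit.
WEBSHELL_NAME = re.compile(r"^outlooken\d*\.aspx$", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assemblies are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str) -> list:
    """Return one finding per file that matches a known hash or the web shell name pattern."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in NET_STAR_HASHES:
                findings.append({"path": str(path), "reason": "hash",
                                 "component": NET_STAR_HASHES[digest]})
            if WEBSHELL_NAME.match(name):
                findings.append({"path": str(path), "reason": "webshell-name",
                                 "component": "OutlookEN.aspx lookalike"})
    return findings


if __name__ == "__main__":
    # Assumed default IIS web root; pass any other directory when hunting elsewhere.
    for finding in hunt(r"C:\inetpub\wwwroot"):
        print(finding)
```

Hash matching only catches the exact samples Unit 42 published, so treat a filename hit or any unexpected .aspx in a web-accessible directory as a lead to investigate rather than relying on the hash list alone.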

Why This Matters

Phantom Taurus represents the operational maturity of Chinese cyber espionage. The group's methodical approach—custom tooling, in-memory execution, careful target selection—reflects lessons learned from years of APT operations where noisier tactics led to exposure and attribution.

For defenders in government, diplomatic, and telecommunications sectors across Africa, the Middle East, and Asia, this disclosure provides concrete IOCs and TTPs to hunt for. The shift toward database theft rather than email access also signals that organizations should extend monitoring beyond mail servers to include database activity and large data exports.

The overlap with other Chinese APTs suggests this is one node in a broader state-sponsored ecosystem. Understanding Phantom Taurus helps map that ecosystem, but the more uncomfortable truth is that similar groups likely remain undocumented, operating with equal sophistication in sectors and regions not yet examined by threat researchers.
