Phantom Taurus Deploys Net-Star Backdoors Across Africa
Unit 42 exposes Phantom Taurus, a Chinese APT targeting embassies and foreign ministries with fileless NET-STAR malware. The group resurfaces within hours after discovery.
A Chinese state-sponsored threat actor called Phantom Taurus has been targeting government ministries, embassies, and telecommunications organizations across Africa, the Middle East, and Asia since at least June 2023. Unit 42 published detailed research this week exposing the group's custom NET-STAR malware suite and unusually aggressive operational tempo.
What sets Phantom Taurus apart: unlike most APTs that go dark for weeks or months after exposure to retool, this group resurfaces within hours or days. That speed suggests dedicated resources and operational confidence that few threat actors demonstrate.
What is Phantom Taurus?
Phantom Taurus (also tracked as CL-STA-0043 and TGR-STA-0043) is a previously undocumented China-nexus APT whose targeting aligns with the economic and geopolitical interests of the People's Republic of China. Unit 42 has tracked the cluster since mid-2023 and elevated it to a named group after observing consistent TTPs and dedicated infrastructure.
The group's primary focus areas include:
- Ministries of foreign affairs
- Embassies and diplomatic missions
- Military operations
- Telecommunications infrastructure
- Geopolitical event monitoring
This targeting profile overlaps with that of other Chinese APTs, but the group operates independently, with its own tooling and compartmentalized infrastructure.
The NET-STAR Malware Suite
Phantom Taurus deploys three .NET-based IIS web backdoors that collectively form the NET-STAR suite:
IIServerCore: A fileless, modular backdoor that runs entirely in memory inside the IIS worker process (w3wp.exe). It receives command-line arguments, arbitrary commands, and additional payloads from the operator and executes them in memory, without writing anything to disk.
AssemblyExecuter V1: A .NET assembly loader enabling direct execution of other .NET assemblies in memory. Designed to deploy additional payloads while evading file-based detection.
AssemblyExecuter V2: Enhanced variant with AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) bypass capabilities for heavily monitored environments.
The malware encrypts its communications with AES in ECB mode with PKCS7 padding. ECB encrypts every 16-byte block independently under the same key, so identical plaintext blocks yield identical ciphertext blocks; that is a weakness for the operators and a useful handle for analysts, since structure in the commands leaks as repeated blocks and a key recovered from a memory dump decrypts all captured traffic. The web shells carry Base64-encoded embedded binaries separated by "STAR" delimiters in the payload structure.
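The following is an added example, not code from Unit 42 or from the NET-STAR samples, that shows why an ECB-mode channel leaks structure. It substitutes a SHA-256-based toy block function for AES so that it runs offline with the standard library only (an assumption for the demonstration: any deterministic per-block function under a fixed key exhibits the same property); the key, IV, and the repeated status message are constructed sample data.

```python
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """PKCS#7: append n bytes each of value n (1 <= n <= block); always pads."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (assumption made so no crypto library
    is needed). It is a deterministic function of (key, block), which is the only
    property the ECB demonstration depends on; it is not invertible, so it models
    the encryption direction only."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each padded block is encrypted on its own; equal blocks give equal output."""
    padded = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC for contrast: each block is XORed with the previous ciphertext block first."""
    padded = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        blk = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, blk)
        out.append(prev)
    return iv + b"".join(out)


def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte blocks that duplicate an earlier block (0.0 is the
    expectation for a chained or randomized mode on any realistic input)."""
    n = len(ciphertext) // BLOCK
    if n == 0:
        return 0.0
    counts = Counter(ciphertext[i * BLOCK:(i + 1) * BLOCK] for i in range(n))
    return sum(c - 1 for c in counts.values()) / n


# Constructed sample data: a static key, a zero IV and a beacon made of four
# identical 16-byte fields, the kind of structure a C2 protocol tends to have.
KEY = b"constructed-static-key!!"
IV = b"\x00" * BLOCK
SAMPLE = b"STATUS=OK;TASK=0" * 4

if __name__ == "__main__":
    print("ECB repeated-block ratio:", repeated_block_ratio(ecb_encrypt(KEY, SAMPLE)))
    print("CBC repeated-block ratio:", repeated_block_ratio(cbc_encrypt(KEY, IV, SAMPLE)))
```

The four identical plaintext blocks come out of ECB as four identical ciphertext blocks (three duplicates out of five blocks once the full PKCS7 padding block is counted), while CBC shows none. In practice short C2 messages rarely repeat whole 16-byte blocks, so treat the ratio as a corroborating signal over a session, not a standalone detection.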
Tactical Evolution
Unit 42 documented a tactical shift in early 2025. The group moved from primarily harvesting email from Exchange servers to stealing entire databases through SQL Server compromise. A script called mssq.bat runs dynamic SQL queries that search for specific keywords and country names, a far more comprehensive approach to intelligence collection.
The group shares infrastructure with other Chinese APTs including Iron Taurus (APT27), Starchy Taurus (Winnti), and Stately Taurus (Mustang Panda), though it maintains operational separation. This infrastructure sharing is common among Chinese state-sponsored groups and complicates attribution efforts.
Additional tools in their arsenal include PlugX, Gh0st RAT, China Chopper, Impacket, Mimikatz, and Ladon—a mix of custom and shared tooling.
Detection and Hunting
Organizations in target sectors should monitor for:
- w3wp.exe loading .NET assemblies that have no backing file on disk, or other suspicious in-memory assembly loading in IIS worker processes
- ASPX web shells with Base64-encoded embedded binaries
- SQL queries executed via WMI targeting sensitive keywords
- Timestomped IIS modules and ASPX files
- Network traffic to infrastructure previously linked to Chinese APT operations
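The script below is an added example, not code from Unit 42 or from the NET-STAR samples, that implements the second hunting item: scanning ASPX files for Base64-encoded embedded .NET binaries separated by "STAR" delimiters. It assumes the delimiter appears literally between Base64 fields (the page does not give the exact layout) and that an embedded managed PE can be recognised by its MZ header plus the BSJB CLR metadata signature; the suspicious and benign ASPX samples are constructed inline and contain no real malware.

```python
import base64
import binascii
import re

# Runs of the Base64 alphabet. "=" is allowed mid-run so STAR-delimited fields that
# end in padding still form a single run; 48+ characters skips GUIDs and short tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{48,}")
DELIM = "STAR"  # assumption: the delimiter sits literally between Base64 fields


def decode_segment(seg: str):
    """Base64-decode one field, tolerating missing padding; None if it is not Base64."""
    seg = seg.rstrip("=")
    seg += "=" * (-len(seg) % 4)
    try:
        return base64.b64decode(seg, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_dotnet_pe(data: bytes) -> bool:
    """MZ DOS header plus the 'BSJB' signature that heads every CLR metadata root."""
    return data[:2] == b"MZ" and b"BSJB" in data


def find_embedded_assemblies(text: str) -> list:
    """Return (offset, decoded_size) for each STAR-delimited field that decodes to a
    managed PE. A 'STAR' occurring by chance inside real Base64 breaks that run into
    undecodable pieces, which simply fail the decode and are ignored."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        if DELIM not in run:
            continue
        for seg in run.split(DELIM):
            data = decode_segment(seg)
            if data is not None and looks_like_dotnet_pe(data):
                hits.append((m.start(), len(data)))
    return hits


def scan_files(paths):
    """Yield (path, offset, size) per suspicious blob. For live hunting, point this at
    the IIS web roots and application virtual directories of the servers in scope."""
    for p in paths:
        with open(p, "r", encoding="utf-8", errors="replace") as fh:
            for off, size in find_embedded_assemblies(fh.read()):
                yield (p, off, size)


# --- constructed samples: a fake managed PE skeleton (NOT a real binary) embedded in an
# ASPX page the way the hunt expects, and a benign page with an ordinary long Base64 value.
FAKE_DOTNET_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32 + b"BSJB" + b"\x00" * 16
SUSPICIOUS_ASPX = (
    '<%@ Page Language="C#" %><script runat="server">\n'
    'string p = "' + base64.b64encode(FAKE_DOTNET_PE).decode() + DELIM
    + base64.b64encode(b"cmd=whoami").decode() + '";\n</script>'
)
BENIGN_ASPX = (
    '<%@ Page Language="C#" %>\n<input type="hidden" name="__VIEWSTATE" value="'
    + base64.b64encode(b"benign-viewstate-" * 4).decode() + '" />'
)

if __name__ == "__main__":
    print("suspicious:", find_embedded_assemblies(SUSPICIOUS_ASPX))
    print("benign:", find_embedded_assemblies(BENIGN_ASPX))
```

The benign ViewState value is a long Base64 run but carries no delimiter, so it is skipped; the constructed shell is flagged once, with the decoded size of the embedded binary. Any file it flags should be pulled for analysis together with the IIS module list and the file's $FILE_NAME timestamps, since the page also notes the group timestomps its ASPX files and IIS modules.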
Unit 42 notes that Cortex XDR's web shell protection module provides detection coverage for known NET-STAR variants.
Why This Matters
Phantom Taurus represents a mature, well-resourced espionage operation that shows no signs of slowing despite public exposure. The rapid return to operations after discovery suggests the group considers its mission important enough to absorb the OPSEC risks of continued activity.
For organizations in Africa, the Middle East, and Asia, particularly those involved in diplomatic or telecommunications work, this is an active and persistent threat. The fileless nature of NET-STAR makes detection difficult, and the group's willingness to resume operations immediately means there is no post-exposure breathing room.
For background on the social engineering tactics these APTs commonly employ, see our guide to social engineering.