October 11, 2025

Phantom Taurus – Threat Intelligence Report

Protos AI Agent, under the supervision of Demas

#PhantomTaurus #ChineseAPT #CyberEspionage #ThreatIntelligence #CyberSecurity #MITREATTACK #APTCyberThreat #Malware
Threat Actor Profile

Phantom Taurus is a Chinese APT group whose operations align with the interests of the People’s Republic of China. The group is characterized by its focus on high-value espionage targets, including ministries of foreign affairs, embassies, military, and telecom organizations in Africa, the Middle East, and Asia. The group’s motivation centers on intelligence collection around major geopolitical events and maintaining persistent access to sensitive networks. Phantom Taurus stands out for its custom malware, rare TTPs, and infrastructure overlap with other Chinese APTs, but maintains a unique operational playbook.

Infrastructure Mapping

Phantom Taurus maintains robust, compartmentalized infrastructure, primarily leveraging Chinese cloud services. The group uses Huawei Public Cloud Service in Shanghai, China, with the primary IP node 123.60.148.239 hosting key assets and associated with the domain netstar.cn. Web services run OpenResty on ports 80 (HTTP), 443 (HTTPS), and 6443, with a valid TLS certificate for mp.netstar.cn (TrustAsia DV TLS RSA CA 2025, expires 2025-12-24). Associated domains include netstar.cn, phantomtaurus.cn, and several subdomains. The infrastructure is designed for operational security, supporting persistent, stealthy operations and sharing resources with other Chinese APTs such as APT27, Winnti, and Mustang Panda.

Malware & Tooling

Phantom Taurus employs a sophisticated, custom-built malware suite and supporting tools:

  • NET-STAR Malware Suite: .NET-based, fileless, in-memory execution targeting IIS web servers.
    • IIServerCore: Modular backdoor, operates in IIS memory, supports encrypted C2, arbitrary command execution.
    • AssemblyExecuter V1/V2: Loaders for .NET payloads; V2 includes AMSI and ETW bypass.
  • Net Crawler: Worm-like component for credential dumping, SMB brute force, lateral movement via PsExec.
  • TunnelSpecter & SweetSpecter: Backdoors for email exfiltration from Exchange servers.
  • Other Malware: Specter malware, Agent Racoon, NtoSpy, Gh0st RAT, China Chopper.
  • Tools: Impacket, Yasso, Samba SMBClient, Windows-native utilities.
  • Key IOC: SHA256 hash for IIServerCore (ServerCore.dll): eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc.

The NET-STAR suite and its components are the technical backbone of Phantom Taurus campaigns, enabling persistent, stealthy access to targeted infrastructure and demonstrating advanced evasion techniques such as AMSI and ETW bypass, encryption, and timestomping.

Tactics, Techniques, and Procedures (TTPs)

Phantom Taurus’s operations map to the following MITRE ATT&CK tactics and techniques:

Grouped Threat Actor TTPs

| Tactic | Technique Name | Technique ID | Description / Example |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Exploiting vulnerabilities in internet-facing servers (IIS, Exchange, SQL) |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Targeted phishing emails with malicious attachments (less common for this group) |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Fileless execution of .NET payloads and VBScript implants via PowerShell |
| Execution | User Execution | T1204 | Malware requiring user interaction to execute |
| Persistence | Web Shell | T1505.003 | Deploying ASPX web shells and in-memory VBScript implants for long-term access |
| Defense Evasion | Indicator Removal on Host: Timestomp | T1070.006 | Modifying file timestamps to evade forensic analysis |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Bypassing or disabling security tools (e.g., AMSI bypass) |
| Defense Evasion | Impair Defenses: Disable Windows Event Logging | T1562.002 | Disabling or bypassing Windows Event Logging (ETW bypass) |
| Credential Access | OS Credential Dumping | T1003 | Dumping credentials from Windows systems |
| Credential Access | Brute Force: SMB/Windows Admin Shares | T1110.003 | Brute-forcing SMB credentials for lateral movement |
| Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Using SMB for lateral movement |
| Lateral Movement | Remote Services: PsExec | T1077 | Using PsExec for remote code execution and lateral movement |
| Collection | Data from Information Repositories | T1213 | Querying and exporting SQL databases and mailboxes |
| Collection | Email Collection | T1114 | Stealing emails from Exchange servers using custom backdoors |
| Command and Control | Encrypted Channel | T1041 | Establishing encrypted C2 sessions via IIServerCore backdoor |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Using HTTP/HTTPS for C2 communications |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Exporting sensitive data over encrypted C2 channels |

Phantom Taurus prefers exploiting internet-facing vulnerabilities and deploying fileless, in-memory malware for stealth. The group’s operational playbook is distinguished by its precision and persistence, with a focus on high-value targets and advanced evasion methods.

Indicators of Compromise (IOCs)

  • File Hash: eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc (IIServerCore)
  • Domains: netstar.cn, phantomtaurus.cn, plus subdomains
  • IP Address: 123.60.148.239
  • SSL Certificate: TrustAsia DV TLS RSA CA 2025 for mp.netstar.cn (expires 2025-12-24)

These indicators should be integrated into detection and response workflows for organizations at risk.

Contextual Intelligence & Correlations

Phantom Taurus shares infrastructure and operational overlap with other Chinese APTs (APT27, Winnti, Mustang Panda), but maintains a distinct malware suite and TTPs. The NET-STAR suite and associated backdoors are not observed in other known Chinese APT campaigns. The group’s activity is timed to coincide with major geopolitical events, indicating strategic intelligence objectives.

Detection & Response Recommendations

  • Monitor for IOCs: Integrate file hashes, domains, and IPs into SIEM and EDR solutions.
  • Harden Internet-Facing Servers: Patch IIS, Exchange, SQL, and other public-facing services promptly.
  • Detect Fileless Activity: Use behavioral analytics to spot in-memory execution and web shell activity.
  • Monitor for AMSI/ETW Bypass: Look for signs of security tool impairment and event logging disablement.
  • Review Credential Use: Audit for unusual SMB, PsExec, and admin credential usage.
  • Network Segmentation: Limit lateral movement opportunities and monitor for encrypted outbound C2 traffic.
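As an added illustration of the "Monitor for IOCs" recommendation and of the IOC list above (example code written for this page, not part of the report or of any vendor tooling), the following script matches the report's hash, domain and IP indicators against key=value log lines. The log lines are constructed for the example; the domain rule also covers subdomains, as the report's "plus subdomains" note requires, and it is written so that look-alike names such as netstar.cn.example.com are not false positives.

```python
import ipaddress
import re

# Indicators taken from the report above (domain match includes subdomains).
IOC_HASHES = {"eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc"}
IOC_DOMAINS = {"netstar.cn", "phantomtaurus.cn"}
IOC_IPS = {ipaddress.ip_address("123.60.148.239")}

# Constructed sample log lines (DNS, TLS, proxy and EDR events), not real telemetry.
LOGS = [
    'ts=2025-10-11T08:01:12Z type=dns query=mp.netstar.cn answer=123.60.148.239',
    'ts=2025-10-11T08:01:13Z type=tls sni=updates.example.net dst_ip=203.0.113.10',
    'ts=2025-10-11T08:02:40Z type=proxy host=cdn.example.org dst_ip=123.60.148.239',
    'ts=2025-10-11T08:03:05Z type=edr process=w3wp.exe image=ServerCore.dll '
    'sha256=EEED5530FA1CDEB69398DC058AAA01160EAB15D4DCDCD6CB841240987DB284DC',
    'ts=2025-10-11T08:03:06Z type=dns query=netstar.cn.example.com answer=198.51.100.7',
]

def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def is_ioc_ip(value: str) -> bool:
    """True if value parses as an IP address that is on the IOC list."""
    try:
        return ipaddress.ip_address(value) in IOC_IPS
    except ValueError:
        return False

def scan_line(line: str) -> list:
    """Return (ioc_type, value) hits for one key=value log line, in hash/domain/ip order."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    hits = []
    if fields.get("sha256", "").lower() in IOC_HASHES:
        hits.append(("hash", fields["sha256"].lower()))
    for key in ("query", "host", "sni"):          # DNS query, proxy host, TLS SNI
        if key in fields and domain_matches(fields[key]):
            hits.append(("domain", fields[key].lower()))
    for key in ("answer", "dst_ip"):              # resolved address, connection target
        if key in fields and is_ioc_ip(fields[key]):
            hits.append(("ip", fields[key]))
    return hits

def scan_logs(lines) -> list:
    """Return [(line_index, hits)] for every line that matched at least one indicator."""
    return [(i, h) for i, line in enumerate(lines) if (h := scan_line(line))]

if __name__ == "__main__":
    for idx, hits in scan_logs(LOGS):
        print(f"line {idx}: {hits}")
```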

Conclusion

Phantom Taurus represents a significant evolution in Chinese APT tradecraft, combining advanced malware, stealthy operational techniques, and cloud-based infrastructure to conduct persistent espionage against high-value targets. The group’s activities are well-documented through technical indicators, infrastructure mapping, and contextual intelligence, enabling effective detection and response. Organizations in government and telecom sectors across Africa, the Middle East, and Asia should prioritize monitoring for the identified IOCs and TTPs.

All findings are grounded in direct evidence from authoritative threat intelligence sources and technical analysis.
