
Chinese APT ‘Phantom Taurus’ Deploys Net-Star Malware in Global Attacks

Summary

– Phantom Taurus is a Chinese state-sponsored hacking group that has targeted government and telecommunications organizations for espionage for over two years.
– The group uses shared infrastructure exclusive to Chinese APTs but employs distinct tactics, techniques, and procedures, including unique malware families like Specter, Net-Star, and Ntospy.
– Its operations focus on high-value targets such as ministries of foreign affairs and embassies, aligning with China’s economic and geopolitical interests in Africa, the Middle East, and Asia.
– In 2025, Phantom Taurus introduced Net-Star, a .NET malware suite with web-based backdoors like IIServerCore and AssemblyExecuter variants that enable fileless execution and evasion of security mechanisms.
– The group targets diplomatic communications, defense intelligence, and critical government ministries, often timing its operations to coincide with major global events and regional security affairs.

A sophisticated cyber espionage campaign linked to a Chinese state-sponsored hacking group known as ‘Phantom Taurus’ has been systematically targeting government bodies and telecommunications providers worldwide for over two years, according to a recent report from Palo Alto Networks. Although the group was first identified in 2023, researchers only recently attributed this advanced persistent threat (APT) to Chinese operations on the basis of shared infrastructure, despite its tactics, techniques, and procedures (TTPs) differing from those of typical China-based threat actors.

The cybersecurity firm notes that Phantom Taurus uses operational infrastructure exclusively tied to Chinese APTs and focuses on high-value organizations such as ministries of foreign affairs and embassies, entities closely aligned with China’s strategic economic and geopolitical goals. What distinguishes this group is its unique set of TTPs, including the deployment of custom malware families like Specter, Net-Star, and Ntospy. At the same time, the group also employs tools commonly used by Chinese hackers, such as China Chopper, the Potato suite, and Impacket.

Phantom Taurus has been observed in attacks across Africa, the Middle East, and Asia, where it infiltrates email servers to steal sensitive messages and directly targets databases. In 2025, the group began using Net-Star, a .NET malware suite designed to compromise IIS web servers. This suite includes three web-based backdoors: IIServerCore, a fileless backdoor, and two variants of AssemblyExecuter, which serve as .NET malware loaders.

IIServerCore operates entirely in memory, enabling it to receive and execute payloads and arguments, then send results back to the attackers’ command-and-control (C&C) server. It comes with built-in commands for file system operations, database access, arbitrary code execution, web shell management, evasion of security solutions, in-memory payload loading, and encrypted C&C communications.

The first loader, AssemblyExecuter V1, executes other .NET assemblies in memory, giving attackers the ability to load and run additional malicious code dynamically after the initial compromise. AssemblyExecuter V2 serves the same core purpose but includes improved evasion features, with specific methods designed to bypass Windows security mechanisms like the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

Palo Alto Networks emphasized that the group shows a consistent interest in diplomatic communications, defense intelligence, and the internal operations of key government ministries. The timing and scope of Phantom Taurus’s activities often align with major global events and pressing regional security matters, underscoring the strategic nature of its campaigns.

(Source: Security Week)
