Phantom Taurus
Phantom Taurus is a previously undocumented, China-aligned nation-state espionage actor identified by Palo Alto Networks Unit 42. Unit 42 reported the group has been active for roughly two and a half years, targeting government and telecommunications organizations across Africa, the Middle East, and Asia. Reported targets include ministries of foreign affairs, embassies and diplomats, and entities connected to geopolitical events, military operations, diplomatic communications, defense-related intelligence, and critical ministry operations. The group's primary objective is espionage: long-term collection of sensitive, non-public information.

Unit 42 first tracked this activity as the cluster CL-STA-0043, then promoted it to the temporary group TGR-STA-0043 under the campaign name Operation Diplomatic Specter, and finally elevated it to the distinct threat group Phantom Taurus. Unit 42 assessed that Phantom Taurus draws on a shared Chinese APT operational infrastructure ecosystem also associated with Iron Taurus (APT27), Starchy Taurus (Winnti), and Stately Taurus (Mustang Panda), while maintaining compartmentalized infrastructure components not observed in other actors' operations.

Observed tooling includes China Chopper, the Potato suite, and Impacket, alongside custom tooling: the Specter malware family, Ntospy, and the NET-STAR malware suite. NET-STAR is a .NET malware suite targeting IIS web servers and comprises three web-based backdoors: IIServerCore, AssemblyExecuter v1, and AssemblyExecuter v2. Reported characteristics include fileless, in-memory execution inside the IIS worker process (w3wp.exe), encrypted C2, cookie-based session handling, loading via the OutlookEN.aspx web shell, timestomping, and, in AssemblyExecuter v2, AMSI and ETW bypass capabilities. Because the backdoors execute inside w3wp.exe rather than as separate processes, defenders should expect little on-disk or child-process evidence and should rely on IIS request logs, the OutlookEN.aspx artifact, and memory inspection of the worker process.
Unit 42 reported that Phantom Taurus initially focused on compromising Microsoft Exchange servers and stealing targeted emails, then shifted in early 2025 toward direct database theft. In that shift, the group used a batch script named mssq.bat, executed remotely via WMI, to authenticate to SQL Server with previously obtained credentials, run operator-supplied queries, and export the results to CSV for exfiltration. Reported searches included information related to Afghanistan and Pakistan. The group is described as stealthy, persistent, and adaptive, with operations often coinciding with major global events and regional security affairs.
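The two behaviours described above leave a process-tree seam a defender can check for: China Chopper-style command execution shows up as w3wp.exe spawning a shell, and the mssq.bat workflow shows up as WmiPrvSE.exe starting cmd.exe with a batch script, followed on the same host by a SQL command-line client writing query output to CSV. The following is an added example written for this page, not code from Unit 42 or from the actor's tooling: detection logic in Python run over constructed, simplified Sysmon process-creation events. The rule names, the correlation window, and the sample hostnames, paths, table name and query text are assumptions made for the example; only the mssq.bat filename and the Afghanistan search term come from the reporting. Because NET-STAR runs in memory inside w3wp.exe and need not spawn children, the first rule covers interactive web shell use rather than the .NET backdoors themselves.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified Sysmon Event ID 1 (process creation) records written
# for this example. They are not events from the reporting; hostnames, paths,
# the table name and the query text are invented.
SAMPLE_EVENTS = [
    # China Chopper-style command execution: the IIS worker spawns a shell
    {"time": "2025-02-10T08:01:02", "host": "EXCH01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "whoami /all"'},
    # Remote WMI execution of the batch script named in the reporting
    {"time": "2025-02-10T08:05:40", "host": "SQL01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\mssq.bat"},
    # The batch script authenticating to SQL Server and exporting to CSV
    {"time": "2025-02-10T08:05:41", "host": "SQL01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmdline": r'''sqlcmd -S localhost -U sa -P <redacted> -Q "SELECT subject FROM dbo.msgs WHERE body LIKE '%Afghanistan%'" -s "," -o C:\Windows\Temp\out.csv'''},
    # Benign administration: a sqlcmd query with no CSV export
    {"time": "2025-02-10T08:30:00", "host": "SQL01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "cmdline": r'sqlcmd -S localhost -E -Q "SELECT @@VERSION"'},
    # Benign: a user opening a shell from Explorer
    {"time": "2025-02-10T09:00:00", "host": "WEB02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "csc.exe", "rundll32.exe", "mshta.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}
# sqlcmd -o <file>.csv, a shell redirect to a .csv, or a comma column separator (-s ",")
CSV_EXPORT = re.compile(r'(-o\s+\S+\.csv|>\s*\S+\.csv|-s\s*"?,)', re.IGNORECASE)


def basename(path):
    """Lower-cased final path component of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_iis_worker_spawn(ev):
    """w3wp.exe launching a shell or compiler: interactive web shell use.
    NET-STAR's backdoors run inside w3wp.exe and need not spawn a child,
    so this rule alone does not cover them."""
    return basename(ev["parent"]) == "w3wp.exe" and basename(ev["image"]) in SHELLS


def rule_wmi_batch(ev):
    """cmd.exe started by WmiPrvSE.exe with a .bat on the command line:
    a batch script launched remotely through WMI (Win32_Process.Create)."""
    return (basename(ev["parent"]) == "wmiprvse.exe"
            and basename(ev["image"]) == "cmd.exe"
            and re.search(r"\.bat\b", ev["cmdline"], re.IGNORECASE) is not None)


def rule_sql_csv_export(ev):
    """A SQL command-line client writing query output to CSV."""
    return basename(ev["image"]) in SQL_CLIENTS and CSV_EXPORT.search(ev["cmdline"]) is not None


def correlate(events, window=timedelta(minutes=5)):
    """Run the rules over time-ordered events and join a WMI-launched batch
    with a later CSV export on the same host inside `window`: the mssq.bat
    chain. Returns (host, finding, cmdline) tuples in event order."""
    findings = []
    batch_seen = {}  # host -> times at which a WMI-launched batch was observed
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if rule_iis_worker_spawn(ev):
            findings.append((ev["host"], "iis_worker_spawn", ev["cmdline"]))
        if rule_wmi_batch(ev):
            batch_seen.setdefault(ev["host"], []).append(t)
        if rule_sql_csv_export(ev):
            recent = [b for b in batch_seen.get(ev["host"], []) if timedelta(0) <= t - b <= window]
            name = "wmi_batch_sql_csv_export" if recent else "sql_csv_export"
            findings.append((ev["host"], name, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for host, name, cmdline in correlate(SAMPLE_EVENTS):
        print(f"{host}: {name}: {cmdline}")
```

Run it directly to print the findings for the sample events. The same three rules map onto Sysmon Event ID 1 or EDR process telemetry in a SIEM; the correlation step matters because a SQL client exporting CSV is routine administrative activity on its own, and it is the WMI-launched batch on the same host minutes earlier that turns it into the mssq.bat pattern.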
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Telecommunication Services
- Government & Administration
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
8 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
14 malware families attributed to this actor across reporting.
9 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
"...prior intrusions have weaponized vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers, abusing flaws like ProxyLogon and ProxyShell, to infiltrate target networks."
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Phantom Taurus is a Chinese nation-state threat actor conducting cyber-espionage campaigns targeting high-value government and military entities in Africa, the Middle East, and Asia, using custom toolkits.
A named APT activity cluster described as China-nexus, associated with the discovery and use of the NET-STAR malware suite.
Phantom Taurus, a China-linked APT, is conducting espionage campaigns against key sectors using the NET-STAR malware suite.
China-aligned espionage activity targeting government and telecom organizations across Africa, the Middle East, and Asia; uses shared China APT infrastructure with apparent operational compartmentalization and a mix of commodity and custom tooling.