A new 'top-tier' Chinese espionage group is stealing sensitive data
Briefly
"A newly-discovered threat group linked to China is targeting governments, the military, and other critical bodies across Africa, the Middle East, and Asia for espionage. Palo Alto Networks said the group, which it has dubbed Phantom Taurus, belongs in the top tier of global threats. "This is largely due to their targeting of both high-level geopolitical intelligence and entities (embassies, foreign ministries, diplomats) and critical telecommunications infrastructure, making them very much a dual threat," the researchers warned."
"Alongside more common tools, such as China Chopper, the Potato suite, and Impacket, the group uses customized tools, including the Specter malware family and Ntospy. It's also been able to maintain long-term access to critical targets through a custom-built malware suite called NET-STAR. Since 2023, Phantom Taurus has focused on stealing sensitive and specific emails of interest from email servers - but has more recently shifted to the direct targeting of databases using a script named mssq.bat."
"This connects to an SQL Server database with a given server name, a user ID named sa (system administrator), and a password that the attackers previously obtained. It then reads the SQL query provided in the command-line arguments by the group's operators, allowing dynamic searching for tables and specific keywords. Finally, it executes the provided query and returns the results that match the user's search, exports the results to a CSV file, and closes the database connection."
Phantom Taurus is a China-linked cyber-espionage group targeting governments, militaries, embassies, foreign ministries, diplomats, and telecommunications infrastructure across Africa, the Middle East, and Asia. The group has operated for two years, using distinctive tactics, techniques, and procedures to remain covert. Operators employ both commodity tools (China Chopper, the Potato suite, Impacket) and customized malware such as Specter, Ntospy, and a bespoke suite called NET-STAR that targets IIS web servers. Since 2023 the group has prioritized extracting sensitive emails, and it has recently shifted toward direct database compromise using a script named mssq.bat, which connects to SQL Server with the sa account and a previously stolen password, executes operator-supplied queries, and exports the results to CSV.
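The behaviour described for mssq.bat (an sa login from an operator-controlled host, followed by queries that hunt tables and keywords) is a pattern a defender can look for in SQL Server audit data. The following detection sketch is an added example, not code from the article or from Palo Alto Networks; the audit record layout, the DBA host allowlist and the log lines are constructed for the example.

```python
"""Flag sa sessions that resemble the mssq.bat workflow: sa login from a host
outside the DBA allowlist, schema enumeration, and keyword-driven LIKE searches.
Record layout and values are constructed for this example, not a real audit schema."""
import re
from collections import defaultdict

# Constructed audit records: (timestamp, event, login, client_host, statement)
SAMPLE_EVENTS = [
    ("2025-09-01T03:12:01", "LOGIN", "sa", "10.0.5.77", ""),
    ("2025-09-01T03:12:03", "QUERY", "sa", "10.0.5.77",
     "SELECT TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS "
     "WHERE COLUMN_NAME LIKE '%passport%'"),
    ("2025-09-01T03:12:09", "QUERY", "sa", "10.0.5.77",
     "SELECT * FROM dbo.VisaApplicants WHERE Notes LIKE '%embassy%'"),
    ("2025-09-01T08:00:00", "LOGIN", "sa", "10.0.1.10", ""),       # DBA jump host
    ("2025-09-01T08:00:05", "QUERY", "sa", "10.0.1.10",
     "BACKUP DATABASE hr TO DISK='E:\\bk\\hr.bak'"),
    ("2025-09-01T09:30:00", "LOGIN", "app_svc", "10.0.5.77", ""),
    ("2025-09-01T09:30:01", "QUERY", "app_svc", "10.0.5.77",
     "SELECT Id FROM dbo.Orders WHERE Id = 42"),
]

ADMIN_HOSTS = {"10.0.1.10"}  # constructed allowlist of hosts where sa use is expected
SCHEMA_HUNT = re.compile(r"INFORMATION_SCHEMA\.(TABLES|COLUMNS)|sys\.(tables|columns)", re.I)
KEYWORD_LIKE = re.compile(r"LIKE\s+'%[^']+%'", re.I)  # wildcard-both-sides keyword search


def score_sessions(events, admin_hosts=ADMIN_HOSTS):
    """Group events by (login, host); return one alert per sa session that
    originates from a non-admin host, with the reasons that were observed."""
    sessions = defaultdict(list)
    for ts, kind, login, host, stmt in events:
        sessions[(login, host)].append((ts, kind, stmt))
    alerts = []
    for (login, host), evs in sessions.items():
        if login.lower() != "sa" or host in admin_hosts:
            continue
        reasons = ["sa login from non-admin host %s" % host]
        stmts = [s for _, k, s in evs if k == "QUERY"]
        if any(SCHEMA_HUNT.search(s) for s in stmts):
            reasons.append("schema enumeration via INFORMATION_SCHEMA/sys.*")
        hunts = [s for s in stmts if KEYWORD_LIKE.search(s)]
        if hunts:
            reasons.append("%d keyword-search queries (LIKE '%%...%%')" % len(hunts))
        alerts.append({"login": login, "host": host,
                       "first_seen": evs[0][0], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in score_sessions(SAMPLE_EVENTS):
        print(alert)
```

The sa session from the DBA jump host is ignored even though it runs a backup, while the session from 10.0.5.77 is flagged on all three counts; disabling or renaming sa and restricting it to known hosts removes the precondition the script relies on.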
Read at IT Pro