Beijing-backed burglars target government web servers
Briefly

"Unit 42 first spotted this cluster of attackers in 2022 and has kept an eye on it ever since. On Tuesday the infosec investigators decided the group is worthy of a name - "Phantom Taurus" - because it has developed novel tactics, techniques, and procedures (TTPs) in pursuit of military and diplomatic targets across Asia, the Middle East, and Africa."
""We observed that the group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries," the researchers wrote, and noted the group's ops align with China's interests and "frequently coincide with major global events and regional security affairs." Unit 42 says the group first targeted email systems, then switched to attacks on databases by using stolen credentials."
""The NET-STAR malware suite demonstrates Phantom Taurus' advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers," the threat hunters wrote, before explaining the suite includes three backdoors:
- IIServerCore: A fileless modular backdoor that supports in-memory execution of command-line arguments, arbitrary commands and payloads
- AssemblyExecuter V1: Loads and executes additional .NET payloads in memory
- AssemblyExecuter V2: An enhanced version of AssemblyExecuter V1 that is also equipped with Antimalware Scan Interfac"
A cluster of attackers first appeared in 2022 and has evolved into an actor designated Phantom Taurus. The group targets military and diplomatic communications plus critical government ministries across Asia, the Middle East, and Africa. Operations align with China's strategic interests and frequently coincide with major global and regional security events. Initial compromises focused on email systems, later shifting to database access using stolen credentials and shared infrastructure from other China-linked actors. The group now operates proprietary infrastructure and deploys a .NET-based NET-STAR malware suite designed to target IIS web servers, including multiple in-memory backdoors.
Read at The Register