New China APT Strikes With Precision and Persistence - Dark Reading
New China APT Strikes With Precision and Persistence
Phantom Taurus demonstrates a deep understanding of Windows environments, including advanced components like IIServerCore, a fileless backdoor that executes in memory to evade detection.
Jai Vijayan,Contributing Writer
September 30, 2025
4 Min Read
A previously undocumented Chinese nation-state actor has been targeting government agencies, embassies, military operations, and other entities across Africa, the Middle East, and Asia in a cyber-espionage operation as sophisticated as it is stealthy and persistent.
What makes the campaign different from other China-nexus activity is the threat actor's strategy of going directly after high-value systems at organizations of interest instead of the usual social engineering of end users.
Surgical Precision
"Phantom Taurus sets itself apart from other Chinese APTs through a combination of its surgical precision, unprecedented persistence, and its use of a highly sophisticated, custom-built toolkit," says Assaf Dahan, director of threat research at Palo Alto Networks' Unit 42 group. Unlike many Chinese threat actors who rely on broad phishing campaigns, Phantom Taurus's playbook is far more surgical, says Dahan, whose team has been tracking the activity since June 2023.
Phantom Taurus actors often bypass users entirely by meticulously researching and then directly targeting critical infrastructure, such as vulnerable web and email servers, he says. "This focused approach allows them to pinpoint the exact systems and individuals that will grant them access to their desired information."
Amplifying the threat is Phantom Taurus's persistence. Unlike most APTs that go dark for weeks or months after discovery to retool, Phantom Taurus resurfaces within hours or days, Dahan says. "This willingness to risk re-exposure underscores the critical nature of their missions and their determination to maintain access at all costs."
Unit 42 originally tracked the threat actor as CL-STA-0043 and later as TGR-STA-0043, aka "Operation Diplomatic Specter." The security vendor recently decided to formally designate the group as a new China-linked APT after analyzing threat activity over the past year.
In a nutshell, Phantom Taurus's mission appears to be to collect sensitive and non-public information of economic and geopolitical interest to the Chinese government. This has included diplomatic communication, military intelligence, and other government information particularly around major regional and global events.
Initially, the threat actor gathered this information by infiltrating email servers and stealing messages from victim organizations. More recently, Phantom Taurus has also begun going directly after the databases that hold the data it seeks. Since early this year, the threat actor has been using a script, "mssq.bat," to connect to SQL Server databases with previously obtained system administrator credentials. The group then runs custom SQL queries to search the database for specific tables and keywords, exports every matching result, and closes the connection.
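The behaviour described above (authenticate with stolen admin credentials, enumerate the catalog for tables and columns matching keywords, dump every match, disconnect) leaves a recognisable shape in SQL Server audit data. The following detector is an added example written for this article; it is not Unit 42's tooling and does not reproduce the actor's mssq.bat or its actual queries, which the article does not publish. The audit export format, the login names, hosts, table names and keywords are all constructed for the example.

```python
"""Flag SQL Server sessions that look like keyword-driven table discovery
followed by bulk export inside a short window.

Added example, not Unit 42's code. The audit records below are constructed
(one row per statement, as a SQL Server Audit could be flattened to CSV).
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit export (not real telemetry).
# Columns: time, session_id, login, client_host, statement
SAMPLE_AUDIT = """time,session_id,login,client_host,statement
2025-02-03T01:12:04,71,sa,10.0.8.23,"SELECT name FROM sys.tables WHERE name LIKE '%opec%' OR name LIKE '%military%'"
2025-02-03T01:12:05,71,sa,10.0.8.23,"SELECT table_name,column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE column_name LIKE '%cable%'"
2025-02-03T01:12:09,71,sa,10.0.8.23,"SELECT * FROM dbo.DiplomaticCables"
2025-02-03T01:12:15,71,sa,10.0.8.23,"SELECT * FROM dbo.MilitaryLiaison"
2025-02-03T01:12:20,71,sa,10.0.8.23,"SELECT * FROM dbo.OpecBriefings"
2025-02-03T09:30:00,88,app_svc,10.0.2.5,"SELECT TOP 50 * FROM dbo.Orders WHERE status = 'open'"
2025-02-03T09:30:02,88,app_svc,10.0.2.5,"UPDATE dbo.Orders SET status='closed' WHERE id=412"
"""

# Catalog views an operator queries to discover tables/columns by name.
CATALOG_RE = re.compile(
    r"\b(sys\.tables|sys\.columns|INFORMATION_SCHEMA\.(TABLES|COLUMNS))\b", re.I)
# A wildcard keyword search such as  LIKE '%opec%'
LIKE_RE = re.compile(r"\bLIKE\s+'%[^']*%'", re.I)
# A whole-table dump with no filter: SELECT * FROM <table>
FULL_DUMP_RE = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+([\w\.\[\]]+)\s*$", re.I)


def parse_audit(text):
    """Parse the CSV export into dicts with a real datetime in 'time'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows


def analyze_sessions(rows, min_dumps=3, max_window_s=600):
    """Return one finding per session that performed at least one keyword
    search against the catalog and then dumped >= min_dumps whole tables,
    all within max_window_s seconds."""
    sessions = defaultdict(list)
    for r in rows:
        sessions[r["session_id"]].append(r)

    findings = []
    for sid, stmts in sessions.items():
        stmts.sort(key=lambda r: r["time"])
        searches = [s for s in stmts
                    if CATALOG_RE.search(s["statement"])
                    and LIKE_RE.search(s["statement"])]
        if not searches:
            continue
        first_search = searches[0]["time"]
        # Only dumps issued after the catalog search count as "export matches".
        tables = []
        for s in stmts:
            m = FULL_DUMP_RE.match(s["statement"])
            if m and s["time"] >= first_search:
                tables.append(m.group(1))
        if len(tables) < min_dumps:
            continue
        window = (stmts[-1]["time"] - stmts[0]["time"]).total_seconds()
        if window > max_window_s:
            continue
        findings.append({
            "session_id": sid,
            "login": stmts[0]["login"],
            "client_host": stmts[0]["client_host"],
            "keyword_searches": len(searches),
            "tables": tables,
            "window_s": window,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_sessions(parse_audit(SAMPLE_AUDIT)):
        print(f"session {f['session_id']} ({f['login']}@{f['client_host']}): "
              f"{f['keyword_searches']} keyword searches, dumped {f['tables']} "
              f"in {f['window_s']:.0f}s")
```

The thresholds (three whole-table dumps, a ten-minute window) are starting points, not tuned values; the signal worth keeping is the ordering, a wildcard search of the catalog followed by unfiltered dumps of the tables it returned, from a login that normally runs fixed application queries.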
New .NET Malware Suite
In addition, Unit 42 discovered Phantom Taurus using a new .NET malware suite, which it tracks as NET-STAR, to compromise Internet Information Services (IIS) Web servers. The malware operates almost entirely in memory and consists of a fileless backdoor that establishes encrypted command-and-control (C2) sessions. The backdoor (IIServerCore) accepts commands and encoded .NET payloads and can execute different tasks, including arbitrary code execution on compromised systems. To avoid standing out in file-system timeline analysis, the threat actor alters file timestamps (timestomping) so they match those of other files on the system.
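Timestomping of the kind described above, copying the timestamps of a neighbouring legitimate file onto a dropped one, is visible when the NTFS $STANDARD_INFORMATION ($SI) timestamps, which the Win32 SetFileTime API can rewrite, are compared with the $FILE_NAME ($FN) timestamps, which it cannot. The hunt below is an added example for this article, not Unit 42's tooling; it works on records such as an MFT parser would emit, and the records, paths and MFT entry numbers are constructed for the example (nothing here reads a live volume).

```python
"""Hunt for timestomped files from parsed NTFS MFT records.

Added example, not Unit 42's code. Records are constructed; in practice they
would come from an MFT parser. Two indicators are used:
  1. $SI created earlier than $FN created: $FN is written when the entry is
     created and only refreshed on rename/move, so a backdated $SI is the
     classic SetFileTime signature.
  2. A file whose $SI created matches, to the 100-ns tick, an old file that
     sits thousands of MFT entries earlier: a late arrival wearing borrowed
     timestamps. Files installed together share timestamps too, but their
     MFT entries are allocated close together, which the record gap filters.
"""
from collections import defaultdict
from datetime import datetime


def _r(path, record, si_created, fn_created):
    return {"path": path, "record": record,
            "si_created": datetime.fromisoformat(si_created),
            "fn_created": datetime.fromisoformat(fn_created)}


# Constructed records (hypothetical paths and MFT entry numbers).
SAMPLE_RECORDS = [
    # Two OS files installed together: same timestamps, adjacent MFT entries.
    _r(r"C:\Windows\System32\inetsrv\w3wp.exe", 41200,
       "2021-11-09T14:22:31.127553", "2021-11-09T14:22:31.127553"),
    _r(r"C:\Windows\System32\inetsrv\iiscore.dll", 41201,
       "2021-11-09T14:22:31.127553", "2021-11-09T14:22:31.127553"),
    # A genuinely new file: $SI and $FN agree, no older twin.
    _r(r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex250601.log", 883402,
       "2025-06-01T00:00:03.511209", "2025-06-01T00:00:03.511209"),
    # Hypothetical dropped file whose $SI was copied from w3wp.exe.
    _r(r"C:\inetpub\wwwroot\bin\Helper.dll", 883410,
       "2021-11-09T14:22:31.127553", "2025-06-01T02:17:44.902118"),
]


def detect_timestomping(records, record_gap=10_000):
    """Return [{'path', 'reasons'}] for records showing either indicator."""
    by_created = defaultdict(list)
    for rec in records:
        by_created[rec["si_created"]].append(rec)

    findings = []
    for rec in records:
        reasons = []
        if rec["si_created"] < rec["fn_created"]:
            reasons.append("$SI created precedes $FN created (backdated $SI)")
        twins = [t for t in by_created[rec["si_created"]]
                 if t is not rec and rec["record"] - t["record"] > record_gap]
        if twins:
            t = twins[0]
            reasons.append(f"$SI created identical to much older entry "
                           f"{t['path']} (MFT {t['record']} vs {rec['record']})")
        if reasons:
            findings.append({"path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_timestomping(SAMPLE_RECORDS):
        print(f["path"])
        for why in f["reasons"]:
            print("   -", why)
```

Indicator 1 is the stronger of the two and is not defeated by copying a donor file's full 100-ns timestamps, because the copy only rewrites $SI; the dropped file's own $FN created time still records when it actually appeared. A USN journal or the volume's $LogFile, where retained, will corroborate the real creation time.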
Unit 42 researchers also found NET-STAR includes two AssemblyExecuter loaders (v1 and an enhanced v2) that allow Phantom Taurus actors to dynamically load additional .NET malware. The newer v2 version, according to Unit 42, adds advanced evasion techniques such as Antimalware Scan Interface (AMSI) bypass and Event Tracing for Windows (ETW) bypass.
"This toolkit demonstrates a deep understanding of Windows environments and includes advanced components like IIServerCore, a fileless backdoor that executes in memory to evade detection," Dahan says. "AssemblyExecuter V2, [is] a payload with built-in capabilities to bypass modern security tools like the AMSI and ETW, effectively blinding an organization's defenses."
Phantom Taurus's operational methods are supported by other custom malware, as well. "For email exfiltration, they deploy a previously undocumented family of backdoors named TunnelSpecter and SweetSpecter to compromise mail servers and steal entire mailboxes based on keyword searches related to topics like OPEC, military intelligence, and international relations," Dahan says.
Interestingly, while Phantom Taurus employs tactics and techniques that differ from those of other China-aligned advanced persistent threats, much of its attack infrastructure does not. Unit 42 found the threat actor using servers and other infrastructure with clear overlaps with known Chinese APT groups such as Iron Taurus (aka APT27), Starchy Taurus (aka Winnti), and Stately Taurus (aka Mustang Panda), Dahan says.
The C2 servers Phantom Taurus uses share IP addresses with those of other threat groups, and many of the malicious domains in its campaign share the same registration information and hosting providers, he adds.
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.