When people talk about Chinese cyber-espionage, the same names usually dominate the headlines: APT27, Winnti, Mustang Panda… well-known groups tied to state-sponsored intelligence operations. But behind the scenes, there is another player—one far quieter, far more elusive, and far more dangerous.
Meet Phantom Taurus—a group so stealthy that it managed to infiltrate foreign ministries, embassies, and telecommunications networks for more than two and a half years without detection.
The world only learned its name on September 30, 2025, when researchers at Unit 42 (Palo Alto Networks) publicly exposed the operation. Until then, Phantom Taurus had been a ghost, silently siphoning diplomatic secrets across Africa, the Middle East, and Asia.
And the timing wasn’t random.
The operation was deeply intertwined with China’s diplomatic ambitions—especially during high-stakes geopolitical events where access to confidential communications gave Beijing a significant strategic edge.
The Riyadh Summit: A Perfect Backdrop for Espionage

December 7, 2022 — Riyadh, Saudi Arabia.
President Xi Jinping’s aircraft touches down, escorted by four Saudi fighter jets painting the sky in China’s colors. On the runway, Prince Faisal bin Bandar Al Saud welcomes Xi for the first-ever China–Arab States Summit, a landmark moment meant to redefine China’s partnership with the Middle East.
Inside the conference rooms, leaders sign the Riyadh Declaration and announce a major upgrade in China–Saudi relations. Cameras flash, handshakes abound, every angle choreographed for global audiences.
But behind the photo ops, something else is happening—out of sight, out of mind, and far more consequential.
While diplomats negotiate face-to-face, Phantom Taurus is already inside their networks.
How the breach began

Unit 42’s investigation later revealed that the group infiltrated Microsoft Exchange servers belonging to ministries of foreign affairs involved in the summit. Their mission was chillingly precise:
Identify and collect emails containing the names “Xi Jinping” and “Peng Liyuan.”
Why?
Because China wanted to know exactly what its new “strategic partners” were saying about Xi behind closed doors. Was the Middle East fully on board with China’s regional ambitions? Were there concerns? Internal disagreements? Diplomatic hesitation?
Thanks to Phantom Taurus, Chinese intelligence was reading those answers in real time.
This is what modern espionage looks like—not spies in trench coats, but malware invisibly parsing diplomatic communications as events unfold.
From Suspicious Activity to a Newly Named APT
The Phantom Taurus story truly begins in June 2023, when Unit 42 analysts noticed a pattern of suspicious activity they labeled CL-STA-0043.
At first, it was just one cluster among hundreds—nothing that screamed “major espionage campaign.” But the deeper analysts dug, the clearer it became that something different was happening.
For months, researchers quietly gathered indicators, traced infrastructure, and mapped out attack techniques. By May 2024, the cluster had grown significant enough to earn an interim designation:
“Temporary Threat Group” — Operation Diplomatic Specter.
The name was fitting.
The activity resembled something out of a cyber-themed Tom Clancy novel—shadow operations, diplomatic targets, silent persistence.
But it wasn’t until mid-2025, after one more year of analysis, that Unit 42 made a formal attribution:
Phantom Taurus
A name inspired by Unit 42’s system of assigning constellations to nation-state actors:
- Taurus → China
- Ursa → Russia
- Pisces → North Korea
- Serpens → Iran
“Phantom” captured the group’s defining trait: operating undetected, sometimes for years, inside high-value diplomatic systems.
An Invisible Threat Aligned With China’s Strategic Objectives

Phantom Taurus didn’t strike randomly.
Its operations aligned closely with China’s geopolitical priorities:
- Belt and Road Initiative countries
- Telecommunications partners
- Countries negotiating defense or energy deals with Beijing
- States hosting summits with high-level Chinese officials
Anywhere China had diplomatic or strategic leverage to gain, Phantom Taurus was lurking in the digital shadows.
Their targets included:
- Ministries of foreign affairs
- Embassies and consulates
- National telecom operators
- Government IT infrastructure across Africa, the Middle East, and Asia
The goal wasn’t sabotage—it was intelligence dominance. And Phantom Taurus achieved exactly that by hiding in places where diplomats assume they are safest: their private servers, their secure email systems, and their restricted networks.
Inside the Phantom Taurus Toolset — NET-STAR, IIServerCore, and a New Generation of Fileless Espionage
If Phantom Taurus is the ghost, then NET-STAR is the invisible weapon that lets it haunt diplomatic networks without ever being seen.
NET-STAR is a custom-built malware framework entirely written in .NET, designed for long-term persistence, stealth, and high-value data exfiltration.
Its crown jewel is a fileless backdoor known as IIServerCore, a tool engineered to burrow into Microsoft IIS servers and operate entirely from memory.
This is where Phantom Taurus moves from geopolitical espionage into cutting-edge cyber operations.
IIServerCore: The Fileless Backdoor That Lives Only in Memory
Most malware leaves a footprint: files on disk, registry keys, suspicious processes, log entries.
“IIServerCore leaves nothing.” It runs exclusively inside w3wp.exe, the IIS worker process, making it almost indistinguishable from legitimate web traffic and server activity.
How it gets in: the OutlookEN.aspx web shell
Phantom Taurus uses a deceptively simple initial payload:
OutlookEN.aspx — an ASPX web shell that contains a Base64-encoded binary.
When triggered, the shell:
- Decodes the binary directly in memory
- Injects IIServerCore into the running IIS process
- Launches a persistent fileless backdoor session
No executable files written to disk, no classic logs triggered — just code silently loaded into RAM. This is why Unit 42 researchers described Phantom Taurus as “a true ghost.”
Even digital forensics teams struggle to detect something that never touches the filesystem.
What IIServerCore Can Do: A Full Espionage Platform

Once inside, IIServerCore gives Phantom Taurus broad and granular control over the server environment.
Key Capabilities
- File system manipulation: copy, modify, delete, or monitor files without raising alerts.
- Database access: extract SQL Server data, including confidential state documents.
- Arbitrary code execution: run .NET assemblies or native code directly in memory.
- Web shell management: install, activate, and hide additional access points.
- Security bypassing: evade endpoint detection, antivirus tools, and logging.
- Encrypted C2 communication: all traffic between the backdoor and the command server is encrypted end-to-end.
This toolkit isn’t built for smash-and-grab attacks. It’s built for years of covert surveillance.
AssemblyExecuter: A Modular Engine for Expanding Capabilities
IIServerCore doesn’t work alone. NET-STAR includes a second major tool: AssemblyExecuter, which loads and executes additional .NET modules on demand.
Why this matters
The group can:
- Update their capabilities without redeploying malware
- Adapt to new security tools
- Add specialized code for specific targets
Version 2 is even more dangerous
The second version of AssemblyExecuter includes built-in techniques to bypass two major Windows security layers:
- AMSI (Antimalware Scan Interface): used by Microsoft Defender and most antivirus products to scan scripts.
- ETW (Event Tracing for Windows): used for system logging and behavioral detection.
With AMSI and ETW disabled or bypassed, Phantom Taurus can execute malicious code even in highly monitored networks, including government environments with strict security compliance.
This level of stealth is typically reserved for the most advanced nation-state APTs — and Phantom Taurus shows it has reached that tier.
Timestomping: The Art of Manipulating Digital Clocks
One of Phantom Taurus’s most clever tricks is timestomping—modifying the timestamps of files to make them look old, harmless, and ignored.
How Phantom Taurus uses timestomping
- The OutlookEN.aspx web shell was altered to match the timestamp of another legitimate ASPX file already on the server.
- NET-STAR components had their compilation timestamps modified to appear as if they were built years earlier.
- Some backdoors were even given future timestamps to confuse forensic tools.
To an analyst reviewing server logs, everything appears normal:
- This file has been here since 2018.
- This component hasn’t changed in years.
Unless investigators dig deep, most won’t question a file that looks older than the system itself. It’s simple, brilliant, and highly effective.
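Timestomping leaves contradictions that a triage script can surface. The Python check below is an added example, not Unit 42's tooling or anything from its report: it flags future-dated files, ASPX files whose modification time exactly duplicates another ASPX file's, and PE/.NET assemblies whose COFF compile timestamp postdates the file's own modification time. The demo() web root, file names and timestamps are constructed.

```python
import os, shutil, struct, tempfile, time
from collections import defaultdict

SLACK = 24 * 3600  # tolerate a day of clock skew before calling a timestamp "future"

def pe_compile_time(path):
    """COFF TimeDateStamp of a PE/.NET file, or None if the file is not a PE."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return None
        fh.seek(struct.unpack_from("<I", head, 0x3C)[0])  # e_lfanew
        coff = fh.read(12)  # "PE\0\0", Machine, NumberOfSections, TimeDateStamp
        if len(coff) < 12 or coff[:4] != b"PE\0\0":
            return None
        return struct.unpack_from("<I", coff, 8)[0]

def scan(root, now=None):
    """Walk a web root; return (path, reason) leads for the three patterns."""
    now = time.time() if now is None else now
    leads, aspx_by_mtime = [], defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = int(os.stat(path).st_mtime)
            if mtime > now + SLACK:
                leads.append((path, "future mtime"))
            if name.lower().endswith(".aspx"):
                aspx_by_mtime[mtime].append(path)
            built = pe_compile_time(path)
            # Caveat: deterministic .NET builds store a hash here, so this is a lead, not proof.
            if built is not None and built > mtime + SLACK:
                leads.append((path, "compile time after mtime"))
    for paths in aspx_by_mtime.values():
        if len(paths) > 1:  # a dropped file cloned onto a legitimate file's timestamp
            leads.extend((p, "mtime shared with another .aspx") for p in paths)
    return leads

def demo():
    """Constructed web root: clean page, shell cloned onto its timestamp, a
    future-dated page and a DLL 'built' 90 days ahead. Returns {name: reason}."""
    root, now = tempfile.mkdtemp(), 1_700_000_000
    old = now - 5 * 365 * 86400  # "this file has been here for years"
    stamps = {"Default.aspx": old, "OutlookEN.aspx": old,
              "future.aspx": now + 365 * 86400, "Module.dll": old}
    for name, ts in stamps.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            if name.endswith(".dll"):  # minimal PE: MZ stub, e_lfanew=0x40, COFF header
                fh.write(b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
                         + struct.pack("<HHI", 0x14C, 1, now + 90 * 86400))
        os.utime(path, (ts, ts))
    result = {os.path.basename(p): why for p, why in scan(root, now=now)}
    shutil.rmtree(root)
    return result
```

On a real IIS host, run scan() against the web root and the bin directories and treat every lead as a starting point for MFT and log correlation, not as a verdict.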
Exchange Exploits: Mining Diplomatic Emails at Scale
For most of its early years, Phantom Taurus was hyper-focused on compromising Microsoft Exchange servers. These servers are central hubs for ministries of foreign affairs and embassies — making them perfect targets.
They exploited well-known vulnerabilities:
- ProxyLogon (CVE-2021-26855)
- ProxyShell (CVE-2021-34473)
Once in, they would:
- Dump entire email mailboxes
- Filter for keywords related to Chinese strategic interests
- Extract conversations about leaders like Xi Jinping, Peng Liyuan, Joe Biden, and others
- Track military, telecom, and energy-related discussions
This wasn’t random keyword scraping. It was targeted intelligence gathering aligned with state-level priorities. But by early 2025, Phantom Taurus took things further.
From Email Mining to Database Mining: A Strategic Evolution
In 2025, Phantom Taurus began shifting focus away from emails and toward direct SQL database access, where even more sensitive information resides.
Their weapon of choice:
mssq.bat, a custom batch script designed for stealthy SQL data extraction.
What mssq.bat does
- Uses a stolen sa (SQL admin) account
- Executes dynamic SQL queries
- Searches for specific intelligence-related keywords
- Stores query results in CSV format
- Uses WMI (Windows Management Instrumentation) for remote execution
Unit 42 observed Phantom Taurus using the script to search for documents related to:
- Afghanistan
- Pakistan
- Regional security operations
This shift from Exchange to SQL shows a group that is:
- adapting its techniques,
- widening its intelligence reach,
- and focusing on higher-value data often unavailable in standard email discussions.
It’s an evolution that signals growing maturity and operational sophistication.
Strategic Analysis — What Phantom Taurus Reveals About China’s Cyber-Espionage Doctrine
Phantom Taurus doesn’t operate in isolation. It fits neatly into China’s broader “cyber-intelligence ecosystem,” where multiple state-backed groups share infrastructure, resources, and long-term objectives.
Shared Infrastructure, Separate Tools
Unit 42 discovered that Phantom Taurus uses command-and-control infrastructure overlapping with several major Chinese APTs:
- Iron Taurus (APT27)
- Starchy Taurus (Winnti / APT41)
- Stately Taurus (Mustang Panda)
These groups often use:
- The same IP ranges
- Similar malicious domains
- Shared hosting providers
- Identical registration patterns
At first glance, this appears to confirm coordinated state-level activity — and it does.
But the real sophistication lies in the compartmentalization.
Even though they share servers:
- Phantom Taurus uses unique malware
- Their NET-STAR toolkit does not appear in other APT operations
- They maintain strict separation of operational artifacts
- Their tradecraft is uniquely focused on diplomatic intelligence
It’s like several intelligence agencies working in the same building but each guarding its own classified rooms.
This hybrid model — shared infrastructure, isolated capabilities — lowers costs while maximizing stealth and operational security.
It is one of the reasons China’s cyber apparatus can scale so aggressively.
Persistent Access: The Signature of Phantom Taurus
Most cyber-espionage groups disappear for months after being publicly exposed.
They reset, rebuild tooling, and reconfigure infrastructure.
Phantom Taurus does the opposite.
Unit 42 documented a case where the group maintained access to a foreign ministry network for nearly two full years, quietly exfiltrating sensitive diplomatic data whenever geopolitical events required it.
Even after discovery, they were often back online within hours or days, not months.
This reveals three key characteristics:
1. Long-term intelligence priorities
They don’t steal data for quick wins.
They maintain access for multi-year operations tied to China’s diplomatic calendar.
2. Highly agile operational workflows
Their infrastructure and tools can be rotated rapidly.
Exposure doesn’t force them into long dormancy periods.
3. State-level support and resourcing
Operating continuously after public attribution is something only nation-state groups can realistically pull off.
This is why Phantom Taurus stands out even among China’s advanced threat actors.
A Wider Pattern: China’s Espionage Strategy in Action
To understand Phantom Taurus, it helps to consider an earlier example:
the African Union headquarters breach in Addis Ababa.
The building — financed and built by China — was later discovered to have:
- Servers preconfigured to automatically send data to Shanghai every night
- Two hours of nightly exfiltration logs
- Hidden microphones in conference rooms and walls
- Hardware implants inside core infrastructure
This operation lasted five years before discovery.
Phantom Taurus is the same playbook — but executed through software instead of hardware, and at planetary scale.
Their focus on:
- diplomacy,
- foreign ministries,
- embassies,
- and telecom networks
aligns perfectly with China’s long-term geopolitical priorities, especially in regions where it seeks influence.
In other words: Phantom Taurus is not a rogue cyber group.
It is part of a larger strategic framework of persistent, proactive, and evolving intelligence collection.
How Defenders Are Responding
Palo Alto Networks has already updated its security products to detect the NET-STAR framework.
For example, Cortex XDR can now flag suspicious behavior when:
- w3wp.exe (IIS worker process) spawns child processes like cmd.exe or powershell.exe.
- Fileless execution patterns indicate .NET assemblies loading directly in memory.
- AMSI and ETW bypass techniques are detected in runtime environments.
These behavioral analytics help expose IIServerCore even when it leaves no files on disk.
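The parent/child check above, written out as an added Python example (not Palo Alto Networks' Cortex XDR logic): it runs over constructed Sysmon-style process-creation records and raises a lead whenever w3wp.exe is the parent of cmd.exe or powershell.exe. The JSON lines, paths and command lines are constructed sample data.

```python
import json
import ntpath

IIS_WORKER = "w3wp.exe"
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe"}  # extend as your environment dictates

# Constructed Sysmon Event ID 1 (process create) records, one JSON object per line.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "w3wp.exe -ap \"DefaultAppPool\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "DestinationIp": "203.0.113.10"}
"""

def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def basename(path):
    # ntpath handles Windows separators regardless of the host OS running the check
    return ntpath.basename(path).lower()

def iis_child_alerts(events):
    """Return leads for shells whose parent is the IIS worker.

    A w3wp.exe serving ASP.NET has no reason to launch an interactive shell,
    so the lineage alone is high-signal; the command line is kept for triage.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue  # only process-creation records carry parent/child lineage
        if basename(ev.get("ParentImage", "")) != IIS_WORKER:
            continue
        child = basename(ev.get("Image", ""))
        if child in SUSPECT_CHILDREN:
            alerts.append({"child": child, "cmdline": ev.get("CommandLine", "")})
    return alerts

def run_sample():
    """Apply the check to the constructed log; two of the five records should fire."""
    return iis_child_alerts(parse_events(SAMPLE_LOG))
```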
But Phantom Taurus will evolve. Public exposure almost guarantees that NET-STAR will be rewritten, rebuilt, or replaced. Expect upgraded versions, new TTPs, and more advanced evasion capabilities in the coming months and years.
Conclusion
Phantom Taurus shows how modern espionage has moved far beyond intercepted calls and human informants.
Today, intelligence dominance is achieved by silently living inside the digital arteries of diplomacy:
- foreign ministries
- embassies
- telecom operators
- government data centers
While the world focuses on ransomware attacks and cyber-crime headlines, Phantom Taurus continues operating in the shadows, quietly collecting some of the most sensitive diplomatic intelligence on the planet.
And the unsettling part?
They are still active.
As long as geopolitical competition intensifies, groups like Phantom Taurus won’t just persist — they will expand, adapt, and become even harder to detect.
In the new era of global cyber warfare, the most dangerous adversaries won’t be the loudest.
They will be the ghosts.
Sources
- Unit 42 – Phantom Taurus: A New Chinese Nexus APT. Detailed threat intelligence report analyzing the Phantom Taurus group, the NET-STAR malware framework, the IIServerCore backdoor, and operational activity patterns, released by Palo Alto Networks’ Unit 42 researchers.
- Palo Alto Networks – Defending Against Phantom Taurus with Cortex XDR. Technical advisory outlining detection techniques, behavioral analytics, and security updates designed to identify fileless IIS attacks and the NET-STAR toolkit.
- CISA – Countering Chinese State-Sponsored Cyber Threat Actors. Guidance published by the Cybersecurity and Infrastructure Security Agency summarizing Chinese APT tactics, tools, and long-term espionage strategies, including overlaps with groups like APT27 and APT41.
- Council on Foreign Relations – African Union Headquarters Bugged by China. Investigative report detailing China’s multi-year espionage operation inside the African Union headquarters, including nightly data exfiltration and hidden surveillance devices.
- Microsoft Security Response Center – ProxyLogon & ProxyShell Vulnerabilities (CVE-2021-26855 / CVE-2021-34473). Official documentation and technical analysis of the Exchange Server vulnerabilities exploited widely by state-backed APT groups, including Phantom Taurus.
- MITRE ATT&CK Framework – Chinese State-Linked APT Groups. Public classifications, techniques, and TTP references used by nation-state cyber actors aligned with the Chinese government, contributing to attribution assessments.